Affected versions: Windows Server 2025


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution — Primary Fix
  7. Solution — Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

LSASS on Windows Server 2025 domain controllers spikes CPU, causing broad authentication latency and service disruptions. Logons, Kerberos ticketing, and LDAP operations degrade. Application timeout cascades are common during sustained storms.

Environment & Reproduction

Usually triggered by misconfigured clients repeatedly authenticating, password spray events, or service account lockout loops. Reproduce in a lab by generating high-frequency failed auth attempts from multiple hosts: DC CPU rises and auth latency increases.

Get-Process lsass
# counter paths need the leading and interior backslashes
Get-Counter '\Processor(_Total)\% Processor Time'
# 4625 = failed logon, 4771 = Kerberos pre-authentication failure
Get-WinEvent -LogName Security -MaxEvents 100 | ? {$_.Id -in 4625,4771}

Root Cause Analysis

Root causes include abusive authentication patterns from specific systems, directory query inefficiency, or security attacks. LSASS saturation is usually a symptom of upstream behavior rather than an LSASS defect, so fast source identification is critical for containment.

Quick Triage

Identify top failing source hosts/accounts and whether failures are malicious or accidental. Validate DC health and replication so load can be distributed. Start containment while preserving forensic evidence.

# group by the source address in the event data; MachineName is the DC that logged the event, not the client
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4625;StartTime=(Get-Date).AddMinutes(-15)} | ForEach-Object { ([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'IpAddress' | Select-Object -ExpandProperty '#text' } | Group-Object | Sort-Object Count -Descending | Select-Object -First 10
repadmin /replsummary

Step-by-Step Diagnosis

Correlate failed auth events by source IP, account, and process context. Check for scheduled tasks/services using stale credentials and identify attack signatures. Validate KDC and Netlogon event patterns on affected DCs.

Get-WinEvent -LogName Security -MaxEvents 500 | ? {$_.Id -in 4625,4768,4771}
Get-WinEvent -LogName System -MaxEvents 100 | ? {$_.ProviderName -match 'Netlogon|KDC'}
Get-ADUser -Filter 'LockedOut -eq $true'
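The triage and diagnosis steps above both come down to attributing failures to a source and an account. This added function (not from the original article) pulls 4625 and 4771 events, reads the source address and target account from the event XML, and labels each top source with a heuristic pattern; the thresholds in the labels are assumptions to tune against your own baseline.

```powershell
# Added example: summarise failed logons by source to separate a spray from a lockout loop.
# Assumes it runs elevated on the affected DC; 4625 and 4771 are the IDs used in the article.
function Get-FailedAuthSummary {
    param(
        [int]$Minutes = 15,   # look-back window
        [int]$Top = 10        # number of sources to report
    )
    $filter = @{ LogName = 'Security'; Id = 4625, 4771; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    # SilentlyContinue: Get-WinEvent throws when no events match the filter
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # both IDs expose TargetUserName and IpAddress in EventData, so read the XML by field name
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Id      = $e.Id
            Account = $data['TargetUserName']
            Source  = ($data['IpAddress'] -replace '^::ffff:', '')   # 4771 prefixes IPv4 with ::ffff:
            Status  = $data['Status']   # e.g. 0xC000006A (4625) or 0x18 (4771) for a bad password
        }
    }

    $rows | Group-Object Source | Sort-Object Count -Descending | Select-Object -First $Top | ForEach-Object {
        $accounts = ($_.Group.Account | Sort-Object -Unique).Count
        $top = ($_.Group | Group-Object Account | Sort-Object Count -Descending | Select-Object -First 1).Name
        # Heuristic labels (assumed thresholds): many accounts with few tries each looks like a spray,
        # one account hammering the DC looks like a service or task with a stale credential
        $pattern = if ($accounts -ge 20 -and ($_.Count / $accounts) -lt 5) { 'spray-like' }
                   elseif ($accounts -eq 1) { 'single-account loop' }
                   else { 'mixed' }
        [pscustomobject]@{
            Source     = $_.Name
            Events     = $_.Count
            Accounts   = $accounts
            TopAccount = $top
            Pattern    = $pattern
        }
    }
}

# usage: run on the DC showing the LSASS spike
Get-FailedAuthSummary -Minutes 15 | Format-Table -AutoSize
```

A source labelled 'single-account loop' is the place to look for the scheduled task or service from the diagnosis step; a 'spray-like' source belongs with the SOC before any lockout tuning.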

Solution — Primary Fix

Contain noisy sources, reset affected service credentials securely, and spread auth load across healthy DCs. Apply account lockout tuning only after root source is confirmed. Keep incident and security teams synchronized.


# isolate the abusive host via the network control process first, then recover the service account
Unlock-ADAccount -Identity svc_app01
# prompt for the new password rather than embedding it in the script or shell history
Set-ADAccountPassword -Identity svc_app01 -Reset -NewPassword (Read-Host -AsSecureString 'New password for svc_app01')
Get-Process lsass

Solution — Alternative Approaches

Use temporary conditional access controls or source throttling at edge/security layers if endpoint fixes are delayed. In active attack scenarios, escalate to SOC for blocking and evidence retention. Avoid disabling security controls to reduce CPU.

Verification & Acceptance Criteria

Acceptance requires LSASS CPU returning to baseline, auth latency normalization, and significant drop in failed auth event rate. Business apps must recover without repeated lockouts.

Get-Process lsass
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4625;StartTime=(Get-Date).AddMinutes(-15)} | Measure-Object
Test-ComputerSecureChannel -Verbose
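The acceptance criteria above are three measurements, so this added function (not from the original article) takes them together: averaged LSASS CPU normalised per core, failed-auth events per minute over the look-back window, and the secure channel check. The threshold defaults are assumptions; set them from your own DC baseline.

```powershell
# Added example: measure the acceptance criteria and return one pass/fail object.
# Assumes it runs elevated on the DC that was saturated; thresholds are placeholders.
function Test-AuthStormRecovered {
    param(
        [int]$Samples = 6,                  # CPU samples to average
        [int]$IntervalSeconds = 10,         # seconds between samples
        [double]$MaxLsassCpuPercent = 15,   # assumed per-core baseline ceiling
        [int]$MaxFailuresPerMinute = 20,    # assumed baseline failed-auth rate
        [int]$Minutes = 15                  # failed-auth look-back window
    )
    # The per-process counter sums across cores and can exceed 100, so normalise by core count
    $counter = '\Process(lsass)\% Processor Time'
    $raw = (Get-Counter -Counter $counter -SampleInterval $IntervalSeconds -MaxSamples $Samples).CounterSamples.CookedValue
    $avgCpu = [math]::Round((($raw | Measure-Object -Average).Average) / [Environment]::ProcessorCount, 2)

    $filter = @{ LogName = 'Security'; Id = 4625, 4771; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    $failed = (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Measure-Object).Count
    $perMinute = [math]::Round($failed / $Minutes, 2)

    # Same check as the article's verification step, captured as a boolean
    $channelOk = Test-ComputerSecureChannel

    [pscustomobject]@{
        LsassCpuPercent = $avgCpu
        FailedPerMinute = $perMinute
        SecureChannelOk = $channelOk
        Recovered       = ($avgCpu -le $MaxLsassCpuPercent) -and ($perMinute -le $MaxFailuresPerMinute) -and $channelOk
    }
}

# usage: re-run until Recovered is True for several consecutive windows
Test-AuthStormRecovered
```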

Rollback Plan

Rollback temporary network blocks and emergency credential changes through controlled change path once root cause is eradicated. Re-enable normal routes gradually and observe event volumes. Preserve incident artifacts for postmortem.

Prevention & Hardening

Deploy failed-auth anomaly detection, service account governance, and managed identity rotation policies. Enforce app retry backoff to prevent storm amplification. Conduct periodic attack simulation and DC capacity review.

Related Errors & Cross-Refs

Often paired with account lockouts, Kerberos pre-auth failures, and SIEM brute-force alerts. RDP/WinRM logon issues may be secondary effects. Treat identity source containment as highest priority.


References & Further Reading

Microsoft identity hardening and DC performance troubleshooting references should be included in tier-0 operations playbooks. Internal SOC runbooks should define thresholds and escalation paths for auth storms.
