Steve Chen [MSFT] Sr. Support Escalation Engineer

...about SharePoint mysteries and related

poor performance on people picker search in SPS2010


Today, I’d like to post about a behavior in SharePoint that has a dramatic impact on performance!

Consider this scenario:

You go to the people picker to search for, let’s say, “User42”. You wait more than about 3.5 min. until the results are displayed.
To check whether there is a general problem, you try again with a simple repro on the file system, as follows:

- Choose any folder on your hard disk, right-click it and choose “Properties”.
- “Add” the wanted user, as you would when granting permissions on this folder.
- Note that resolving and adding the named user takes less than a second(!). How come?

After setting the ULS logging to “Verbose” level and retrying the people picker search, we find some interesting hints like these in the logs:

[…]
01.31.2011 15:50:13.98    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    Performance    ftq2    Verbose    SearchFromGC name = corp.lan. returned. Result count = 0    21e10f56-2f45-4a29-a53c-4fda5da9f117
01.31.2011 15:50:13.98    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    Performance    ftq1    Verbose    SearchFromGC name = contoso.com. start    21e10f56-2f45-4a29-a53c-4fda5da9f117
01.31.2011 15:50:30.12    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    Performance    ftq3    Verbose    SearchFromGC name = contoso.com. Error Message: A local error has occurred.    21e10f56-2f45-4a29-a53c-4fda5da9f117
01.31.2011 15:50:30.12    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    General    7fbh    Verbose    Exception when search "user42" from domain "contoso.com". Exception: "A local error has occurred.  ", StackTrace: "   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)     at  […]

01.31.2011 15:50:30.12    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    General    72e7    Medium    Error in searching user 'user42' : System.DirectoryServices.DirectoryServicesCOMException (0x8007203B): A local error has occurred.       at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)     at  […]

01.31.2011 15:50:30.12    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    Performance    ftq1    Verbose    SearchFromGC name = de-corpx.com. start    21e10f56-2f45-4a29-a53c-4fda5da9f117
01.31.2011 15:51:12.95    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    Performance    ftq3    Verbose    SearchFromGC name = de-corpx.com. Error Message: The server is not operational.    21e10f56-2f45-4a29-a53c-4fda5da9f117
01.31.2011 15:51:12.95    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    General    7fbh    Verbose    Exception when search "user42" from domain "de-corpx.com". Exception: "The server is not operational.  ", StackTrace: "   at […]

01.31.2011 15:51:12.95    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    General    72e7    Medium    Error in searching user 'user42' : System.Runtime.InteropServices.COMException (0x8007203A): The server is not operational.       at  […]

01.31.2011 15:51:13.08    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    Performance    ftq2    Verbose    SearchFromGC name = my-group.biz. returned. Result count = 0    21e10f56-2f45-4a29-a53c-4fda5da9f117
01.31.2011 15:51:13.08    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    Performance    ftq1    Verbose    SearchFromGC name = org-it.biz. start    21e10f56-2f45-4a29-a53c-4fda5da9f117
01.31.2011 15:51:13.27    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    Performance    ftq4    Verbose    GetAccountNameFromSid "0x0105000000000005150000008AA7323F23F3F66375B9755494000400" start    21e10f56-2f45-4a29-a53c-4fda5da9f117
01.31.2011 15:51:13.28    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    Performance    ftq5    Verbose    GetAccountNameFromSid "0x0105000000000005150000008AA7323F23F3F66375B9755494000400" returned. returnValue=True    21e10f56-2f45-4a29-a53c-4fda5da9f117
01.31.2011 15:51:13.28    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    Performance    ftq2    Verbose    SearchFromGC name = org-it.biz. returned. Result count = 1    21e10f56-2f45-4a29-a53c-4fda5da9f117
01.31.2011 15:51:13.28    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    Performance    ftq1    Verbose    SearchFromGC name = xx-ext.biz. start    21e10f56-2f45-4a29-a53c-4fda5da9f117
01.31.2011 15:51:13.52    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    Performance    ftq2    Verbose    SearchFromGC name = xx-ext.biz. returned. Result count = 0    21e10f56-2f45-4a29-a53c-4fda5da9f117
01.31.2011 15:51:13.52    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    Performance    ftq1    Verbose    SearchFromGC name = ap-lan.biz. start   21e10f56-2f45-4a29-a53c-4fda5da9f117
01.31.2011 15:51:56.33    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    Performance    ftq3    Verbose    SearchFromGC name = ap-lan.biz. Error Message: The server is not operational.    21e10f56-2f45-4a29-a53c-4fda5da9f117
01.31.2011 15:53:15.22    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    General    72e7    Medium    Error in searching user 'user42' : System.Runtime.InteropServices.COMException (0x8007203A): The server is not operational.       at
[…]
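
To see where the 3.5 minutes go, the following added example (not part of the original post) pairs each SearchFromGC start (ftq1) with its result (ftq2) or error (ftq3) and reports the time spent per domain. The sample lines are copied from the excerpt above; the function names and the 5-second threshold are assumptions.

```python
import re
from datetime import datetime

# Sample lines copied from the ULS excerpt above (SearchFromGC entries only).
# The first line has no matching start inside the excerpt.
SAMPLE_ULS = """\
01.31.2011 15:50:13.98    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    Performance    ftq2    Verbose    SearchFromGC name = corp.lan. returned. Result count = 0    21e10f56-2f45-4a29-a53c-4fda5da9f117
01.31.2011 15:50:13.98    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    Performance    ftq1    Verbose    SearchFromGC name = contoso.com. start    21e10f56-2f45-4a29-a53c-4fda5da9f117
01.31.2011 15:50:30.12    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    Performance    ftq3    Verbose    SearchFromGC name = contoso.com. Error Message: A local error has occurred.    21e10f56-2f45-4a29-a53c-4fda5da9f117
01.31.2011 15:50:30.12    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    Performance    ftq1    Verbose    SearchFromGC name = de-corpx.com. start    21e10f56-2f45-4a29-a53c-4fda5da9f117
01.31.2011 15:51:12.95    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    Performance    ftq3    Verbose    SearchFromGC name = de-corpx.com. Error Message: The server is not operational.    21e10f56-2f45-4a29-a53c-4fda5da9f117
01.31.2011 15:51:13.08    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    Performance    ftq1    Verbose    SearchFromGC name = org-it.biz. start    21e10f56-2f45-4a29-a53c-4fda5da9f117
01.31.2011 15:51:13.28    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    Performance    ftq2    Verbose    SearchFromGC name = org-it.biz. returned. Result count = 1    21e10f56-2f45-4a29-a53c-4fda5da9f117
01.31.2011 15:51:13.52    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    Performance    ftq1    Verbose    SearchFromGC name = ap-lan.biz. start   21e10f56-2f45-4a29-a53c-4fda5da9f117
01.31.2011 15:51:56.33    w3wp.exe (0x1010)    0x163C    SharePoint Foundation    Performance    ftq3    Verbose    SearchFromGC name = ap-lan.biz. Error Message: The server is not operational.    21e10f56-2f45-4a29-a53c-4fda5da9f117
"""

LINE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{2})\s.*?\b(?P<eid>ftq[123])\s+\w+\s+"
    r"SearchFromGC name = (?P<dom>\S+)\. (?P<rest>.*?)(?:\s+[0-9a-f-]{36})?\s*$"
)

def gc_search_times(uls_text):
    """Pair each SearchFromGC start with its result or error; slowest first."""
    started, results = {}, []
    for raw in uls_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a SearchFromGC line (stack traces, SID lookups, ...)
        ts = datetime.strptime(m["ts"], "%m.%d.%Y %H:%M:%S.%f")
        if m["eid"] == "ftq1":
            started[m["dom"]] = ts
        elif m["dom"] in started:  # skip results whose start is outside the log
            secs = round((ts - started.pop(m["dom"])).total_seconds(), 2)
            err = m["rest"].partition("Error Message: ")[2] or None
            results.append({"domain": m["dom"], "seconds": secs, "error": err})
    return sorted(results, key=lambda r: r["seconds"], reverse=True)

def slow_domains(results, threshold=5.0):
    """Domains that failed or took at least `threshold` seconds (assumed cutoff)."""
    return [r["domain"] for r in results if r["error"] or r["seconds"] >= threshold]

if __name__ == "__main__":
    for r in gc_search_times(SAMPLE_ULS):
        print(f'{r["domain"]:<14}{r["seconds"]:>7.2f}s  {r["error"] or "ok"}')
```

On the sample, the three domains whose bind fails account for nearly all of the wait, while the domain that actually holds the user answers in a fraction of a second.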


CAUSE:

For any given search string, e.g. "User42" (which is NOT typed in as "Domain\username" or as a UPN such as “user42@mydomain.com”), the query fetches the account details (SearchFromGC) for the user.

The GetAccountName() function is then used to convert the SID returned by the LDAP query.
Calling GetAccountName() results in LSASS calling LsarLookupSids3 (when using People Picker) OR both LsaLookupNames4 + LsarLookupSids3 (when using "Check Names").

So we do get the result set back from LDAP, and we then use the SID from that result set to get the account name in the format DOMAIN\USERLOGIN. The LDAP result set has this information in the LDAP format, but not in the format SharePoint expects. This is why we call GetAccountName() to resolve the SID into the account name.

This process takes a long time and hurts the performance of the People Picker / Check Names function, on top of waiting for each timeout on unreachable DCs.

So when "Isolated Account Names" are used in a people picker search, performance decreases as the number of trusted domains increases…
See more at http://support.microsoft.com/kb/818024

 

RESOLUTION/WORKAROUND:

Use the following stsadm commands to set the people picker properties so that the search is limited to a particular domain (where the user lives) and to the specific domain under your forest in a multi-trust AD environment.

stsadm -o setproperty -url http://<WebAppName>  -pn peoplepicker-distributionlistsearchdomains -pv <domainname>

stsadm -o setproperty -pn peoplepicker-searchadforests -pv domain:<domainname> -url http://<WebAppName>

Note:

By default, SharePoint talks to the domain controller of the domain in which SharePoint was installed and to all domains trusted through two-way trusts.

Remarks:

The above commands enable a limited search against a dedicated domain where the wanted user account resides.
If you also have user accounts from other domains, each of those domains must be set with the above command as well.
This is a per-web-application setting, as defined by the -url parameter, and must be repeated for each further web application.
By design, SharePoint behaves as described above, but by forcing it to use only the pure LDAP results and defining the requested domain explicitly,
we can significantly improve people picker search performance, bringing results down to nearly under 2 seconds!

If you have a one-way trust, you additionally need to run this command first:
stsadm -o setapppassword -password <SomeKey>

See more details here: http://technet.microsoft.com/en-us/library/cc263460(office.12).aspx

 

Resources:
People Picker Overview (2010)
Peoplepicker-distributionlistsearchdomains
Peoplepicker-searchadforests
Add users from multiple forest domains  
Select users from multiple forest domains 
"The Server Is Not Operational" Error Message in Active Directory

SharePoint 2010 PeoplePicker Not Finding Active Directory Users

All you want to know about People Picker in SharePoint ( Functionality | Configuration | Troubleshooting ) Part-1
All you want to know about People Picker in SharePoint ( Functionality | Configuration | Troubleshooting ) Part-2

 

Hope that helps if you are having this issue.

cheers, Steve

Comments
  • Hi Steve,

    Is it possible that these settings take effect on the login process? Does SharePoint look first in the domain that you set via STSADM during the login process?

  • Hi Steve,

    Is it possible that these settings will affect the login performance?

  • Hi Frank,

    I'm not sure about this, because usually SharePoint will only respect the filter once set by stsadm for the people picker and search functionality. The normal logon process should be determined as usual via validation against the first DC in the domain in which the SharePoint server exists.

    I'm not aware of any impact on logon caused by the filter settings, but if users are from another domain, then this could also be caused by the same reason as described above (DC not reachable, firewalls dropping LDAP binds, etc.).

    The best way to investigate is to take a NetMon trace during logon with verbose logging turned on in SharePoint, then check the ULS log/Event log errors and the NetMon traces for more information.

    See also the links below "resources" to get more information regarding "multiple forest domains, etc."

    cheers, Steve

  • Hi Steve,

    We have discovered that in our multi-forest environment the number of domains specified in the peoplepicker-searchadforests property has a direct impact on the time it takes to create a standard SharePoint publishing site.

    This seems very strange but the impact is dramatic.

    The forest where our SP2010 farm sits has a dozen or so trusts. When we had not set the peoplepicker-searchadforests property, we saw that it was taking 2-3 minutes to create a publishing site collection!

    After weeks of investigation we narrowed it down to peoplepicker-searchadforests.

    By restricting peoplepicker-searchadforests to search only our domain, the time to create dropped to 20 seconds!

    Insane, but true. Do you have any insights on this dependency and relation?

    In reality our peoplepicker-searchadforests property is going to be set to search around a dozen geographically dispersed domains. Each domain adds 10-15 seconds to the site creation time.

    Do let me know if there is more information on this strange but troubling issue

    regards,

    Amir Khan
