Today, I’d like to post about a behavior in SharePoint that has a dramatically impact on performance!
Consider this scenario:
You go to the people picker to search for let’s say: “User42”. You wait for about more than 3.5 min. until the results are displayed.
You’d now check if there is a general problem and trying it again with a simple repro on the file system as follows
- chose any folder on your hard disk, right-click and chose “properties”.
- “add” the wanted User as you would like to do it on granting permissions to this folder.
- Note, that this is taking less than a second(!) to resolve and adding the named User, how this?
So on setting the ULS logging to “verbose” level and retry the peoplepicker search, we will find some interesting hints like this in our logs:
For any given search string, i.e. "User42" (which is NOT typed in as "Domainusername" or as UPN “firstname.lastname@example.org”) the Query fetches the account details (SearchFromGC) for the user.
The GetAccountName() function is then used to convert the SID returned by the LDAP query.
The GetAccountName() results in LSASS calling LsarLookupSids3 (when using People Picker) OR both LsaLookupNames4 + LsarLookupSids3 (when using "Check Names").
So we see that we do get the result back from LDAP with the result set and then we use that result set's SID to get the account name in the format DOMAINUSERLOGIN. The LDAP resultset has this information in the LDAP format, but not in the expected format for SharePoint. This is why we call GetAccountName() to resolve the SID into the Account name.
This process takes a long time and impacts the performance for People Picker / CheckNames function as well as in addition waiting for each timeout on not reachable DC's.
So by using "Isolated Account Names" on peoplepicker search, performance decreases as the number of trusted domains increases…
See more on http://support.microsoft.com/kb/818024
Use the stsadm commands for setting the properties to be limited on a particular Domain (where the user lives) and the specific Domain under your Forest on a multi trusted AD environment.
stsadm -o setproperty -url http://<WebAppName> -pn peoplepicker-distributionlistsearchdomains -pv <domainname>
stsadm –o setproperty –pn peoplepicker-searchadforests –pv domain:<domainname> -url http://<WebAppName>
By default, SharePoint talks to the domain controller for the domain in which SharePoint was installed and all trusted domains for two-way trusted domains.
The above commands will enable a limited search against a dedicated domain where the wanted user account resides.
So when having user accounts from other domains in addition, these domains must be also set according to the above command for each needed domain name.
This setting is a per web application setting as defined by the -url parameter and must be also repeated for each web application further.
So by design, SharePoint will behave as of the above description but on forcing only to use the pure ldap results and defining the requested domain explicitly,
we can significant increase the performance on people picker search results near to less than 2 seconds!
If you're having a "one-way-trust", then you need to run additionally this command first:
stsadm –o setapppassword -password <SomeKey>
see more details here: http://technet.microsoft.com/en-us/library/cc263460(office.12).aspx
People Picker Overview (2010)
Add users from multiple forest domains
Select users from multiple forest domains
"The Server Is Not Operational" Error Message in Active Directory
All you want to know about People Picker in SharePoint ( Functionality | Configuration | Troubleshooting ) Part-1
All you want to know about People Picker in SharePoint ( Functionality | Configuration | Troubleshooting ) Part-2
Hope, that helps you if having this issue.