MORE INFORMATION
Limit or minimize the number of programs on your domain controller
For optimum performance, the Lsass.exe process takes as much RAM
as possible on a given server or domain controller. The Lsass.exe process
relinquishes that RAM as other processes ask for it. The idea is to optimize
performance of the Lsass.exe process while still accounting for other processes
that might run on a computer. Because of this and to increase performance, it
is a good practice to limit or minimize the number of programs on a domain
controller. If there are no memory requests, the Lsass.exe process uses this
memory to cache queried data.
Use the Active Directory Sizer (Adsizer.exe) and ADTEST tools
You can use the Adsizer.exe tool to gauge the amount of memory
that is needed for domain controllers based on their function. You can only use
this test as an estimate because Adsizer.exe cannot predict exactly how much
memory will be necessary for all processes. You can use the ADTEST tool to
stress the domain controllers and provide an expected memory usage baseline and
memory load.
32-bit addressing space is limited to 4 gigabytes (GB)
The 32-bit addressing space is limited to 4 GB of physical
memory.
Use counters to monitor Lsass.exe usage
You can use the job object, processor usage (80% Processor usage
as a stress mark), adperf, and cop processes performance tools to monitor
Lsass.exe usage. The counters of interest are Memory, Process, NTDS Object,
Cache, Server, Processor, Threads, and Database.
Use Windows Server 2003 or Windows 2000 Server
If you plan to use more than 1 GB of physical memory on the domain controller, use Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; Windows 2000 Advanced Server; or Windows 2000 Datacenter Server. You can use the
/3GB switch in the %SystemDrive%\Boot.ini file on these versions of Windows to provide an additional 1 GB of addressable memory. However, if you use this switch with Windows 2000 Server, this memory space is marked as unavailable.
Caution Microsoft supports using the
/3GB switch in Windows Server 2003, Standard Edition in a production environment for use by Active Directory. For other applications, Microsoft supports using the
/3GB switch in Windows Server 2003, Standard Edition in a production environment only if the application vendor has tested in this environment and if the vendor is willing to support the customer who is using this functionality. Microsoft Exchange Server 2003 and Microsoft SQL Server 2000 are supported in production using this functionality. Contact your application vendor regarding their application. The
/3GB switch can cause some applications to have problems that are related to address dependencies or to a reduction in kernel space. Except in the cases described earlier, the
/3GB switch in Windows Server 2003, Standard Edition is only for development and testing purposes.
Notes- We recommend that the /3GB switch be used with caution because it limits page table entries (PTEs).
- The /3GB switch is needed only in 32-bit architecture. It is not needed in 64-bit architecture.
For more information about memory configuration tuning, click the following article number to view the article in the Microsoft Knowledge Base:
291988
A description of the 4 GB RAM tuning feature and the Physical Address Extension switch
Memory information
Lsass memory usage on domain controllers has two major
components: one fixed and one variable.
The fixed component is made
up of the code, the stacks, the heaps, and various fixed size data structures
(for example, the schema cache). The amount of memory that Lsass uses may vary,
depending on the load on the computer. As the number of running threads
increases, so does the number of memory stacks. Lsass.exe usually uses 100 MB
to 300 MB of memory. Lsass.exe uses the same amount of memory no matter how
much RAM is installed in the computer. However, when a larger amount of RAM is
installed, Lsass can use more RAM and less virtual memory.
The
variable component is the database buffer cache. The size of the cache can
range from less than 1 MB to the size of the entire database. Because a larger
cache improves performance, the database engine for AD (ESENT) attempts to keep
the cache as large as possible. While the size of the cache varies with memory
pressure in the computer, the maximum size of the cache is limited by both the
amount of physical RAM installed in the computer and by the amount of available
virtual address space (VA). AD uses only a portion of total VA space for the
cache. The maximum amount of VA space that AD can use is determined by the
following formula:
Note This formula only applies to Windows 2000. In Windows Server 2003, the memory model for LSASS is different and the amount of memory that is used by the cache is dynamic. Memory usage has grown as large as 2.6 GB, but this is based on the assumption that other processes in LSASS do not need the memory.
This means that on an x86 machine without the
/3GB switch, the cache size is limited either to 512 MB or to the
amount of physical RAM, whichever is smaller. With the
/3GB switch, the cache size is limited to either 1 GB or to the amount
of physical RAM, whichever is smaller. Note that this means that the
/3GB switch begins to help as soon as the amount of physical RAM is
greater than approximately 600MB (500 MB for the cache, plus approximately 100
MB for the fixed component). On 64-bit systems, such as the IA64, cache size is
effectively limited only by RAM, and Microsoft Development has test systems
with over 9GB of cache in use.
Memory usage increases with Active Directory use
The amount of memory that the Lsass.exe process uses increases in
accordance with Active Directory usage. When data is queried, it is cached in
memory.
Maximum physical memory usage by Lsass.exe process and Active Directory
The maximum physical memory usage by the Lsass.exe process and
Active Directory is 2 GB.
Additional information about tuning domain controllers
LDAP query policies
271088 Optimizing Windows 2000 Active Directory servers with six or eight processors to run with Exchange 2000
Disable AutoSiteCoverage
See the Windows 2000 Resource Kit.
Limiting KCC process
244368 How to optimize Active Directory replication in a large network