Memory usage by the Lsass.exe process on domain controllers that are running Windows Server 2003 or Windows 2000 Server


This article describes some Lsass.exe process basics, best practices for the configuration of the Lsass.exe process, and expectations of memory usage. This article should be used as a guide in the analysis of Lsass.exe performance and memory use on domain controllers that are running Microsoft Windows Server 2003 or Microsoft Windows 2000 Server. The information in this article may be useful if you have questions about how to tune and configure servers and domain controllers to optimize this engine.

The Lsass.exe process is responsible for managing local security authority domain authentication and Active Directory. This process handles authentication for both the client and the server, and it also governs the Active Directory engine. The Lsass.exe process is responsible for the following components:
  • Local Security Authority
  • Net Logon service
  • Security Accounts Manager service
  • LSA Server service
  • Secure Sockets Layer (SSL)
  • Kerberos v5 authentication protocol
  • NTLM authentication protocol

More Information

Limit or minimize the number of programs on your domain controller

For optimum performance, the Lsass.exe process takes as much RAM as possible on a given server or domain controller. The Lsass.exe process relinquishes that RAM as other processes ask for it. The idea is to optimize performance of the Lsass.exe process while still accounting for other processes that might run on a computer. Because of this and to increase performance, it is a good practice to limit or minimize the number of programs on a domain controller. If there are no memory requests, the Lsass.exe process uses this memory to cache queried data.

Use the Active Directory Sizer (Adsizer.exe) and ADTEST tools

You can use the Adsizer.exe tool to gauge the amount of memory that is needed for domain controllers based on their function. You can only use this test as an estimate because Adsizer.exe cannot predict exactly how much memory will be necessary for all processes. You can use the ADTEST tool to stress the domain controllers and provide an expected memory usage baseline and memory load.

32-bit addressing space is limited to 4 gigabytes (GB)

The 32-bit addressing space is limited to 4 GB of physical memory.

Use counters to monitor Lsass.exe usage

You can use the job object, processor usage (80% Processor usage as a stress mark), adperf, and cop processes performance tools to monitor Lsass.exe usage. The counters of interest are Memory, Process, NTDS Object, Cache, Server, Processor, Threads, and Database.

Use Windows Server 2003 or Windows 2000 Server

If you plan to use more than 1 GB of physical memory on the domain controller, use Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; Windows 2000 Advanced Server; or Windows 2000 Datacenter Server. You can use the /3GB switch in the %SystemDrive%\Boot.ini file on these versions of Windows to provide an additional 1 GB of addressable memory. However, if you use this switch with Windows 2000 Server, this memory space is marked as unavailable.

Caution Microsoft supports using the /3GB switch in Windows Server 2003, Standard Edition in a production environment for use by Active Directory. For other applications, Microsoft supports using the /3GB switch in Windows Server 2003, Standard Edition in a production environment only if the application vendor has tested in this environment and if the vendor is willing to support the customer who is using this functionality. Microsoft Exchange Server 2003 and Microsoft SQL Server 2000 are supported in production using this functionality. Contact your application vendor regarding their application. The /3GB switch can cause some applications to have problems that are related to address dependencies or to a reduction in kernel space. Except in the cases described earlier, the /3GB switch in Windows Server 2003, Standard Edition is only for development and testing purposes.

  • We recommend that the /3GB switch be used with caution because it limits page table entries (PTEs).
  • The /3GB switch is needed only in 32-bit architecture. It is not needed in 64-bit architecture.

For more information about memory configuration tuning, click the following article number to view the article in the Microsoft Knowledge Base:

291988 A description of the 4 GB RAM Tuning feature and the Physical Address Extension parameter

Memory information

Lsass memory usage on domain controllers has two major components: one fixed and one variable.

The fixed component is made up of the code, the stacks, the heaps, and various fixed size data structures (for example, the schema cache). The amount of memory that Lsass uses may vary, depending on the load on the computer. As the number of running threads increases, so does the number of memory stacks. Lsass.exe usually uses 100 MB to 300 MB of memory. Lsass.exe uses the same amount of memory no matter how much RAM is installed in the computer. However, when a larger amount of RAM is installed, Lsass can use more RAM and less virtual memory.

The variable component is the database buffer cache. The size of the cache can range from less than 1 MB to the size of the entire database. Because a larger cache improves performance, the database engine for AD (ESENT) attempts to keep the cache as large as possible. While the size of the cache varies with memory pressure in the computer, the maximum size of the cache is limited by both the amount of physical RAM installed in the computer and by the amount of available virtual address space (VA). AD uses only a portion of total VA space for the cache. The maximum amount of VA space that AD can use is determined by the following formula:

((totalVA - 1GB) / 2)

Note This formula only applies to Windows 2000. In Windows Server 2003, the memory model for LSASS is different and the amount of memory that is used by the cache is dynamic. Memory usage has grown as large as 2.6 GB, but this is based on the assumption that other processes in LSASS do not need the memory.

This means that on an x86 machine without the /3GB switch, the cache size is limited either to 512 MB or to the amount of physical RAM, whichever is smaller. With the /3GB switch, the cache size is limited to either 1 GB or to the amount of physical RAM, whichever is smaller. Note that this means that the /3GB switch begins to help as soon as the amount of physical RAM is greater than approximately 600 MB (500 MB for the cache, plus approximately 100 MB for the fixed component). On 64-bit systems, such as the IA64, cache size is effectively limited only by RAM, and Microsoft Development has test systems with over 9 GB of cache in use.

Note Because of the way that the database caching algorithm works, on a 64-bit system on which the database size is smaller than the available RAM, the database cache can grow larger than the database size by 30 to 40 percent.
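
The following is an added example, not part of the original article or any Microsoft tool. It applies the Windows 2000 cache formula above to a counter log in typeperf CSV form and flags samples where Lsass.exe exceeds the size the article leads you to expect, or where the processor reaches the 80% stress mark. The host name DC01, the sample values, the use of Private Bytes as the measured counter, and the ceiling of 300 MB plus the cache limit are assumptions made for illustration.

```python
import csv
import io

MB = 1024 * 1024
GB = 1024 * MB
FIXED_MAX = 300 * MB      # upper end of the article's 100-300 MB fixed component
CPU_STRESS_MARK = 80.0    # the article's 80% processor stress mark

def max_cache_bytes(ram_bytes, three_gb=False):
    """Windows 2000 x86 cache ceiling: min((totalVA - 1GB) / 2, physical RAM)."""
    total_va = (3 if three_gb else 2) * GB   # user-mode VA with / without /3GB
    return min((total_va - 1 * GB) // 2, ram_bytes)

def review_samples(csv_text, ram_bytes, three_gb=False):
    """Flag samples in a typeperf CSV log that exceed the article's expectations."""
    # Assumed ceiling: largest usual fixed component plus the largest allowed cache.
    ceiling = FIXED_MAX + max_cache_bytes(ram_bytes, three_gb)
    rows = csv.reader(io.StringIO(csv_text))
    header = next(rows)
    # Locate columns by counter-path suffix so the host-name prefix does not matter.
    mem_col = next(i for i, h in enumerate(header) if h.endswith(r"\Process(lsass)\Private Bytes"))
    cpu_col = next(i for i, h in enumerate(header) if h.endswith(r"\Processor(_Total)\% Processor Time"))
    findings = []
    for row in rows:
        try:
            mem, cpu = float(row[mem_col]), float(row[cpu_col])
        except (ValueError, IndexError):
            continue   # skip rows with a missed (blank) sample
        if mem > ceiling:
            findings.append((row[0], "lsass above expected ceiling", int(mem // MB)))
        if cpu >= CPU_STRESS_MARK:
            findings.append((row[0], "processor at stress mark", round(cpu)))
    return findings

# Constructed sample log (host DC01 and all values are made up for illustration).
SAMPLE_LOG = r'''"(PDH-CSV 4.0)","\\DC01\Process(lsass)\Private Bytes","\\DC01\Processor(_Total)\% Processor Time"
"03/01/2005 10:00:00.000","314572800","35.5"
"03/01/2005 10:01:00.000","734003200","62.0"
"03/01/2005 10:02:00.000"," ","91.2"
"03/01/2005 10:03:00.000","891289600","84.0"
'''

if __name__ == "__main__":
    for finding in review_samples(SAMPLE_LOG, ram_bytes=2 * GB):
        print(finding)
```

With 2 GB of RAM and no /3GB switch the ceiling is 812 MB, so only the 850 MB sample is flagged for memory; with /3GB the ceiling rises to 1,324 MB and the same sample passes.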

Memory usage increases with Active Directory use

The amount of memory that the Lsass.exe process uses increases in accordance with Active Directory usage. When data is queried, it is cached in memory.

Additional information about tuning domain controllers

LDAP query policies

271088 Optimizing Windows 2000 Active Directory servers with six or eight processors to run with Exchange 2000

Disable AutoSiteCoverage

See the Windows 2000 Resource Kit.

Limiting KCC process

244368 How to optimize Active Directory replication in a large network