Tuning Windows 2012 – Active Directory – Part 2


If your Active Directory domain controller doesn’t just seem to perform as expected, you can use several resources to conduct a performance diagnosis.  You can use the following Reliability and Performance Monitor (Perfmon) counters to track and analyze a domain controller’s performance:


If you notice slow write or read operations, check the following disk I/O counters under the Physical Disk category to see if many queued disk operations exist:


  • Avg. Disk Queue Length
  • Avg. Disk Read Queue Length
  • Avg. Disk Write Queue Length




If lsass.exe uses excessive physical memory, check the following Database counters under the Database category to see how much memory is used to cache the database for Active Directory Domain Services. These counters are located under the lsass.exe instance, whereas for Active Directory Lightweight Directory Services they are located under the Directory instance:


  • Database Cache % Hit
  • Database Cache Size (MB)


If Isass.exe uses excessive CPU, check Directory Services\ATQ Outstanding Queued Requests on the Directory Services tab to see how many requests are queued at the domain controller. A high level of queuing indicates that requests are arriving at the domain controller faster than they can be processed. This can also lead to a high latency in responding to requests.


You can also use the Data Collector Sets tool to see the activity inside the domain controller. On a server that is running Active Directory Domain Services or Active Directory Lightweight Directory Services, you can find the collector template in Reliability and Performance Monitor under Reliability and Performance > Data Collector Sets > System > Active Directory Diagnostics.


The Reliability and Performance Monitor tool collects data for five minutes and stores a report under Reliability and Performance > Reports > System > Active Directory Diagnostics. This report contains information about CPU usage by different processes, Lightweight Directory Access Protocol (LDAP) operations, Directory Services operations, Kerberos Key Distribution Center operations, NT LAN Manager (NTLM) authentications, Local Security Authority (LSA) and Security Account Manager (SAM) operations, and averages of all the important performance counters.


This report identifies the workload that is being placed on the domain controller, identifies the contribution of aspects of that workload to the overall CPU usage, and locates the source of that workload, such as an application that is sending a high rate of requests to the domain controller. The CPU section of the report indicates whether lsass.exe is the process that is taking the highest CPU percentage. If any other process is taking more CPU on a domain controller, you should investigate it.