JSI Tip 6397. High CPU and memory utilization when you add objects to or remove objects from the Active Directory?

NOTE: The text in the following Microsoft Knowledge Base article is provided so that the site search can find this page. Please click the Knowledge Base link to ensure that you are reading the most current information.

Microsoft Knowledge Base article Q315697 contains:


When your server re-creates or imports objects into the Active Directory, you may experience the following symptoms:
  • The CPU utilization is higher than you expect during the operation. If there are a lot of objects, the CPU utilization may remain at 100 percent for the duration of the operation.
  • The Lsass.exe process may use more memory than you expect.
  • The Lsass.exe memory utilization may not decrease after the operation is complete.


This behavior occurs because the creation of Active Directory objects is a pre-emptive operation. This means that the process takes any available CPU cycles to allocate more threads for creation of new objects. Additionally, Lsass.exe consumes any available RAM on the server, and retains these resources after the operation is completed to be able to respond to incoming queries as efficiently as possible. If memory is required for other processes, the Lsass.exe caches decrease and memory is returned to the system.


This behavior is by design.


In the creation of these objects, the following procedures must occur for the object to be created:
  • Schema integrity check
  • User rights check on the process creating the objects
  • Security inheritance applied to the object
  • Group membership checks
  • "Relative distinguished name" check

During object-creation periods, Microsoft also recommends that you:
  • Disable the Knowledge Consistency Checker (KCC)
  • Do not use a Flexible Single Master Operations (FSMO) role owner for object creation
Windows 2000 is designed to be able to create about 3,000 security principals, or 5,000 non-security principals per hour. Because of this, use a specific domain controller for imports and mass object creations. This domain controller should be a global catalog server with over 2 GB of memory for best LDAP search performance. The domain controller should also be isolated from common authentication traffic, LDAP query traffic, global catalog search traffic, and Key Distribution Center (KDC) traffic for best performance. Microsoft recommends that you follow these practices:
  • Do not use the domain controller or PDC emulator as a DNS server.
  • When you create a large number of sites and subnets, do so before the creation of servers and workstations.
  • Make changes on a domain controller in a hub site of a branch office deployment.
  • Run Offline Garbage Collection more frequently on the domain controller you designate for object creation.
  • Disable replication during object creation, both Active Directory Replication and FRS.
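The following pre-flight check is an added example, not part of the Knowledge Base article. It tests a designated import domain controller against the practices listed above (global catalog, no FSMO roles, more than 2 GB of RAM, not a DNS server) and can optionally pause Active Directory replication for the import window. It assumes the ActiveDirectory PowerShell module (RSAT) on a current Windows Server domain, Windows PowerShell 5.1 (for the -ComputerName parameters), and that $DcName is a placeholder for the DC you set aside for imports; FRS replication is not handled.

```powershell
# Added example, not code from the KB article. Assumes the ActiveDirectory
# module is available and $DcName is a placeholder for the designated import DC.
param(
    [Parameter(Mandatory = $true)][string]$DcName,
    [switch]$DisableReplication   # opt in to the article's "disable replication" step
)
Import-Module ActiveDirectory

$dc = Get-ADDomainController -Identity $DcName
$findings = @()

# 1. The article wants a global catalog server for best LDAP search performance.
if (-not $dc.IsGlobalCatalog) {
    $findings += "$DcName is not a global catalog server"
}

# 2. Do not use an FSMO role owner for mass object creation.
if ($dc.OperationMasterRoles.Count -gt 0) {
    $findings += "$DcName holds FSMO role(s): $($dc.OperationMasterRoles -join ', ')"
}

# 3. More than 2 GB of memory is recommended.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $DcName
$ramGB = $cs.TotalPhysicalMemory / 1GB
if ($ramGB -le 2) {
    $findings += ("{0} has only {1:N1} GB of RAM" -f $DcName, $ramGB)
}

# 4. Do not use the import DC as a DNS server.
$dns = Get-Service -Name DNS -ComputerName $DcName -ErrorAction SilentlyContinue
if ($dns -and $dns.Status -eq 'Running') {
    $findings += "$DcName is running the DNS Server service"
}

if ($findings.Count -gt 0) {
    $msg = "$DcName does not match the recommended import DC profile:`n - " + ($findings -join "`n - ")
    Write-Warning $msg
} else {
    Write-Host "$DcName matches the recommended bulk-import profile."
}

# 5. Optionally pause inbound and outbound AD replication on this DC for the
#    import window. Re-enable afterwards with:
#    repadmin /options $DcName -DISABLE_INBOUND_REPL -DISABLE_OUTBOUND_REPL
if ($DisableReplication) {
    repadmin /options $DcName +DISABLE_INBOUND_REPL +DISABLE_OUTBOUND_REPL
}
```

Run it with -DisableReplication only for the duration of the import, and confirm replication is re-enabled before returning the DC to normal service.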
For additional information about related topics, click the following article numbers to view the articles in the Microsoft Knowledge Base:

214677 Automatic Detection of Site Membership for Domain Controllers

260857 DFS Site information not updated when W2K servers move AD sites
