WinTasks Process Library
lsass - lsass.exe - Process Information
Process File: lsass or lsass.exe
Process Name: Local Security Authority Service
Description: Windows Local Security Authority Server Process handles Windows security mechanisms. It verifies the validity of user logons to your computer or server. Technically, the software generates the process that is responsible for authenticating users for the Winlogon service.
Company: Microsoft Corp.
System Process: Yes
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
Common Errors: N/A
and qouting from
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q308356
Limit or Minimize the Number of Programs on Your Domain Controller
For optimum performance, the Lsass.exe process takes as much RAM as possible on a given server or domain controller. The Lsass.exe process relinquishes that RAM as other processes ask for it. The idea is to optimize performance of the Lsass.exe process while still accounting for other processes that might run on a computer. Because of this and to increase performance, it is a good practice to limit or minimize the number of programs on a domain controller. If there are no memory requests, the Lsass.exe process uses this memory to cache queried data.
Use the Active Directory Sizer (Adsizer.exe) and ADTEST Tools
You can use the Adsizer.exe tool to gauge the amount of memory that is needed for domain controllers based on their function. You can only use this test as an estimate because Adsizer.exe cannot predict exactly how much memory will be necessary for all processes. You can use the ADTEST tool to stress the domain controllers and provide an expected memory usage baseline and memory load.
32-Bit Addressing Space Is Limited to 4 Gigabytes (GB)
The 32-bit addressing space is limited to 4 GB of physical memory.
Use Counters to Monitor Lsass.exe Usage
You can use the job object, processor usage (80% Processor usage as a stress mark), adperf, and cop processes performance tools to monitor Lsass.exe usage. The counters of interest are Memory, Process, NTDS Object, Cache, Server, Processor, Threads, and Database.
Use Windows
If you plan to use more than 1 GB of physical memory on the domain controller, use Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows Server 2003, Standard Edition, Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition. You can use the /3GB switch on these versions of Windows to provide an additional 1 GB of addressable memory. However, if you use this switch with Windows 2000 Server, this memory space is marked as unavailable.
Memory Information
Lsass memory usage on domain controllers has two major components: one fixed and one variable.
The fixed component is made up of the code, the stacks, the heaps, and various fixed size data structures (for example, the schema cache). The amount of memory that Lsass uses may vary, depending on the load on the computer. As the number of running threads increases, so does the number of memory stacks. Lsass.exe usually uses 100 MB to 300 MB of memory. Lsass.exe uses the same amount of memory no matter how much RAM is installed in the computer. However, when a larger amount of RAM is installed, Lsass can use more RAM and less virtual memory.
The variable component is the database buffer cache. The size of the cache can range from less than 1 MB to the size of the entire database. Because a larger cache improves performance, the database engine for AD (ESENT) attempts to keep the cache as large as possible. While the size of the cache varies with memory pressure in the computer, the maximum size of the cache is limited by both the amount of physical RAM installed in the computer and by the amount of available virtual address space (VA). AD uses only a portion of total VA space for the cache. The maximum amount of VA space that AD can use is determined by the following formula:
((totalVA - 1GB) / 2)
Note This formula only applies to Windows 2000. In Windows Server 2003, the memory model for LSASS is different and the amount of memory that is used by the cache is dynamic. Memory usage has grown as large as 2.6 GB, but this is based on the assumption that other processes in LSASS do not need the memory.
This means that on an x86 machine without the /3GB switch, the cache size is limited either to 512 MB or to the amount of physical RAM, whichever is smaller. With the /3GB switch, the cache size is limited to either 1 GB or to the amount of physical RAM, whichever is smaller. Note that this means that the /3GB switch begins to help as soon as the amount of physical RAM is greater than approximately 600MB (500 MB for the cache, plus approximately 100 MB for the fixed component). On 64-bit systems, such as the IA64, cache size is effectively limited only by RAM, and Microsoft Development has test systems with over 9GB of cache in use.
