Tips for Windows domain controller optimization

Learn to use Performance Monitor counters in Windows to optimize domain controllers for maximum system and database performance.

There are many different techniques for optimizing servers. To most Windows administrators, optimization means using the Performance Monitor to find out where a system's bottlenecks are, and then working to remove the cause of those bottlenecks. This is such a common optimization technique that Microsoft includes it as a part of many of its Windows certification classes. If you have ever attended any of these classes or read the various certification guidebooks, then you know that there are some very specific counters that Microsoft recommends monitoring.

I don't deny the importance of the more commonly used counters. In fact, they work really well. The problem is that although you can learn a lot about a system by monitoring the most basic counters, not all servers are created equally. Depending on a server's role, it may use some resources more heavily than others. Therefore, unless you know which resources a server is really depending on, you will never be able to fully optimize the system.

Microsoft has created Performance Monitor counters that are specific to some server roles. This is particularly true for Windows domain controllers. Let's take a look at some of those counters that I've found to be the most helpful.


The majority of Windows networks contain multiple domain controllers, and updates to the Active Directory database must be replicated to each DC. Since the replication process plays such an important role in keeping domain controllers up to date, I tend to think that the replication-related counters are probably the most important ones to monitor. The table below lists some of the more helpful replication-related counters.

| Performance Object | Counter | What It Does | Why It's Important |
| --- | --- | --- | --- |
| Directory Services | DRA (directory replication agent) Inbound Full Sync Objects Remaining | This counter displays the number of items that must be synchronized before the synchronization is considered complete. | You can watch how fast this counter decrements to get a feel for how quickly synchronizations are occurring. |
| Directory Services | DRA Remaining Replication Updates | This counter lists the number of directory objects that have been received, but have not yet been applied. | Consistently high numbers typically indicate poor database performance. |
| Directory Services | DRA Pending Replication Synchronizations | This counter reflects the number of replication synchronizations that have been queued but not processed. | Non-zero values indicate a replication backlog. Occasional backlogs are normal, but the backlog should disappear quickly. |


One of a domain controller's primary jobs is to authenticate users when they attempt to log into a domain. Unfortunately, Windows does not provide a lot of authentication-specific counters, but the table below gives details for two important ones.

| Performance Object | Counter | What It Does | Why It's Important |
| --- | --- | --- | --- |
| Security Systemwide Statistics | Kerberos Authentications / Sec | Displays the number of Kerberos authentications occurring each second. | In large organizations, you might try running this counter on Monday morning as everyone is logging in to see how well the server keeps up with authentication requests. |
| Security Systemwide Statistics | NTLM Authentications / Sec | Displays the number of NTLM authentications occurring each second. | In large organizations, you might try running this counter on Monday morning as everyone is logging in to see how well the server keeps up with authentication. |

Database performance

It might seem odd to talk about database performance in an article on domain controller optimization, but if you stop and think about it, Active Directory is really just a big database that is available to clients by way of LDAP queries. If the database does not perform well, then you can't expect the domain controller to perform well either. The table below lists some of the more important database-related performance monitor counters.

| Performance Object | Counter | What It Does | Why It's Important |
| --- | --- | --- | --- |
| Database | Database Cache % Hit / Sec | This counter shows the percentage of requests that were fulfilled by the database cache. | Caching database pages improves database performance. If the cache hit rate is less than 85%, it usually indicates that your server needs more memory. |
| Database | Database Cache Page Fault Stalls / Sec | This counter indicates the number of page faults occurring each second. Page faults displayed by this counter occur because there are no pages available for allocation in the database cache. | Occasional page faults are normal, but consistently high numbers indicate that the database could benefit from additional memory. |
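
The replication and database tables above distinguish occasional spikes from sustained problems. The PowerShell below is an added example, not part of the original article, that applies that distinction to constructed counter readings. The 85% cache-hit floor and the non-zero backlog test come from the tables; the run length of three samples, the 50-update ceiling and the function names are assumptions made for the example.

```powershell
# Constructed readings (not real measurements), one per sampling interval, oldest first.
# Counter names are written as the tables above give them.
$samples = @(
    [pscustomobject]@{ Counter = 'DRA Pending Replication Synchronizations'; Readings = @(0, 2, 0, 0, 1, 0) }
    [pscustomobject]@{ Counter = 'DRA Remaining Replication Updates';        Readings = @(0, 40, 55, 61, 70, 66) }
    [pscustomobject]@{ Counter = 'Database Cache % Hit / Sec';               Readings = @(91, 84, 82, 80, 83, 88) }
)

# The 85% floor and "non-zero means backlog" come from the tables. MinRun (how many
# consecutive breaching samples count as sustained) and the 50-update ceiling are assumptions.
$rules = @(
    [pscustomobject]@{ Counter = 'DRA Pending Replication Synchronizations'; Breach = { param($v) $v -gt 0 };  MinRun = 3; Meaning = 'replication backlog is not clearing' }
    [pscustomobject]@{ Counter = 'DRA Remaining Replication Updates';        Breach = { param($v) $v -gt 50 }; MinRun = 3; Meaning = 'updates arrive faster than the database applies them' }
    [pscustomobject]@{ Counter = 'Database Cache % Hit / Sec';               Breach = { param($v) $v -lt 85 }; MinRun = 3; Meaning = 'cache hit rate below 85%, server likely needs more memory' }
)

# Length of the longest unbroken run of readings for which the breach test is true.
function Get-LongestRun {
    param([double[]]$Values, [scriptblock]$Breach)
    $longest = 0
    $current = 0
    foreach ($v in $Values) {
        if (& $Breach $v) { $current++ } else { $current = 0 }
        if ($current -gt $longest) { $longest = $current }
    }
    return $longest
}

# Apply each rule to its counter series and report whether the breach is sustained.
function Test-DcCounterSamples {
    param([object[]]$Samples, [object[]]$Rules)
    foreach ($rule in $Rules) {
        $series = $Samples | Where-Object { $_.Counter -eq $rule.Counter }
        if (-not $series) { continue }   # counter was not sampled
        $run = Get-LongestRun -Values $series.Readings -Breach $rule.Breach
        [pscustomobject]@{
            Counter    = $rule.Counter
            LongestRun = $run
            Sustained  = ($run -ge $rule.MinRun)
            Meaning    = if ($run -ge $rule.MinRun) { $rule.Meaning } else { 'within normal variation' }
        }
    }
}

Test-DcCounterSamples -Samples $samples -Rules $rules | Format-Table -AutoSize
```

On a live domain controller the readings would come from Get-Counter, using the counter paths exactly as that server lists them.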

Unfortunately, it is impossible to thoroughly discuss the topic of domain controller optimization within the confines of one article. However, these Performance Monitor counters will give you a better idea of why your domain controller is performing the way it is.

Brien M. Posey, MCSE, has received Microsoft's Most Valuable Professional Award four times for his work with Windows Server, IIS and Exchange Server. He has served as CIO for a nationwide chain of hospitals and healthcare facilities, and was once a network administrator for Fort Knox. You can visit his personal Web site at

This was first published in July 2008

