Update deploy-pam-with-windows-server-2016.md

MIMDocs/pam/deploy-pam-with-windows-server-2016.md

@@ -69,6 +69,11 @@ Perform the install as described in the [Getting started guide](privileged-ident
   -   After configuring delegation, and before restarting the server, enable the Privileged Access Management features in Windows Server 2016 Active Directory by launching a PowerShell window as administrator and typing the following commands.
 
 
+[!NOTE]
+In Windows Server 2016 through 2025, enabling the Privileged Access Management feature incurs some additional CPU overhead on the domain controllers in the forest where the feature is enabled. For most workloads in most environments, this CPU overhead is typically less than 2%. However, group member enumeration of very large security groups (for example, groups with more than 10,000 members) can becoming singifcantly (2x-3x) more expensive. For example, enumerating the group members of a security group with 20,000 members may take 200 milliseconds before enabling the PAM feature, and 400 milliseconds after enabling the PAM feature. These numbers are only an example and will vary based on multiple factors such as the domain controller's hardware, size of the security group, etc.
+
+
+
   ```
   $of = get-ADOptionalFeature -filter "name -eq 'privileged access management feature'"
   Enable-ADOptionalFeature $of -scope ForestOrConfigurationSet -target "priv.contoso.local"