Brian Puhl's Weblog

These postings are provided "AS IS" with no warranties, and confer no rights...WHEW...glad we got that over with, let's get to the good stuff now...

Blogs

x64 Domain Controllers

  • Comments 17
  • Likes

Had an e-mail thread with Joe recently, which also resulted in this blog entry.  He's a consultant for another big tech company, and was working with a customer that was migrating a lot of non-domain joined machines to AD as well as deploying other AD aware applications.  The net result though, is that he was in the unenviable position of having no performance baseline to go off of, and a bunch of customers asking how many 64-bit domain controllers they needed to buy.  And therein lies the problem, there just aren't that many 64-bit DC's deployed out there (yet), so if you're starting from scratch, where do you start?

Well, to make a long story short (too late), a few e-mail back and forth later and I fired off some of the stats that we use internally here at Microsoft.  In the spirit of copy/paste, here's the mail I sent (slightly edited to protect the innocent), if you don't have anything else to go on or just want some general reference...then you can use this.

REMEMBER - "IT DEPENDS" and "YOUR MILEAGE WILL VARY"

________________________________________
From: Brian Puhl [mailto:Brian.Puhl@microsoft.com]
Sent: Wednesday, September 06, 2006 6:11 PM
To: Joe
Subject: RE: Ping...

Well, like you said, “it depends” and “your mileage WILL vary.” 

It’s tough, because we don’t plan based on numbers of users, workstations, or anything like that…  We base capacity on performance trends, which I realize is ultimately where you’re trying to get <customer> to…  So instead, here are some details from our Redmond domain.  These are live numbers, which you can use to approximate.  Remember that MS is probably a higher utilization environment than <customer>, so you can use these to build a deployment plan with the expectation that you could end up slightly over capacity. 

Domain Details:
   99%+ of the users are in a single AD site, so assume that this is all for a single site.
   49K user accounts (includes service accounts, etc…)
   160K computer accounts 
   17 DC’s for authentication load, app’s – everything but exchange
   5 DC’s in a separate dedicated Exchange site, shielded from auth load

Typical auth DC spec
   HP DL585
   4 x 2.2GHz AMD64
   16GB RAM (12 GB dit file)
   2 or 4 spindles (0+1) for OS and logs
   6 spindles (0+1) for dit, backup, and sysvol
           
Typical load profile (randomly picked a DC and pulled open perfmon while I’m typing this mail) – see note below
   Ave CPU – 55% 
   Ave Disk Queue – 0.1

   Server Sessions – 585
   NTLM Auths – 215
   Kerb Auths – 92
   DS Client Binds/Sec – 44

   Gigabit NIC card
   NIC Output Queue – 0

Major thing to note about the perf data – We’ve got 3 DC’s offline at the moment due to dogfooding, so this perf load would be with 14 DC’s online.  Our target utilization is 20-40% sustained peak CPU.

Also, based on our experience, we’re rarely NIC bound.  When we see overloaded DC’s, they typically tend to be disk bound or processor bound.  Even when we had x86 with 4GB of RAM, the memory pressure just translated into disk queues, so when you’re spec’ing out your servers I would be least concerned about the connectivity.  You probably also noticed in the whitepaper that x64 doesn’t give you a whole lot of benefit in a pure auth environment.  These operations tend to be disk bound even in a 64-bit OS.

I think you’re hoping for a “5000-10000 user” type answer, but even if I gave you a completely wild guess, It would probably do more harm than good in your conversations with the customer.

Does this give you a better idea?  Are there other details that would help you make a better guess? 

The whitepaper that I referred to is the Active Directory 64-bit Performance Comparison paper, located here.

Comments
  • By chance,  does the 1gb per process limit exist in the 64bit version of the os?

    We were discussing the max event log size today and I was curious if it still is an issue in 64bit os versions.

    more info here:  http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!699.entry

    Thanks,

    Jef

  • Brian,

    Nice info. Thanks for sharing.

    Can't you still provide the 5000-10K user answer by dividing the # of user / computer accounts or the # of authenticated operations over some unit of time by the # of available DC's?

    MSFT authenticates X # of security principals or Y # of authentications with 14 servers

    If you look only at user account authentication then that's 3500 users per DC.

    If you look @ user and computer account authentication then the ratio is more like 15K user / computer accounts per server where user to computer account ratio is 1:3.2.

    I would assume that the majority of desktop computers run 24x7 except for reboots from power outages and security fixes, with laptops generating more volume as reattach each day or wake from hibernate between meetings (the unlocking of a workstation generates a logon authentication)

    Very few companies will have 3.2 computer accounts per user.

    Focusing on authentcations per hour (especially at peak times), day or week will likely give a better result.

  • Hi AC, thanks for reading my blog and posting the comments!

    There are numerous reasons why a "5000 - 10000" type answer isn't valid, but the by far the largest one is that it depends on how other things in the domain are configured.

    For example, we have IPSec deployed in all our forests for domain isolation.  Does this change the load profile on the DC's?  ABSOLUTELY!

    In fact, I'll even admit here, that our IPSec deployment actually caused some serious auth issues in the domain because we exceeded our capacity.  The only solution was to upgrade and add servers (we did both).

    So one day, we're cruising along with ~15 x86 "old" DC's...and the next day, we've got 20 DC's, half of which are x64.  Numbers of users, computers, even interactive logons, all stayed the same - but our Kerberos authentication's tripled due to the IPSec negotiations.

    Every environment is different.  How you configure your servers is different.  What kind of load you have on your servers will be different, so no, I can't really provide a generic answer for you...

    "So Brian - If everything is 'different' like you say, then why give any advice at all?"

    Because somebody, somewhere, is sitting at their desk, in front of a blank whiteboard, with the most unusual IT problem of all - They've actually GOT budget, but have ABSOLUTELY NO IDEA WHATSOEVER what to spend it on...  My numbers will at least help you determine if you need 2, 10, 20, 100 or 200 DC's...

    well...at least that's what I hope.

    ~Brian

  • I see this questions come up quite a bit about the interoperability of x86 and x64 domain controllers.

  • Hello,

    I am in search of guidelines for my staff on how to load the entire Active data base in RAM. We are dealing with 1.5 Million users and need the faster speed of authentications. Also for wireless devices.

    Any asisstance is greatly appreciated.

  • [...]OH COOL! :) thanks! :), i like the offer, but if u want to see the new projection screen in affordable price then here is the link:

    http://www.electronicwhiteboardswarehouse.com/

    [ ..]

  • PingBack from http://jeftek.wordpress.com/2006/09/13/64bit-domain-controllers-and-event-log-max-sizing/

  • Udai5g r u crazzy? I told u! I can't read!

  • PYO3G0 r u crazzy? I told u! I can't read!

  • TOxHuW r u crazzy? I told u! I can't read, man!

  • CtEZd0 r u crazzy? I told u! I can't read!

  • MgY4lY r u crazzy? I told u! I can't read!

  • EFn4x7 r u crazzy? I told u! I can't read!

  • ruz4u0 r u crazzy? I told u! I can't read!

  • H9fViN r u crazzy? I told u! I can't read!