Active Directory Q&A

Hello,

Demorie here…I had another dream the other night about a celebrity.  Jack Nicholson and I were hanging out at a beach resort.  I was interviewing him on why I didn’t see him at the Oscars.  Was he there?  Where was he sitting?  He told me he was delegated to the balcony with the special effects crowd.  And I thought, “Jack?!?  Delegated to the balcony?  How could this be?”  

Then he raised his eyebrows, smirked and said, “You don’t think I’d settle for the balcony, do you?”  Of course not!  “I held a little soiree of my own…”

All of this Q&A got me thinking that not all presentations are what they seem, and sometimes it’s nice to have a little Q&A with the head honchos to know what’s really going on….

So, here is a follow-up to Ward’s post on the Active Directory x64 Streaming Blogcast.  These questions are from customers like you and the answers are straight from the head honchos.  Here's Ward's original post so you can go watch the Active Directory x64 Blogcast: x64 Streaming Blogcast - How to Maximize Active Directory Performance in the Enterprise 

And here is the Q&A...

Asked: Is there the same functional level for 2003 x64 AD domains and forests? Can we see advantages of 2003 x64 with existing 32-bit DCs?

Answered: There's no difference between 32-bit and 64-bit DCs from a forest level perspective. The same rules apply to both platforms, and they interop just fine with each other.


Asked: Are there some advantages from using a 2003 x64 DC in a 2003 x32 domain and forest?

Answered: There's no difference between 32-bit and 64-bit DCs from an AD Domain or Forest level. The underlying platform (32-bit vs. 64-bit) is completely separate from any AD-specific technologies (forest\domain levels, replication, monitoring, etc.).


Asked: So, only performance?

Answered: Yes, you can get better performance two ways. The first is improvements to the processor processing power itself; the second is the ability for the memory address space to scale IMMENSELY past the 32-bit 4 GB virtual address space. With 32-bit architecture, you can only cache at MOST 2.6 GB of your AD Database into memory. With 64-bit DCs, you can store up to (theoretically) 14.9 TB.


Asked: How many user and computer accounts are in Microsoft's AD, and what is the MS AD DB size? Are you using x64 DCs?

Answered: There are a few forests at Microsoft. The primary forest that has the largest domain contains ~110,000 computer accounts and ~60,000 user accounts. The DB size is approx. 9.5 GB. Yes, there are 64-bit DCs. The primary reason is email, since Microsoft sends upwards of 3 million email messages a day internally. The 64-bit DCs (2) handle the bulk of the address book lookups.


Asked: Which DB engine is used for AD now, and which is planned for future?

Answered: ESE (AKA JET) is the DB, which is the same as Exchange. The next version of server (Longhorn) will also use JET for AD. Past that we (the AD product group) haven't made a decision. JET works well for our needs, so we would move only if there was a compelling reason (strategic or technical).


Asked: Are any LDAP performance benchmarks available for AD on a 64-bit platform?

Answered: Unfortunately no, and we need to soon.


Asked: Keeping in mind x64...are there some reasons to move some data from AD to an ADAM instance? (Currently we are putting all business applications to authorize against our network AD.)

Answered: The decision of ADAM vs. AD shouldn't have anything to do with 64-bit. The decision to move to ADAM for an application is generally made by implementation choices of how the data is managed. People deploy ADAMs because of things like schema bureaucracy in an organization, or because of autonomy and isolation requirements.


Asked: I meant performance.

Answered: What are the workload characteristics for your app? Is it LDAP heavy? Does it perform authentication? Reads vs. writes?


Asked: More reads. We store user authorization information (rights) in distribution groups for all our UNIX apps.

Answered: Not really, no. The bind path on ADAM is a bit different, so it can be nominally faster depending on bind type, but not excessively faster in our testing.


Asked: Are those efficiency increases based on per year? Per product life cycle?

Answered: Some of them were based on per year, and some were static responses.


Asked: Are there any VeriTest DirectoryMark benchmarks regarding x64 DCs available?

Answered: Not yet. That's planned to be available prior to our launch.


Asked: Is there a list of 64-bit business apps?

Answered: Yes, a list is being built and will be posted on microsoft.com around the launch time frame. If you think your app should be part of this list, please email app64@microsoft.com.


Asked: With big numbers of groups (10k-50k), representing business application rights, does the AD DB size grow significantly?

Answered: I'm not sure I have enough data in the question to provide a qualified answer. Generally, no, not significantly more than any other object type. If it's Win2k03 and you're in Forest Functional mode, group membership is stored and replicated more efficiently. One of the gains in FFM is also being able to scale past the 5000 direct group membership limitation.
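The two figures that matter operationally in the answers above are the ~2.6 GB cache ceiling on a 32-bit DC and the 5000 direct-member limit that Windows Server 2003 forest functional mode removes. The script below is an added example, not part of the original post or of Microsoft's own tooling, that checks a domain controller against both: it reads the OS architecture, locates ntds.dit via the NTDS `DSA Database file` registry value, reports the forest functional level, and lists groups approaching the member ceiling. It assumes the ActiveDirectory PowerShell module is installed and that it is run on the DC with administrative rights; the 4500-member warning threshold is an assumed margin, not a value from the post.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is available and the script runs on the DC as an administrator.
Import-Module ActiveDirectory

# 1. Platform and database size.
#    The post states a 32-bit DC can cache at most ~2.6 GB of the ESE database,
#    so a larger ntds.dit on a 32-bit DC means LDAP reads will hit disk.
$cacheCeilingGB = 2.6
$os   = Get-CimInstance Win32_OperatingSystem
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dit  = Get-Item $ntds.'DSA Database file'
$ditGB = [math]::Round($dit.Length / 1GB, 2)

"OS architecture : $($os.OSArchitecture)"
"ntds.dit path   : $($dit.FullName)"
"ntds.dit size   : $ditGB GB"
if ($os.OSArchitecture -like '32*' -and $ditGB -gt $cacheCeilingGB) {
    "WARNING: database exceeds what a 32-bit DC can cache in memory"
}

# 2. Forest functional level and groups close to the 5000-member ceiling.
#    Below Windows Server 2003 forest mode the whole member attribute is
#    replicated as one unit and is capped at 5000 direct members.
$forest = Get-ADForest
"Forest mode     : $($forest.ForestMode)"

$threshold = 4500   # assumed margin below the 5000 limit
Get-ADGroup -Filter * -Properties member |
    Where-Object { $_.member.Count -ge $threshold } |
    Sort-Object { $_.member.Count } -Descending |
    ForEach-Object {
        "{0,6} members  {1}" -f $_.member.Count, $_.DistinguishedName
    }
```

Reading the `member` attribute directly with `Get-ADGroup -Properties member` avoids the per-call result limits that `Get-ADGroupMember` runs into on very large groups, and the registry lookup finds the database even when it has been moved off the default path.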


PS – You know...I have no idea if Jack was present at the Oscars.  It’s just I didn’t see him in the front row as usual wearing his sunglasses. :-)