• Anonymous Jef Kazimer
    14 Sep 2006 7:48 AM

    By chance,  does the 1gb per process limit exist in the 64bit version of the os?

    We were discussing the max event log size today and I was curious if it still is an issue in 64bit os versions.

    more info here:  http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!699.entry

    Thanks,

    Jef

  • Anonymous AC
    15 Sep 2006 12:22 AM

    Brian,

    Nice info. Thanks for sharing.

    Can't you still provide the 5000-10K user answer by dividing the # of user / computer accounts or the # of authenticated operations over some unit of time by the # of available DC's?

    MSFT authenticates X # of security principals or Y # of authentications with 14 servers

    If you look only at user account authentication then that's 3500 users per DC.

    If you look @ user and computer account authentication then the ratio is more like 15K user / computer accounts per server where user to computer account ratio is 1:3.2.

    I would assume that the majority of desktop computers run 24x7 except for reboots from power outages and security fixes, with laptops generating more volume as reattach each day or wake from hibernate between meetings (the unlocking of a workstation generates a logon authentication)

    Very few companies will have 3.2 computer accounts per user.

    Focusing on authentcations per hour (especially at peak times), day or week will likely give a better result.

  • Brian Puhl Brian Puhl
    15 Sep 2006 1:16 PM

    Hi AC, thanks for reading my blog and posting the comments!

    There are numerous reasons why a "5000 - 10000" type answer isn't valid, but the by far the largest one is that it depends on how other things in the domain are configured.

    For example, we have IPSec deployed in all our forests for domain isolation.  Does this change the load profile on the DC's?  ABSOLUTELY!

    In fact, I'll even admit here, that our IPSec deployment actually caused some serious auth issues in the domain because we exceeded our capacity.  The only solution was to upgrade and add servers (we did both).

    So one day, we're cruising along with ~15 x86 "old" DC's...and the next day, we've got 20 DC's, half of which are x64.  Numbers of users, computers, even interactive logons, all stayed the same - but our Kerberos authentication's tripled due to the IPSec negotiations.

    Every environment is different.  How you configure your servers is different.  What kind of load you have on your servers will be different, so no, I can't really provide a generic answer for you...

    "So Brian - If everything is 'different' like you say, then why give any advice at all?"

    Because somebody, somewhere, is sitting at their desk, in front of a blank whiteboard, with the most unusual IT problem of all - They've actually GOT budget, but have ABSOLUTELY NO IDEA WHATSOEVER what to spend it on...  My numbers will at least help you determine if you need 2, 10, 20, 100 or 200 DC's...

    well...at least that's what I hope.

    ~Brian

  • Anonymous Anonymous
    8 Feb 2007 8:43 PM

    I see this questions come up quite a bit about the interoperability of x86 and x64 domain controllers.

  • Anonymous Max
    10 Aug 2007 9:59 PM

    Hello,

    I am in search of guidelines for my staff on how to load the entire Active data base in RAM. We are dealing with 1.5 Million users and need the faster speed of authentications. Also for wireless devices.

    Any asisstance is greatly appreciated.

  • Anonymous Rhea
    11 Dec 2007 10:21 AM

    [...]OH COOL! :) thanks! :), i like the offer, but if u want to see the new projection screen in affordable price then here is the link:

    http://www.electronicwhiteboardswarehouse.com/

    [ ..]

  • Anonymous Anonymous
    31 Jan 2008 11:56 AM

    PingBack from http://jeftek.wordpress.com/2006/09/13/64bit-domain-controllers-and-event-log-max-sizing/

  • Anonymous zxevil135
    1 Mar 2008 2:00 AM

    Udai5g r u crazzy? I told u! I can't read!

  • Anonymous zxevil136
    2 Mar 2008 12:31 AM

    PYO3G0 r u crazzy? I told u! I can't read!

  • Anonymous zxevil134
    7 Mar 2008 2:07 AM

    TOxHuW r u crazzy? I told u! I can't read, man!

  • Anonymous zxevil141
    7 Mar 2008 5:12 AM

    CtEZd0 r u crazzy? I told u! I can't read!

  • Anonymous zxevil150
    7 Mar 2008 10:57 PM

    MgY4lY r u crazzy? I told u! I can't read!

  • Anonymous zxevil151
    8 Mar 2008 1:56 AM

    EFn4x7 r u crazzy? I told u! I can't read!

  • Anonymous zxevil152
    8 Mar 2008 5:15 AM

    ruz4u0 r u crazzy? I told u! I can't read!

  • Anonymous zxevil153
    8 Mar 2008 8:20 AM

    H9fViN r u crazzy? I told u! I can't read!

>