Shulou(Shulou.com)06/01 Report--

In order to solve the problem of how to estimate the size of AD domain controller in Windows, this article introduces the corresponding analysis and solution in detail, hoping to help more partners who want to solve this problem to find a more simple and feasible method.

Since the launch of Windows 2000, managers and designers have been trying to figure out how to measure domain controllers. Measuring a server usually involves the number of processors, physical memory, disk space, and applications that can run on the server.

Recommended reading: listen to experts talk about Windows active Directory

The difficulty in measuring domain controllers (DC) is that the load is too variable. Domain controllers handle authentication through the Lsass.exe process, which has many functions. In addition, processor resources are consumed by Ntds.dit database operations in a non-linear manner. Therefore, the load of the domain controller can be variable for the following reasons:

The number of authenticated clients is unpredictable because multiple domain controllers share the load used for clients to enter and exit the site.

Applications that perform authentication and lightweight Directory access Protocol (LDAP) queries place an additional burden on domain controllers.

Authentication and access to Windows resources through non-Windows clients increase the load on domain controllers due to lightweight directory access protocol queries.

Invalid lightweight directory access protocol queries can cause unpredictable load on domain controllers.

Active catalog analysis and monitoring tools create additional load on domain controllers.

Although these factors make the estimation of domain controller more challenging, it is still feasible. The key is to measure actual performance and determine the load and required resources.

I have worked with many administrators whose domain controllers are not up to the task of handling their business. However, by using some fairly simple Perfmon performance monitoring analysis, I was able to reduce the pressure on the domain controller to affect login performance. In this way, I can determine its size instead.

Lsass.exe application

Lsass.exe is a key factor in resolving domain controller performance issues in Windows 2008 and 2008 R2, and it is responsible for all authentication activities on domain controllers. To solve performance problems, Lsass.exe takes up CPU and memory resources and leaves a detailed memory footprint. The ultimate goal here is to get enough random access memory to put Ntds.dit files in memory and still serve lightweight directory access protocol queries.

First, to determine how much memory is required, it is important to ensure that all domain controllers are installed on x64 servers. If it is less than this number, Lsass.exe will not be able to get the memory it needs.

To determine the memory size, the first step is to calculate the size of the Ntds.dit file and add 20%, followed by Perfmon performance monitoring analysis. To do this, simply look at the Ntds.dit file size in the% systemroot%\ windows\ ntds directory and look at the task manager to see the memory usage of Lsass.exe. Note that the size of the Ntds.dit file is the same on each domain controller, but the lightweight directory access protocol load may vary from site to site.

Processor estimation

The active Directory processor is also important for calculating the memory size of the domain controller, which is linked to the AD Jet database session operation. Windows Server 2008 R2 actually has a registry key to control these sessions, but they need to be managed carefully. The more processors you mix, the more Jet database sessions are available. However, exhaustion of Jet sessions can cause many problems that indicate that AD is out of resources. To avoid this, start with at least four processors.

Disk space

Disk space is fairly simple to manage, and it follows common disk performance rules. Remember to use a high-performance disk and put the logs and SYSVOL folders on a disk (spindle) separated from the Ntds.dit file. The size of the Ntds.dit file and SYSVOL folder will play an important role in disk space unless there are other applications running on the domain controller.

Performance analysis.

By running performance monitoring analysis, administrators can determine the load on memory, processors, and disk space, as well as the performance of existing domain controllers, which is better on x64 platforms. Use only standard counters (memory, processors, disks, networks, etc.), but adding NTDS counters and Lsass.exe process counters minimizes the impact on domain controller performance. Run it for at least 48 hours to capture peak and off-peak activity for two days.

Once the analysis is complete, then measure the Lsass.exe process counters and look for persistent, persistent CPU and memory utilization. Compare this utilization with available memory to determine if memory usage matches Lsass.exe. Figure 1 shows the increase in available memory in the morning hours, with a spike in lightweight directory access protocol binding time.

Figure 1: available memory

Figure 2: lightweight Directory access Protocol binding time

According to Perfmon performance monitoring analysis, the spike in LDAP binding time is not related to the reduction of available memory. Therefore, data needs to be captured over a long period of time.

Note: for LDAP binding time, look for consecutive periods above 15ms. PAL will mark the level of warnings and errors.

This is the answer to the question about how to estimate the size of AD domain controller in Windows. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel for more related knowledge.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.