Re: AD Limits



We have a web/sql/mail application that uses AD for authentication of
user accounts. Single domain, single OU. There are no other objects
that we use, no groups (other than built-in), no computers (other than
the servers running the app), no Exchange, etc. We are
rearchitecting the application right now as we prepare for an
increase of users to several million.

Currently, once the user is authenticated during website logon, there
are no other security checks made against that account when accessing
resources, all resources are accessed by just a handful of service
accounts. One of the goals of the rearchitecture is to add that
security into the mix.

Some members of our team were under the impression that there are
limitations to the number of objects, specifically user accounts, that
can be efficiently held in an OU and in the forest. From what I've
read over the past few days, I understand that there are such
theoretical limitations but they are probably far beyond what we'd
be using. Several sources quote very different numbers, though, so
I'm trying to make sure I have the correct information. For example,
I've run across, from various reputable sources, including MS itself
and several books on the topic, as well as other experts' articles on
the web, object limitations of 1 million, 100 million, 1 billion and
now you with over 4 billion. I would be satisfied with any of these
numbers except the first one. Furthermore, I also need to examine
hardware requirements to handle these numbers, as I currently have
only two DCs with dual Xeon 3.2GHz, 1GB of RAM and 60GB of HD space
each. I have not been able to find much concrete information on this
subject either, perhaps looking in the wrong places?

Thanks for your time gents,
Peter.


On Mon, 23 Jan 2006 16:12:59 -0800, Peter Lecki <plecki2@xxxxxxxxxxxx>
wrote:

>I'm looking for detailed and authoritative information regarding
>limitations of AD, specifically, the number of user accounts per
>directory and also per OU.
>
>Thanks,
>Peter.
