Re: Large numbers of Users in an OU



Your CPU spike is likely from running ADUC on the DC, not from the LDAP query itself. Really, anyway, you should be doing management from outside of the DC, and again, once you start getting into environments larger than several thousand users, managing them with a GUI so you can "click on them" is extremely inefficient. This will become more obvious when Longhorn comes out and server core domain controllers start becoming popular due to their lightweight design and reduced surface area for security attacks/issues, and a lot of folks who only know how to do AD admin through the GUI from the DC have no clue how to manage their environments. It is a rare thing for me to log on to a DC interactively, let alone run one of the GUI admin tools on a DC interactively.

A single OU design is quite common in an environment that is handled through provisioning. You have no delegation needs to call for different OUs, and then the only other reason is Group Policy; depending on how it is implemented, you could do this with a single OU as well. Group filtering of GPOs for any size population is nothing; that processing occurs at the client, not the DC.

Perf hits for GPOs come in primarily from actually applying specific GPOs, not figuring out which GPOs apply. The former is done with a couple of very lightweight LDAP calls; the latter requires SMB communications, which is extremely heavy next to LDAP.

joe


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
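As an added example (not from the thread or from joe's tools), the following PowerShell script does what the reply recommends: it enumerates a large OU from a management workstation with a paged LDAP search and a narrow attribute list, instead of opening the OU in ADUC on the DC. The DC name, the OU distinguished name and the page size are placeholder assumptions, not values from the original posts.

```powershell
# Added example: count users in a large OU with a paged LDAP query from a
# management host. Nothing here is from the original thread; the server and
# OU names below are placeholders and must be replaced with your own.
param(
    [string]$Server   = 'dc01.example.com',               # assumed DC name
    [string]$OuDn     = 'OU=Students,DC=example,DC=com',  # assumed OU
    [int]   $PageSize = 1000                              # default MaxPageSize on AD
)

Add-Type -AssemblyName System.DirectoryServices

# Bind to the OU on a specific DC so the query is served by LDAP, not by the
# GUI walking the whole container and pulling every attribute it displays.
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$OuDn")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = '(&(objectCategory=person)(objectClass=user))'
$searcher.SearchScope = 'OneLevel'

# Simple paged results (control 1.2.840.113556.1.4.319): the DC hands back at
# most $PageSize objects per round trip, so neither side has to hold all
# 18,000 (or 100,000) entries in memory at once.
$searcher.PageSize     = $PageSize
$searcher.CacheResults = $false

# Request only the attributes we actually need; ADUC loads far more per object.
$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userAccountControl', 'pwdLastSet'))

$total = 0
$disabled = 0
$results = $searcher.FindAll()
try {
    foreach ($r in $results) {
        $total++
        # userAccountControl bit 0x2 is ACCOUNTDISABLE.
        $uac = [int]$r.Properties['useraccountcontrol'][0]
        if ($uac -band 0x2) { $disabled++ }
    }
}
finally {
    # SearchResultCollection holds unmanaged handles; release them explicitly.
    $results.Dispose()
}

'{0} user objects in {1} ({2} disabled)' -f $total, $OuDn, $disabled
```

Run it under a delegated admin account from a workstation or jump host, not from an interactive session on the DC. If you want to verify that your admins are actually following that practice, audit logon events on the DCs for interactive (logon type 2) and remote interactive (logon type 10) sessions; a DC that sees regular type 2 logons from admin accounts is one where ADUC, and everything else that comes with an interactive desktop, is still being run locally.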


Marc wrote:
I currently have 70000 users in the forest with 7 domains. I am redesigning the forest to consolidate all domains with 1 empty root and one global domain. I went through the exercise of placing all users in one OU vs dividing the OUs by continent and then by country, primarily so Group Policies can be applied at the OU level if needed, and delegation. Joe, also log on to your Windows 2003 DCs and click on the OU with 100000 users; you will see a huge jump in CPU while it is querying the GC. I tested this on a few high-powered Compaq ProLiants, so yes, there is a drawback, although it is not documented.

Who would place 100000 users in 1 OU? You would then have ~15+ Group Policies with security filtering enabled, thus hindering logon performance.

"Joe Richards [MVP]" wrote:

Something else could be wrong; I regularly work with companies with 80,000+ users in a single OU. I ran an environment with 3 domains between 65,000, 85,000 and over 100,000 users in a single OU for 5 years. I also had a couple of small domains with only about 30,000 users as well. My DCs rarely if ever went above 20% utilization for CPU other than when building the replication topology.


Marc wrote:
We performed tests with an OU containing 35000 users, and during the OU loading, which queries the GC, the CPU usage increased by 60% on a G4 ProLiant dual-core, so yes, there is a drawback if multiple admins query an OU with a large number of objects.

"Joe Richards [MVP]" wrote:

Nope that is nothing.


Dave Fitton wrote:
I am in the process of changing our college network over from Novell 6.5 NDS to Active Directory on Windows Server 2003.

The staff users have moved over successfully.
I now want to create the Student Users in AD (18000 of them)

My question is:

Are there any problems in having 18000 users in one OU of AD?
(We have had this set up in NDS for years with no problems.)

Regards

Dave
