I'd be surprised if EDB Max Ver Pages resolved the issue, or even helped it (although it might help your DIT size, and almost definitely would if you are getting 602's).
Earlier I asked to see the search filters, and that's still my primary question. It's hard to diagnose a not-working query when we can't see the search being issued. Further, in ntdsutil please give us a text dump of your ldap policies (I assume you are using default policy object (not server/site specific one) so ntdsutil is a valid dump of em) so we have them for reference. The next steps after those two items (if required) would be shipping me either a DIT or dumpdatabase outputput and 3-5 usermode lsass dumps during query execution, but let's try and resolve it with the above two items first. ~Eric -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marco Bombardi Sent: Sunday, August 08, 2004 10:41 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] W2K DC Performance - ADC Failure Thanks for the info. I had a co-worker take over for me and work on this overnight with MS. We still have MS CPR on the case - put in some undocumented reg keys on the DC ...\NTDS\Parameters\EDB max ver pages (increment over the minimum) and have been making manual changes to the ADC Service (...\MSADC\Parameters\Max Continuous Sync - Max Export Block Size - Sync Sleep...). We've also set a time out of 30 min on the DC (ntdsutil - ldap policies - MaxQueryDuration) and still the queries won't finish. After narrowing the USN further it looks like we're getting some results but we still haven't had any users replicating... We've seen our DIT up to more then 30GB due to a recent DNS bug but even after an offline defrag it doesn't get below something like 18GB. We have about 180K users, 100K computer objs, 700 DCs, 650 sites... Marco -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Saturday, August 07, 2004 6:44 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [ActiveDir] W2K DC Performance - ADC Failure More likely is DIT bloat (DNS, DLT, etc.), but that shouldn't cause QP to slow down too much in reality, unless it is chewing on massive updates (replication oriented probably) or not caching as much as it could because it is caching some of the bloat. If you had major results as a result of the bloat (perhaps out of version store due to large order of change, etc.) I'd expect some seriously nastygrams in the evt's. ~Eric ________________________________ From: [EMAIL PROTECTED] on behalf of joe Sent: Sat 8/7/2004 6:18 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] W2K DC Performance - ADC Failure I was thinking the same thing. Largest I have worked with was about 8GB for GCs for a forest of 9 domains with a total of ~250k users, ~200k machines, ~100k machines w/ E2K enabled with additional company LDAP directory info. I guess you could have a lot of ACLs but that would be A LOT of ACLs. joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick Sent: Saturday, August 07, 2004 6:47 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] W2K DC Performance - ADC Failure Have you investigated why your DIT is over 20 gigs? IMO this is abnormal for MOST orgs.. -steve ----- Original Message ----- From: "Eric Fleischman" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Saturday, August 07, 2004 11:28 AM Subject: RE: [ActiveDir] W2K DC Performance - ADC Failure Ok if that's understood I'll bypass the understand your load point. But I reserve the right to laugh out loud later if it comes back to that later on. :) Can you take a trace of one such slow search filter and paste the search frame in to a mail to the dl? That way we know what we're looking at. And if there are multiple slow search filters, please show us any that you're concerned about that are timing out. :) Thanks! ~Eric -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marco Bombardi Sent: Saturday, August 07, 2004 12:25 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] W2K DC Performance - ADC Failure The problem is not really that we have a large amount of queries beating up our DCs but individual queries are being issued by the ADC against the DCs and are just timing out returning 0 objects as results. We're looking at running an offline defrag at this target DC to bring the ntds.dit down to somewhere below 20GB. Unfortunately in this scenario we don't have any W2K3 servers, they're all W2K... When I mentioned practical limits I meant that we've been doing quite a bit of housekeeping just to keep things running. When AD integrated DNS takes over an hour to start, offline defrags are weekly activities, a DCPromo can take almost a week (with fairly slow wan links - true) and now the ADC stops working because the DCs can't run an LDAP query within the normal - internal timeout limit, there is just nothing practical about it. :) Marco -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Saturday, August 07, 2004 9:53 AM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [ActiveDir] W2K DC Performance - ADC Failure I'm not ADC savvy, but I would approach this like any other scenario where we're tuning AD performance. I would do the following: 1) Collect ADPerf (if 2k03, SPA) data to baseline AD performance 2) Take a several-minute long wide-open netmon capture to observe lots of queries coming in and beating up the dc 3) If this is 2k03, I would enable inefficient and expensive search logging At that would I would review the ADPerf data to sanity check and be sure something else isn't beating up on your DCs. Now is where the plan diverges depending upon OS: If DCs are 2K: Review traces and filter on the LDAP search quests/responses, measure responsiveness of different genre's of queries. Break these searches down by similar search filter, ensure each is sufficiently fast. If DCs are 2K03: Review SPA data captured and inspect expensive searches being issued (ADC or otherwise) and begin putting a plan together to optimize for them. Further, filter out appropriate entries from DS event logs as a result of expensive & inefficient search logging, be sure they line up with your understanding from the SPA spew. Depending upon what queries are found, you either optimize the search filter or optimize AD for the search filter (read: index more stuff). Also, 2k03 DCs are substantially more performant for a lot of reasons, so one action item might be as simple as "upgrade DC that is servicing ADC to 2k03" and that might help, I don't know without looking at the data (and you didn't tell us if it is 2k or 2k03 so I'm not sure if this is moot or not). You can almost always optimize for an expensive search data set. I find it hard to believe you're anywhere near any of the perf practical limits. :) <aside> joe: note use of word genre. </aside> ~Eric ________________________________ From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED] Sent: Sat 8/7/2004 10:29 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] W2K DC Performance - ADC Failure Without getting into details let me just say that we have an environment with a single global domain that seems to be pushing some of the practical limits of AD. With that said, we ran into a problem that although we have MS working on it with us I'd also like to hear your suggestions. The summary of this part of the problem is actually fairly simple. We've been trying to kickoff an ADC CA to run a rebuild (MsExchServer1HighestUSN=0) and the ADC isn't working because its queries against our DCs seem to be timing out and never returning any results. There are no errors anywhere (ADC, SRS, DC) and even with diag logging turned up to max on ADC and SRS all we see are queries being issued and returning with 0 objects. We've changed the MaxPageSize on a chosen DC and saw some results coming back and we're also looking at network traces and adperf information to confirm the performance issue but what I was wondering is if you could give me your suggestions to improve DC performance in response to LDAP queries and if by chance any of you know if there is any kind of adjustment to the ADC so it "runs more efficient queries". Our domain partition deleted objects container is gigantic and we might try to do something there as well but that is not something we can do so easily/quickly due to its large scope "impact". Any suggestions will be appreciated. Thank you! Marco Bombardi List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
