RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

[joe]

LOL on the naughty boy messages.

 

The implementation was for a fortune 5 running on 2K with about 250k users but only about 180k Exchange users, 100k or so of contacts. With K3 it shrunk back down to I want to say around 4GB due to single instance store but it is getting to be quite a while ago now so I could be off on the K3 number, I left at the beginning of the K3 stuff. Yes those numbers are raw defragged DIT size numbers. They packed the GAL with info, all of the data that was previously in 5.5 plus whatever else they had in the LDAP directories that went with what was available for Exchange GAL. We spent a couple of months populating the directory with all of the data so as not to piss anyone off by slowing down convergence of critical data like passwords and new user accounts, etc.

 

An interesting story with all of this is when we did it, my AD was getting something like 25-30 fields, mostly strings populated with like addresses and what not at some X rate per hour at the top of the hour and at the same time the iPlanet LDAP directory was getting one field updated, a field saying its data had been synced to AD with a timestamp... The idea was to increase X every day or so until we thought we couldn't handle any more updates per hour. As a baseline, this was Windows 2000 with its various issues with schema updates and indexing and a schema update that was expected to take 3 or so hours ended up taking more than 18 hours to complete. My AD stretched across about 375 domain controllers around the world across all sorts of crappy hardware and even crappier links (especially South Africa, New Zealand, Middle East, and South America). The iPlanet directory was spread across 4 very high end UNIX servers in a single rack on a very bandwidth capable network on a dedicated switch. Guess who said uncle first for increasing the data population speed.... it wasn't AD, AD was chugging down the updates like a champion American Hot Dog Eating contest winner (though it was all in English instead of Japanese) but iPlanet started getting into a state that concerned the admins quite early on and we limited the data population based on that. It was so low of an impact that I didn't even really watch over it, just sent out the daily reports as required by management.

 

 

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 

 

 

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Tuesday, August 01, 2006 7:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

Just to be honest, it sounds like I made a bad assumption... that AD holds as much information (or more) natively as it does for Exchange.  From what Joe is saying, it sounds like Exchange is a huge AD bloat monster.

Not that it's a problem for many environments, just the larger ones.

I'd be interested to hear about that environment that Joe was talking about where a DIT went from 900MB to > 6GB (and was that defragged?).  I mean... holding > 5x the native infromation of AD in *just* the Exchange extensions?  Wow... I'd swear if someone wouldn't send me "naughty boy" messages.

On 8/1/06, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote:

Not disagreeing with you Matt – we're all just in a guess mode without RM providing more information. I love those posts to lists where the original poster never get's back the questions being posted to his questions…

 

Anyways – I just made the point that his DIT size is not small for a company not running Exchange. The number of users given was just an example – more likely 100k vs. 5k users…  And naturally most "corporate" environments then have a similar amount of computer accounts and a strongly varying number of groups (totally depends on group model being used). And even if his AD already included Exchange we couldn't easily tell how large his environment is, simply because there are so many dependencies. That's why I gave those numbers using assumptions – certainly nothing to take as a fixed value.

 

Heck, we don't even know his DC version (Win2003 single instance storage of ACE has a huge impact on DIT size) or if he has disabled Distributed Link Tracking (DLT), which adds a ton of garbage to every DC. Provided you have sufficient file servers in your AD and are happily moving data around between the servers (or between volumes), DLT alone can eat up many hundred meg of your AD DIT.  Did he defrag or not?  Etc.

 

 

/Guido

 

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, August 01, 2006 10:46 PM

To: ActiveDir@mail.activedir.org

Subject: Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

 

I'm not sure what else he's running on his DC.  He might be running complex intrusion detection software, DNS, WINS, etc....

I have to assume that he's got 4GB worth of RAM and plenty of 'crap' (ok, maybe not crap, but you know what I'm saying) running on the DC that I'm sure plenty of us would love to see running on a different box.

The "1.25GB" comment wasn't regarding any limitations to 32-bit Windows.  It was more involving "I seriously doubt that your DIT is going to double in size unless you're populating as few as possible fields and have like 3 groups per user" than anything.

You made a comment about him having a large environment with 100k+ users to have a 650MB DIT and I just kinda went "Huh?" because we're running a 3+GB DIT with just over half that number.  Every environment is completely different and there are a lot of different things that impact the DIT outside of user count.  Groups, GPOs, OUs, computer objects etc.... user count might be a reasonable guage, but I don't think that ~6k DIT per user object is a reasonable assumption unless it's a newer environment with a nice spanking new RBS model.

On 8/1/06, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote:

Richard doesn't seem to be too keen on giving us further details – too bad.

 

But not sure why you – Matt - are talking about "breaking 1.25 GB" with respects to the 32-bit capabilities. By default 32-bit Win2003 DCs can cache a DIT up to approx. 1.5GB, which grows to 2.6-2.7GB using the /3GB switch (provided sufficient physical memory). 

 

But irrespective of these limitations, I'd argue you should move to Win2003 64bit DC anyways if you can. For example if you are doing a hardware refresh at the same time. It is cheaper (meaning you can support more memory for less licensing costs) and it will give you much more room to grow for the future. 64bit drivers for x64 server hardware are no longer an issue and even other important add-ons and management tools such as AV and Backup etc. are catching up quickly. So try not to use the 32bit WinOS versions for AD DCs, even if they still handle the load today – you'll do yourself a favor by moving to 64bit DCs as soon as you can. Time to learn all those little quirks and challenges around handling this OS. This way you'll be best prepared for when you really need to use 64bit Windows for other applications.

 

/Guido

 

 

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, August 01, 2006 12:02 AM

To: ActiveDir@mail.activedir.org

Subject: Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

 

I guess the gist of what everyone is saying can be summed up with the following:

What does the current environment look like?
How extensive is your Exchange deployment going to be?

Without some of that information, it's only going to be a vague guess that anyone can give.  I seriously doubt you need to worry about breaking 1.25 GB, which is still well within the capability of a 32-bit server to handle.

On 7/29/06, joe < [EMAIL PROTECTED]> wrote:

To further add to this, it depends considerably on how populated you want your GAL to be. Some people just let the mandatory Exchange attributes get populated, others want the GAL to be the one stop shop for info on employees so everything goes into the GAL which means everything goes into AD.

 

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm  

 

 

 

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Friday, July 28, 2006 4:41 AM

To: ActiveDir@mail.activedir.org

Subject: RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

Assuming this is after defrag, 650MB without Exchange is quite a large AD – guess you'd be close to 100k users in your forest, if you've used the "standard" attributes of the objects in AD (and haven't added stuff like thumbnail pictures to your users…).

 

After adding the Exchange schema mods, the DIT shouldn't grow substantially, since AD doesn't use any space for unused attributes – and the Exchange attributes for your object won't be filled magically, until you mail-enable them. But once they are filled, it will impact your AD (e.g. E2k3 adds 130 attributes to the Public Information property set used by user class objects)

 

It is very tough to make a guess at the actual size you'd have with a fully deployed Exchange, but if you do mail-enable the majority of your users (i.e. give them Exchange mailboxes) and add DLs etc. and assuming my guess with 100k users is in the right ballpark your AD DIT would easily grow to 3-5 GB.

 

/Guido

 

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of RM
Sent: Thursday, July 27, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

 

NTDS.DIT is currently 650megs.  Once Exchange has been fully deployed, any guesses as to how much larger it will become?  Just looking for a ballpark figure...

thx,

RM