Discussion:
How many DC's for 15,000 users ? Where is the documentation ?
Marlon Brown
2006-08-28 14:50:09 UTC
We are consolidating our network infrastructure, eliminating branch office
devices and slow links.

If I bring all DC's to my data center and let a total of 6,000 machines, 2,000
staff members and 15,000 students logon to DC's on the central site, do you
think I would need more than 5 domain controllers (robust Dual proc
machines) to handle this ?

Currently I have (2) DNS-DC-ADI servers, (3) DCs/GC's. Please point me again
to that documentation in AD so that I can double check how many DC's I should
get to serve that number of users.
Jorge Silva
2006-08-28 15:43:21 UTC
Hi
ad sizer tool
http://www.petri.co.il/active_directory_sizer_tool.htm
--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
Paul Bergson
2006-08-28 15:54:35 UTC
Jorge is right but I would download the tool from Microsoft. Petri has a
great site but not sure if there are changes etc... Microsoft would be your
best bet for most current.

http://support.microsoft.com/kb/q274305/
--
Paul Bergson
MCT, MCSE, MCSA, Security+, BS CSi
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
Tomasz Onyszko
2006-08-28 15:49:08 UTC
Post by Marlon Brown
We are consolidating our network infrastructure, eliminating branch offices
devices and slow links.
If I bring all DC's to my data center and let total of 6,000 machines, 2,000
staff members and 15,000 students logon to DC's on the central site, do you
think I would need more than 5 domain controllers (robust Dual proc
machines) to handle this ?
It depends on many things - how many logons, how many password changes etc.

Processor speed may not be a crucial resource here, as memory can be.
But with such a number of objects your DIT size shouldn't be one of those
BIG DITs. You should take care about available memory in your machines,
and if it is possible use 64-bit machines and OS. It should pay off in
the future if your needs grow.


There is AD Sizer Tool available on MS Download (URL below) which lets
You estimate Your needs for hardware:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=77C0A895-3DFC-469F-BE40-6A0EE594821C
Post by Marlon Brown
Currently I have (2) DNS-DC-ADI servers, (3) DCs/GC's. Please point me again
to that documentation in AD so that I can double check how many DC's I should
get to serve that number of users.
Brian Puhl's post about DC placement at MS may be good reading for you:
http://blogs.technet.com/bpuhl/archive/2005/11/01/413489.aspx
--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
Marlon Brown
2006-08-28 18:06:42 UTC
Thanks. Yes, all my DC's currently have 2GB+ RAM memory. Interesting, I
input all data onto the AD Sizer tool, including the Exchange data
requirements, and it returned only 2 DC's. Therefore I am OK now since I've
got 4 currently running.

Namespace Objects: 22000
Users: 15000
Computers: 6000
Other Objects: 1000

Servers: 2

Domain Database Size: 684 Mbytes per DC
Global Catalog Size: 684 Mbytes per GC



Default-First-Site

Users: 15000

------------------------------------------------------------------------

Domain Controllers: 0
Bridge Heads (Bridge Head servers are Global Catalogs): 1
Global Catalogs (Excluding Bridge Head servers): 1
Joe Richards [MVP]
2006-08-29 02:05:22 UTC
Off the top of my head without any knowledge of your environment, with a
decent machine you could probably handle this with a single DC, if the
DIT is >2GB then make it an x64 DC with decent RAM. I have seen a single
DC handle Exchange load for 20k users which is some of the heaviest
traffic a DC can see. However I would never recommend a domain with a
single DC, you would want at a minimum 2. Now questions such as how much
you are using GPOs and logon scripts can have tremendous impact on a DC
due to how hard the file system is being hit and network throughput.

Generically spec'ing DCs is a tough thing to do. Microsoft put out the
adsizer tool and then killed it. It is still available but it is 2K
specific and has older hardware listed but will not be updated because
of the false expectations. Some folks have been screwed by it saying
something too small and others over bought hardware and got mad when
they saw DCs that were mostly idle.

Probably the "best" spec guidance I have seen has been for Exchange's
needs and even that is simply darts thrown against wall. The specified
ratios work for environments and are horribly wrong (both ways) for others.

joe


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
Herb Martin
2006-08-29 17:12:50 UTC
Post by Joe Richards [MVP]
Off the top of my head without any knowledge of your environment, with a
decent machine you could probably handle this with a single DC, if the DIT
is >2GB then make it an x64 DC with decent RAM. I have seen a single DC
handle Exchange load for 20k users which is some of the heaviest traffic a
DC can see. However I would never recommend a domain with a single DC, you
would want at a minimum 2. Now questions such as how much you are using
GPOs and logon scripts can have tremendous impact on a DC due to how hard
the file system is being hit and network throughput.
Generically spec'ing DCs is a tough thing to do. Microsoft put out the
Joe is right and he has LOTS of experience at such things.

Millions of users have been handled (effectively) with only 2-3 DCs -- if
the horsepower was right -- and most people OVERSIZE their DCs anyway.

15,000 users for a PURE DC (only DNS and perhaps WINS as add-ons)
isn't even going to cause MOST machines to break a sweat these days
but NO ONE can tell you for sure until they know what you will run
on that machine AND the pattern of access etc. (Even then testing it
is the only certain way.)

Chances are you don't have one location (how many companies have
15,000 users in one place) so most likely you will end up with a DC
in each "Site" and then have to add extras for fault tolerance.

By the time you finish doing that with 5 sites you could easily end up
with 10 DCs.

Nice thing about Win2000+ DCs you can always add another or
remove one that is unnecessary. (DCPromo is your friend.)
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Paul Williams [MVP]
2006-08-29 21:03:46 UTC
In addition to the excellent advice here, the best thing you can do is
baseline the performance and then continue to sample the performance of the
DCs. You can then get a better understanding of your needs and ascertain
whether you need more DCs, or whether you can actually remove one.

Another thing to consider is even if you can adequately cope with the load
with 4 dual-core, dual proc boxes in the data centre (easily unless you have
hidden hogs that you've not mentioned) can the WAN cope with it? It's not
just authentication traffic or logon traffic remember. You've got GPO,
going in the background every two hours (90 + 30 skew) as well as GAL
lookups all the time. Also, any network resource will require a Kerberos
ticket, and those get renewed every ten hours. Systems management tools
like SMS or Radia also utilise the AD (from both client and server).

Ideally, you will test in an accurate pre-production environment. If you
don't have one, at least get as many resources as you can into a test
environment and try to simulate this. There's a tool called (I think)
ADSTRESS (which is horrible but will help).

Also, ensure that you spec for at least N + 1 where N is the minimum number
of machines to cope with the load. If the data centre is split across two
or more physical sites, you might choose to do N + 1 in each, or (N / 2) + 1
per site.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
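
The baseline-then-N+1 check described in the post above, as an added example that is not part of the thread or any poster's code. The sample CPU values, the 70% ceiling and the assumption that load spreads evenly across identical DCs are all constructed for illustration.

```python
import math

# Constructed sample data, not real measurements: peak-hour
# "% Processor Time" samples per DC, e.g. exported from a perfmon log.
BASELINE = {
    "DC1": [18, 25, 41, 62, 58, 33, 27, 21],
    "DC2": [15, 22, 38, 55, 51, 30, 24, 19],
    "DC3": [9, 12, 20, 28, 26, 15, 11, 10],
    "DC4": [8, 11, 17, 25, 22, 14, 10, 9],
}

CEILING = 70.0  # assumed per-DC CPU ceiling at peak; tune to your baseline


def p95(samples):
    """Nearest-rank 95th percentile (integer math avoids float rounding)."""
    ordered = sorted(samples)
    rank = -(-95 * len(ordered) // 100)  # ceil(0.95 * n)
    return ordered[rank - 1]


def size_fleet(baseline, ceiling=CEILING):
    """Derive N from the baseline, then apply the N + 1 rules from the post."""
    # Summing per-DC peaks is pessimistic (peaks rarely coincide), which is
    # the safe direction for capacity planning.
    total = sum(p95(s) for s in baseline.values())
    n = max(1, math.ceil(total / ceiling))  # N: minimum DCs for the load
    current = len(baseline)
    return {
        "total_peak": total,
        "N": n,
        "one_site": n + 1,                        # N + 1
        "two_sites_full": n + 1,                  # N + 1 in each site
        "two_sites_split": math.ceil(n / 2) + 1,  # (N / 2) + 1 per site
        # Can the remaining DCs absorb the load if any one DC fails?
        "survives_one_loss": current > 1
        and total / (current - 1) <= ceiling,
        # DCs that could be retired while still keeping N + 1.
        "removable": max(0, current - (n + 1)),
    }


if __name__ == "__main__":
    for key, value in size_fleet(BASELINE).items():
        print(f"{key}: {value}")
```

Re-run it on fresh samples after each consolidation step; CPU is only one dimension, so repeat with memory and NTDS counters before acting on the result.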