Inactive users have performance overhead on AD?


  • Inactive users have performance overhead on AD?

    Hi All,

    I am in the process of writing up a report for my company on the expected AD growth over the next 3 - 5 yrs.

    I work for a university, so the demands on our AD are somewhat different to other places, in that we have a lot of accounts, but not a lot of them get actually used!

    We have 20000 users in our AD, but only about 7500 of those are "Active" students and we only have 2000 physical desktop machines connected to the same AD. The AD currently supports Exchange 2003 for about 10000 mailboxes, but this is set to get smaller as we move more and more students over to an externally hosted solution.

    The AD is expected to grow by about 3000 users each year for the next 5 yrs.

    My question is, what, if any, impact does storing inactive users have on the performance of the Domain Controllers and the AD as a whole? Currently, we have 3 DCs which cope happily with everything that we sling at them.

    It has been suggested that a resource domain would be a good solution to the growing number of "Alumni" accounts that no longer need direct domain access, but my opinion is that this is just adding unnecessary complexity to the system, especially considering it will only be about 15000 accounts in that domain. Also, there are no specific security or admin requirements for these accounts.

    My preferred method is to simply use an "Alumni" OU and place all students into that OU once they have left. Nice and simple.

    Any thoughts on this would be much appreciated. The response on this forum is excellent, and opinions, links etc. that I could use as evidence in my report would really help me out!

    Many thanks

    Jonathan
    MCSA/MCSE 2000
    MCSA/MCSE 2003
    CCNA

    I love pies.

  • #2
    Re: Inactive users have performance overhead on AD?

    I would absolutely not worry about this. It will make the database a bit bigger.. when promoting a new DC from scratch it'll take longer, which can be a concern if you're promoting a lot of DCs on a 56k line, but other than that, the impact is very minimal IMO.

    I've seen many companies with 40k users get up to 100, 120k users in AD (No account deletion policy), and the impact we encountered was:

    Slower DCPromo (was a problem in our case, old domain which we couldn't dcpromo from existing files with Windows 2000)
    Slowed down MIIS quite a bit.
    Made the database bigger (who cares).


    Edit: also if you have software with very strict licensing it can be an issue. Some software that's sold per-AD account allows you to exclude an OU if the users won't be active on the domain, but some don't, so that's an important non-technical consideration.
    Last edited by gepeto; 1st October 2009, 17:14.
    VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah



    • #3
      Re: Inactive users have performance overhead on AD?

      One variable component that will increase with more inactive users is the database buffer cache. The database engine will try to cache as much of the DIT into memory as possible, so as the DIT grows, so will lsass memory consumption.

      Having said that, at our company we have application directories with over a million objects, most of them application accounts. The dit file is almost 10GB and we haven't hit any roadblocks yet; but they are beefy machines.



      • #4
        Re: Inactive users have performance overhead on AD?

        This is true: at some point you can hit the limit of lsass on 32-bit machines. I doubt this will be your case with a relatively small amount of users though!!
        VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah



        • #5
          Re: Inactive users have performance overhead on AD?

          Thanks for the advice guys, it's perfect.

          I am not worried in the slightest about this, we have good spec DCs and a relatively small amount of objects in the AD, so keep 'em coming as far as I am concerned!

          Many thanks

          Jonathan
          MCSA/MCSE 2000
          MCSA/MCSE 2003
          CCNA

          I love pies.
