mezen
asked on
Number of AD Users increases - what are the concerns?
Currently I have HUB and DR Data centers having writable copies of AD and about 20 remote sites served by RODCs (Read-Only Domain Controllers).
The size of the forest I'm supporting is about to double, as my enterprise will acquire additional remote sites. Obviously new remote sites will get new RODCs installed. What are the other recommendations?
The size of the forest I'm supporting is about to double, as my enterprise will acquire additional remote sites. Obviously new remote sites will get new RODCs installed. What are the other recommendations?
Joseph Moody
Ensure that you have your sites configured correctly in AD and that your subnets are assigned.
ASKER
Josheph Moody, that goes without saying. Is there a way to size the number of Writable DCs in the HUB?
You need to do DC planning. Read this KB
http://social.technet.microsoft.com/wiki/contents/articles/14355.capacity-planning-for-active-directory-domain-services.aspx
http://social.technet.microsoft.com/wiki/contents/articles/14355.capacity-planning-for-active-directory-domain-services.aspx
From personal experience using RODC's are just another server to manage. Unless you are caching your passwords for all users at that site the RODC still needs to query a read/write DC in the same site or another remote site for authentication.
If your remote sites are configured the following configuration then they should not require a DC at that location....
- less than 50 users
- applications that do not require a local DC for faster authentication
- MPLS/DSL line that is 5mbps or greater
So based on the above you could really simplify your network desigen and possibly get rid of your RODC. At that point you would simply associate the Remote Site Subnet with the Active Directory Site you want to authenticate with.
DC's, if properly speced can host thousands of requests. This would include moderate resources.
I never add DC's if they are not required and i think things through before simply added more network devices to my network that may not be needed.
Will.
If your remote sites are configured the following configuration then they should not require a DC at that location....
- less than 50 users
- applications that do not require a local DC for faster authentication
- MPLS/DSL line that is 5mbps or greater
So based on the above you could really simplify your network desigen and possibly get rid of your RODC. At that point you would simply associate the Remote Site Subnet with the Active Directory Site you want to authenticate with.
DC's, if properly speced can host thousands of requests. This would include moderate resources.
I never add DC's if they are not required and i think things through before simply added more network devices to my network that may not be needed.
Will.
I agree to Will above. It depends on user and application requirement. Like for Exchange, I prefer to create separate site and separate DC's. So, Exchange won't overload DC's used by users.
LSASS.exe support 50K handles. If it is going above that count then you might need to find out which app or process is using it.
LSASS.exe support 50K handles. If it is going above that count then you might need to find out which app or process is using it.
What size growth are we talking about? How many AD objects/users do you have now
ASKER
Bryant Schaper,
We are 4000 + Users now and about to double that number.
We are 4000 + Users now and about to double that number.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.