
Active Directory Optimization

Stefan Mortensen edited this page Nov 7, 2013 · 1 revision

Production experience has shown that most storage appliances and Linux LDAP clients that authenticate against Active Directory need a few more attribute indexes than the default schema provides before AD LDAP performance is acceptable. They search on the POSIX and group-membership attributes listed below, and without an index every such search is a full scan of the directory.

Step 1: Register the Active Directory Schema snap-in on the domain controller that holds the schema master role (it is not registered by default; the schema can only be changed on the schema master, and you must be a member of Schema Admins): http://technet.microsoft.com/en-us/library/cc755885(v=ws.10).aspx

Step 2: Start mmc, select "Add snap-in", select the "Active Directory Schema snap-in"

Step 3: For each of the following attributes, which are not indexed by default: uidNumber, gecos, memberUid, uniqueMember

do the following:

  Step 3.1: Select "Attributes" and find the attribute in question
  Step 3.2: Right-click it and select "Properties"
  Step 3.3: Tick "Index this attribute" and press OK

The checkbox sets bit 1 (value 0x1) of the attribute's searchFlags in the schema. The change replicates to every domain controller in the forest, and each DC builds the new index in the background; no restart is needed.
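The same check and change can be scripted. The following is an added example (not part of the original wiki page or of any product it describes) that reads searchFlags for the four attributes above directly from the schema partition on the schema master, reports which ones lack the index bit, and sets it when run with -Apply. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account running it is a member of Schema Admins; the parameter names and the -Apply switch are this example's own.

```powershell
# Added example: verify and optionally set the "Index this attribute" flag on the
# attributes the page lists. Writes go to the schema master, as every schema
# change must. Without -Apply the script only reports.
param(
    [string[]]$Attributes = @('uidNumber', 'gecos', 'memberUid', 'uniqueMember'),
    [switch]$Apply
)
Import-Module ActiveDirectory

# searchFlags bit 0x1 (fATTINDEX) is the "Index this attribute" checkbox in the
# Active Directory Schema snap-in.
$fATTINDEX = 0x1

$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

foreach ($name in $Attributes) {
    # Attributes are attributeSchema objects in the schema NC, found by lDAPDisplayName.
    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
        -Properties searchFlags

    if (-not $attr) {
        Write-Warning "$name is not present in the schema; check the forest schema version"
        continue
    }

    $flags = [int]$attr.searchFlags
    if ($flags -band $fATTINDEX) {
        Write-Host ("{0,-14} already indexed (searchFlags={1})" -f $name, $flags)
        continue
    }

    # Preserve any other bits (ANR, tuple index, confidential, ...) and add the index bit.
    $newFlags = $flags -bor $fATTINDEX
    if ($Apply) {
        Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
            -Replace @{ searchFlags = $newFlags }
        Write-Host ("{0,-14} indexed: searchFlags {1} -> {2}" -f $name, $flags, $newFlags)
    } else {
        Write-Host ("{0,-14} NOT indexed (searchFlags={1}); run with -Apply to set it" -f $name, $flags)
    }
}
```

Run it once without -Apply to see the current state, then with -Apply. Because searchFlags is a bit field, the script ORs the index bit in rather than overwriting the value, so an attribute that is already marked for ANR or as confidential keeps those settings.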

Sometimes a new type of storage system produces slightly different LDAP searches, and some other attribute has to be indexed. The process for determining which one is described below.

The symptom is that the lsass.exe process on one or more of the domain controllers shows high CPU usage in pre-production testing or in production. If so, the workflow for checking whether indexes are missing is described in http://support.microsoft.com/kb/2550044, and the summary is:

To run the Active Directory Data Collector follow these steps:

  1. Open Server Manager on a full installation of Windows Server 2008 or later, or go to Start > Run, type Perfmon.msc and press Enter.
  2. Expand Diagnostics > Reliability and Performance > Data Collector Sets > System.
  3. Right-click "Active Directory Diagnostics" and click "Start" in the menu which appears.
  4. The default setting gathers data for 300 seconds (5 minutes), after which it takes an additional period to compile the report. The time needed to compile the report is proportional to how much data was gathered during the period.
  5. Once the report has compiled, look under Diagnostics > Reliability and Performance > Reports > System > Active Directory Diagnostics to view the report or reports which have been completed.

Run the collector on the domain controller that shows the high lsass.exe CPU, while the load is present; a report taken from an idle DC will not show the expensive searches.
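The same collector set can be started without the GUI, which is convenient when it has to be run on several domain controllers. The following is an added example (not from the original page or from KB 2550044) that drives the built-in "Active Directory Diagnostics" set through the Performance Logs and Alerts (PLA) COM interface that Perfmon itself uses, waits until collection and report compilation have finished, and prints the output folder. It assumes it is run locally, as an administrator, on the domain controller under investigation; the set name "System\Active Directory Diagnostics" corresponds to the Data Collector Sets > System folder in the steps above.

```powershell
# Added example: start the built-in Active Directory Diagnostics data collector set
# from PowerShell, wait for it to finish, and report where the output landed.
$setName = 'System\Active Directory Diagnostics'

$dcs = New-Object -ComObject Pla.DataCollectorSet
# Query(name, server): $null means the local machine.
$dcs.Query($setName, $null)

Write-Host ("Collecting for {0} seconds, then compiling the report ..." -f $dcs.Duration)
# Start($false): return immediately; we poll the status below instead of blocking.
$dcs.Start($false)

# DataCollectorSetStatus: 0 = stopped, 1 = running, 2 = compiling, 3 = pending
do {
    Start-Sleep -Seconds 10
    $dcs.Query($setName, $null)          # re-read the live status from the PLA service
    Write-Host ("  status {0}" -f $dcs.Status)
} while ($dcs.Status -ne 0)

# The compiled report (report.html) is written into this folder; it is the same
# report that Perfmon shows under Reports > System > Active Directory Diagnostics.
Write-Host ("Report written under: {0}" -f $dcs.LatestOutputLocation)
```

Collecting for the default 300 seconds on a busy DC adds some load of its own, so run it during a representative but not critical period, and give the compilation phase time to finish before opening the report.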

Once one of these reports has completed and been opened, the following steps summarize how to most easily read it:

  1. Select "Active Directory"
  2. Select "LDAP" and verify that it consumes a large portion of the CPU for some kind of query, commonly "LDAP request status = 0 (success)"
  3. Select "Search" and sort on response time
  4. The "Visited" column shows how many objects had to be examined to evaluate the search
  5. If that number is unrealistically high, like several thousand objects for a search that returns a handful, and the type of query is common, then an index is missing. Check which attributes appear in the search filter and add the index as described above.
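The "visited" count the report shows per search type is also available per individual search from the Directory Service event log, which makes it easy to rank filters by how many objects they scan. The following is an added example (not part of the original page) that reads event 1644 on the local domain controller, extracts the filter and the visited and returned counts, and lists the filters with the most visited objects. Event 1644 is only written when the NTDS diagnostic category "15 Field Engineering" is set to 5 and a search exceeds the "Expensive Search Results Threshold" or "Inefficient Search Results Threshold" values under the NTDS Parameters key; the -EnableLogging switch configures that. The message labels "Filter:", "Visited entries:" and "Returned entries:" that the regular expressions look for are assumed from the event text on Windows Server 2008 R2 and later; the switch and parameter names are this example's own.

```powershell
# Added example: rank LDAP search filters by objects visited, from Directory
# Service event 1644. Run as an administrator on the DC showing high lsass CPU.
param(
    [switch]$EnableLogging,   # configure 1644 logging instead of reading it
    [int]$Top = 15
)
$diag  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$param = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

if ($EnableLogging) {
    # Level 5 of "15 Field Engineering" is noisy; set it back to 0 when done.
    Set-ItemProperty -Path $diag  -Name '15 Field Engineering' -Value 5 -Type DWord
    # Log searches that visit more than 1000 objects, or more than 100 objects
    # per object returned (the defaults, 10000 and 1000, are too coarse here).
    Set-ItemProperty -Path $param -Name 'Expensive Search Results Threshold'   -Value 1000 -Type DWord
    Set-ItemProperty -Path $param -Name 'Inefficient Search Results Threshold' -Value 100  -Type DWord
    Write-Host 'Field Engineering logging enabled; let the load run, then re-run without -EnableLogging.'
    return
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644 } `
    -ErrorAction SilentlyContinue

# Pull filter, visited and returned out of each event's message text. $Matches is
# overwritten by every successful -match, so each value is copied out immediately.
$rows = foreach ($e in $events) {
    $m = $e.Message
    if ($m -notmatch 'Filter:\s*(.+?)\r?\n')      { continue }
    $filter = $Matches[1].Trim()
    if ($m -notmatch 'Visited entries:\s*(\d+)')  { continue }
    $visited = [int]$Matches[1]
    if ($m -notmatch 'Returned entries:\s*(\d+)') { continue }
    $returned = [int]$Matches[1]
    [pscustomobject]@{ Filter = $filter; Visited = $visited; Returned = $returned }
}

if (-not $rows) {
    Write-Warning 'No 1644 events found; enable logging with -EnableLogging and wait for load.'
    return
}

# Same filter text, repeated many times and visiting far more objects than it
# returns, is the signature of a missing index on an attribute in that filter.
$rows | Group-Object Filter | ForEach-Object {
    [pscustomobject]@{
        Count    = $_.Count
        Visited  = ($_.Group | Measure-Object Visited  -Sum).Sum
        Returned = ($_.Group | Measure-Object Returned -Sum).Sum
        Filter   = $_.Name
    }
} | Sort-Object Visited -Descending | Select-Object -First $Top | Format-Table -AutoSize -Wrap
```

Read the output the same way as the report: a filter such as (uidNumber=1001) that appears hundreds of times and visits thousands of objects to return one is a search on an unindexed attribute. Index that attribute with the schema snap-in as described above, then confirm that the same filter drops out of the list once the index has been built on the DC.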
