Active Directory Data Storage |
There are no practical limits to the number of objects stored in Active Directory. The Active Directory database has been tested for up to 40 million objects. Performance tests show logon performance for a single LDAP client to be the same with 10,000 objects, 100,000 objects, and 1 million objects — that is, the directory service does not slow measurably when the size of the database increases.
Note
In a mixed-mode environment in which backup domain controllers are running Windows NT 4.0, the recommended limit for the number of security principal objects per domain is 40,000 (the sum of users, groups, and computers). This limit is based on the Windows NT 4.0 SAM database storage capacity. (For more information about SAM database capacity, see "Determining Domain Migration Strategies" in the Microsoft Windows 2000 Server Resource Kit Deployment Planning Guide.)
Each object in the directory is represented as one record, or row, in the database, and each attribute is represented as one column in the row. The only exceptions are certain attributes whose values are stored separately as links. The limit for record size in the database is 800 non-linked values across all attributes. Attributes that represent links do not count in this value. (For more information about linked attributes, see "Linked Attributes" later in this chapter.) The size of objects is not a problem if you use the recommended guidelines described in "Data Characteristics" earlier in this chapter.
Note
To enhance performance on domain controllers, install the Windows 2000 operating system on one drive, the Active Directory database file (Ntds.dit) on a second drive, and the log files on a third drive. (For more information about disk management, see "Data Storage and Management" in the Microsoft Windows 2000 Server Resource Kit Server Operations Guide. For more information about database page sizes, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.)
Instead of deleting objects physically from the database, the directory service removes most of the attributes and then tags the object as being in the tombstone state, which means it has been logically deleted from the directory but has not yet been completely removed. The tombstone tag alerts replication partners that the object was deleted. Objects that are tagged as tombstones are moved to the Deleted Objects container, where they remain until garbage collection removes them. Thus, tombstones are used to replicate object deletions.
Garbage collection is a housekeeping process that runs on every domain controller. At regular intervals (by default, 12 hours), garbage collection deletes objects that are no longer needed by the directory service.
Garbage collection performs the following tasks:
There are two values that control how garbage collection runs and what it removes. These values are attributes of the cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=ForestRootDomain object:
Note
The default value for these two attributes applies if the attribute is not set (the initial state of the system). The minimum value applies if the attribute is set to a value below the minimum (that is, the minimum is not declared in the schema).
It is important that the tombstone lifetime be substantially longer than the expected replication latency. The interval between cycles of deleting tombstones must be at least as long as the maximum replication propagation delay across the forest. Because the expiration of a tombstone lifetime is based on the time when an object was deleted logically — rather than on the time when a particular server received that tombstone through replication — an object's tombstone is collected as garbage on all servers at approximately the same time. If the tombstone has not yet replicated to a particular server, that server never records the deletion. Likewise, if you restore a domain controller from a backup that is older than the tombstone lifetime, the domain controller does not have a record of some deletions, which leads to inconsistencies between domain controllers.
The maximum garbage collection interval is one-third of the tombstone lifetime (in hours). So if you set tombstoneLifetime to 30 days and garbageCollPeriod to 300 hours, your actual garbage collection period is only 10 days, or 240 hours.
You can use ADSI Edit to view or change the default settings for these attributes. To change the values, use the procedure that follows.
Note
To use ADSI Edit, install the Support Tools that are located in the Support\Tools folder on the Windows 2000 Server operating system CD. To install the tools, double-click the Setup icon in that folder. For more information about using ADSI Edit, see Microsoft Windows 2000 Support Tools Help. For information about installing and using the Windows 2000 Support Tools and Support Tools Help, see the file Sreadme.doc in the Support\Tools folder of the Windows 2000 operating system CD.
To view or change attribute values by using ADSI Edit
Note
In the Name box, the name of the directory partition that you selected is displayed. You can replace this name with a name that better identifies the specific connection.
When you view properties on cn=Directory Service,cn=Windows NT, cn=Services,cn=Configuration,dc=forestRootDomain, if no value is set (which means that the default is in effect), the value that you type in the Edit Attribute box replaces the default value when you click Set.
For more information about backing up and restoring Active Directory, see "Active Directory Backup and Restore" in this book. For more information about replication, see "Active Directory Replication" in this book.
To update the directory database file, the database system uses the quickest way to fill database pages. Although this system is efficient in updating the database quickly, it does not make the most efficient use of space in the database. Defragmentation rearranges how the data is written in the database in order to compress the data. You can defragment the database file online or offline by using the Ntdsutil command-line tool. Defragmentation can take place online (while the computer is running as a domain controller) or offline (while the computer is running as a stand-alone server).
ESE supports online defragmentation, which effectively rearranges pages within the data file but does not release space back to the file system. ESE invokes online defragmentation automatically at regular intervals after garbage collection. Online defragmentation makes space available, but it does not reduce the size of the database file. Only offline defragmentation provides you with a clear picture of the amount of space consumed by the database file.
To release space back to the file system, you can perform offline defragmentation. Offline defragmentation must be performed in Directory Services Restore Mode, which restarts the computer as a stand-alone server — that is, the computer runs offline and is not acting as a domain controller. In Directory Services Restore Mode, you can use the Ntdsutil command-line tool to defragment the Ntds.dit file. Offline defragmentation produces the defragmented version of the database file in a separate directory. You can archive the original Ntds.dit file and move the defragmented file into the current directory. (For more information about using Ntdsutil to perform offline defragmentation, see "Active Directory Diagnostics, Troubleshooting, and Recovery" and "Active Directory Diagnostic Utility (Ntdsutil.exe)" in this book, and see Microsoft Windows 2000 Support Tools Help.)
You can use offline defragmentation to test database growth by comparing the defragmented version of the file with the fragmented version. For example, on a newly installed domain controller, if you perform a bulk load of objects and then defragment the database file offline, the difference between the two files is the space occupied by the new objects.
You can set the DSA to log, during garbage collection, a message in the Directory Service event log that states how much disk space might be freed up by offline defragmentation. To activate logging of this message in the Directory Service event log, edit the value of the Garbage Collection registry entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
To activate logging of disk space that is freed by defragmentation
regedt32.exe
– Or –
regedit.exe
1
–Or–
In Regedit.exe, type 1 in the Data value box, type:
1
Caution
Editing the registry directly can have serious, unexpected consequences that can prevent the system from starting and require that you reinstall Windows 2000. There are programs available in Control Panel or Microsoft Management Console (MMC) for performing most administrative tasks. These programs provide safeguards that prevent you from entering conflicting settings or settings that are likely to degrade performance or damage your system. Registry editors bypass the standard safeguards that are provided by these administrative tools. Modifying the registry is recommended only when no administrative tool is available. Before you make changes to the registry, it is recommended that you back up any valuable data on the computer. For instructions about how to edit registry entries, see Help for the registry editor that you are using. For more information about the registry, see the Microsoft Windows 2000 Resource Kit Technical Reference to the Windows 2000 Registry (Regentry.chm).
To defragment the database file offline, start the domain controller in Directory Services Restore Mode.
To start a domain controller in Directory Services Restore Mode
Follow these recommended defragmentation procedures:
For more information about performing offline defragmentation, see "Active Directory Diagnostics, Troubleshooting, and Recovery" in this book.
When you test the effects of loading a specific set of objects on database growth, keep the following in mind: