Optimize IAS Deployment in Large Organizations

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can optimize IAS performance in large organizations by doing the following:

  • If you are using remote access policies to restrict access for all but certain groups, create a universal group for all of the users to whom you want to allow access, and create a remote access policy that grants access for that universal group. If you have a large number of users on your network, create global groups within the universal group, and add the users to the global groups.

  • Use IAS as a proxy server and configure connection request policies to distribute authentication requests to remote RADIUS server groups based on the realm name portion of the user name. In this manner you can load balance traffic based on domain membership, and authentication requests are sent to a remote RADIUS server group that resides in the same domain where the user account is located.

  • Install IAS as a dedicated RADIUS server. If you choose not to run the IAS server on a domain controller with a global catalog, you can run it on a computer that has other services running on it, as long as the services are not resource-intensive.

In very large environments (such as an ISP with millions of remote access users and extremely heavy load conditions) that must process a large number of both authentication requests and accounting packets per second, you can optimize IAS performance by doing the following:

  • Using a faster domain controller to yield better throughput. The number of authentications per second depends on the hardware used for the domain controller.

  • Using separate IAS servers for authentication and accounting. IAS proxy servers can send all accounting requests to a specific remote RADIUS server group, while sending authentication requests to other groups. For more information, see "Configure accounting" in Help and Support Center for Windows Server 2003.

  • Running the IAS server on a domain controller with a global catalog. Choose this option if you have a high-latency connection between your IAS server and your domain controller, or between your IAS server and your global catalog, but you do not have problems with your IAS performance.

  • Increasing the number of concurrent authentication calls in progress at one time by using the MaxConcurrentApi registry entry. Keep in mind that if you assign too high a value to this registry entry, your IAS server can place an excessive load on your domain controller. Values from 2 to 5 provide the best performance.

    For more information about the MaxConcurrentApi registry entry, see the Windows Server 2003 Resource Kit Registry Reference on the Windows Server 2003 Deployment Kit companion CD or at https://www.microsoft.com/reskit.
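The realm-based proxy routing and the separate accounting group described in the lists above can be modeled as an ordered policy list in which the first match wins. This is an added illustration, not Microsoft code and not IAS configuration syntax; the realm names, server group names, the LOCAL marker and the rule that the whole user name must match are assumptions of the example.

```python
import re
from typing import NamedTuple, Optional

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4   # RADIUS codes (RFC 2865, RFC 2866)
LOCAL = "LOCAL"                             # model's marker: handle on this server

class Policy(NamedTuple):
    name: str
    packet_type: int
    pattern: str        # Python regex; the whole User-Name must match
    target: str         # hypothetical remote RADIUS server group name

def realm_policies(dns_realm: str, netbios: str, group: str) -> list:
    """Two policies per domain: the user@realm and REALM\\user name forms."""
    user = r"[^@\\]+"   # the user part may not contain a second @ or a backslash
    return [
        Policy(f"{group} (UPN)", ACCESS_REQUEST,
               user + "@" + re.escape(dns_realm), group),
        Policy(f"{group} (down-level)", ACCESS_REQUEST,
               re.escape(netbios) + r"\\" + user, group),
    ]

# Constructed sample configuration, evaluated top-down; first match wins.
POLICIES = (
    [Policy("Accounting", ACCOUNTING_REQUEST, r".*", "Accounting-Group")]
    + realm_policies("emea.example.com", "EMEA", "EMEA-Group")
    + realm_policies("apac.example.com", "APAC", "APAC-Group")
    + [Policy("Default", ACCESS_REQUEST, r".*", LOCAL)]
)

def route(packet_type: int, user_name: str) -> Optional[str]:
    """Return the target of the first matching policy, or None if none match."""
    for p in POLICIES:
        if p.packet_type == packet_type and re.fullmatch(
                p.pattern, user_name, re.IGNORECASE):
            return p.target
    return None

if __name__ == "__main__":
    samples = [(ACCESS_REQUEST, "alice@emea.example.com"),
               (ACCESS_REQUEST, "APAC\\bob"),
               (ACCESS_REQUEST, "carol"),
               (ACCESS_REQUEST, "dave@emea.example.com.other.test"),
               (ACCOUNTING_REQUEST, "alice@emea.example.com")]
    for ptype, name in samples:   # constructed user names
        print(ptype, name, "->", route(ptype, name))
```

Because each realm pattern must match the entire user name, a name that merely contains a known realm is not forwarded to that realm's server group and falls through to the default policy.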

Caution