Step D1: Determine Domain Controller Configuration

Published: February 25, 2008

 

Once the number of domain controllers has been identified, the final step is to determine the disk space, memory, CPU, and the network requirements for each domain controller.

Task 1: Identify Minimum Disk Space Requirements for Each Domain Controller

For each domain controller, plan to allocate at a minimum the following amount of space:

  • 500 MB for Active Directory transaction logs.
  • 500 MB for the drive containing the SYSVOL share.
  • 1.5 GB to 2 GB for the Windows Server 2008 operating system files.
  • 0.4 GB of storage for every 1,000 users in the directory for the NTDS.dit drive.

For example, for a forest with two domains (domain A, domain B), with 10,000 and 5,000 users respectively, provide a minimum of 4 GB of disk space for each domain controller that hosts domain A and a minimum of 2 GB of disk space for each domain controller that hosts domain B.

Domain controllers running as global catalog servers will need additional disk space allocated if the forest contains more than one domain. For a given global catalog server, the additional space requirement is 50 percent of the recommended disk space for each additional domain outside of the global catalog server’s own domain. In the earlier example, Domain A required 4 GB of disk space and Domain B required 2 GB of disk space. For a global catalog server in Domain A, an additional 1 GB would be needed (Domain B’s 2 GB / 2), for a total of 5 GB of storage. For a global catalog server in Domain B, an additional 2 GB will be needed (Domain A’s 4 GB / 2), for a total of 4 GB of disk space.

Finally, if any applications are using the directory to store data in an application partition, the storage requirements for each application partition will need to be added to the domain controller disk requirements.
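The sizing rules above can be applied to a whole forest at once. The following is an added example, not part of the original guide; the function name, parameter, and output property names are hypothetical. It rounds partial thousands of users up (an assumption), uses the 2 GB upper end of the operating system range, and does not include application partition storage, which must be added separately.

```powershell
# Added example (not from the guide); all names are hypothetical.
function Get-DcDiskEstimate {
    param(
        [Parameter(Mandatory = $true)]
        [hashtable] $UsersPerDomain            # domain name -> number of users
    )

    $gbPer1000Users = 0.4                      # NTDS.dit drive, per 1,000 users
    $fixedGB        = 0.5 + 0.5 + 2.0          # logs + SYSVOL + OS (upper end of 1.5-2 GB)

    # Database space per domain; partial thousands are rounded up (assumption).
    $base = @{}
    foreach ($domain in $UsersPerDomain.Keys) {
        $thousands     = [math]::Ceiling([double]$UsersPerDomain[$domain] / 1000)
        $base[$domain] = $thousands * $gbPer1000Users
    }

    foreach ($domain in $UsersPerDomain.Keys | Sort-Object) {
        # A global catalog server adds 50 percent of every other domain's figure.
        $gcExtra = 0.0
        foreach ($other in $base.Keys) {
            if ($other -ne $domain) { $gcExtra += 0.5 * $base[$other] }
        }

        [pscustomobject]@{
            Domain       = $domain
            Users        = $UsersPerDomain[$domain]
            DatabaseGB   = [math]::Round($base[$domain], 1)
            DatabaseGcGB = [math]::Round($base[$domain] + $gcExtra, 1)
            TotalGB      = [math]::Round($base[$domain] + $fixedGB, 1)
            TotalGcGB    = [math]::Round($base[$domain] + $gcExtra + $fixedGB, 1)
        }
    }
}

# Sample input: the two-domain forest from the guide's example.
Get-DcDiskEstimate -UsersPerDomain @{ 'DomainA' = 10000; 'DomainB' = 5000 } |
    Format-Table -AutoSize
```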

Identifying capacity requirements is one element in planning the disk configuration. The second element is performance planning. The disk subsystem needs to be configured to read and write data at a rate that meets business expectations for performance. Some form of RAID can be used to provide fault tolerance for the data.

For smaller sites, a single disk may meet both the capacity and performance requirements. For larger sites, the log, OS, and database files may need to be placed on separate volumes in order to meet the performance requirements. Test the configuration to ensure that the disk subsystem is not a bottleneck under the expected load. Additional disk spindles may be required if performance is lacking in the original capacity-based disk configuration.

Record the drive configuration information for each server.

Task 2: Identify Memory Requirements for Each Domain Controller

The following table gives a conservative estimate of the minimum required memory allocation for a domain controller. The table assumes that the domain controllers are hosting only Active Directory and DNS.

Table 4. Minimum Required Memory Allocation

Users per domain in a site | Minimum memory requirements per domain controller
1–499 | 512 MB
500–999 | 1 GB
> 1,000 | 2 GB

Although this table lists the minimum, additional memory can improve the performance of the directory. Active Directory will attempt to cache the database in memory. This reduces disk access and improves performance. This cache is limited by the virtual address space and the amount of physical RAM on the server.

If there is an existing infrastructure, measure the performance of the domain controllers to determine if the existing memory is sufficient for the environment. If this is a new deployment, begin with 2 GB of RAM. Test the configuration with the expected loads and add memory as required.

To determine whether more RAM is needed for the server, monitor the percentage of Active Directory operations being satisfied from the cache by using the Reliability and Performance Monitor. Examine the lsass.exe instance (for Active Directory Domain Services) or Directory instance (for Active Directory Lightweight Directory Services) of the Database\Database Cache % Hit performance counter. A low value indicates that many operations are not being satisfied from the cache; adding more RAM might improve the cache hit rate and the performance of Active Directory. You should examine the counter after Active Directory has been running for some time under a normal workload. The cache starts out empty when the Active Directory service is restarted or the machine is rebooted, so the initial hit rate is low.

The use of the Database Cache % Hit counter is the preferred way to assess the amount of RAM a server needs. Alternatively, a guideline is that when the RAM on a server is twice the physical size of the Active Directory database on disk, it likely gives enough room for caching the entire database in memory. However, in many scenarios this is an overestimation because the actual portion of the database most frequently used is only a fraction of the entire database.
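Both checks described above can be collected in one pass on a domain controller. The following is an added example, not part of the original guide; the function and parameter names are hypothetical. It assumes a PowerShell version that provides Get-Counter and Get-CimInstance, a local administrative session on the domain controller, and a 24-hour warm-up window that is an assumption rather than a figure from the guide.

```powershell
# Added example (not from the guide). Run locally on a domain controller.
function Get-DcCacheAssessment {
    param(
        [string] $Instance        = 'lsass',  # AD DS; the guide names "Directory" for AD LDS
        [int]    $Samples         = 12,
        [int]    $IntervalSeconds = 5,
        [double] $WarmUpHours     = 24        # assumed warm-up window, not from the guide
    )

    # Counter named in the guide: Database\Database Cache % Hit
    $path = "\Database($Instance)\Database Cache % Hit"
    $hits = Get-Counter -Counter $path -SampleInterval $IntervalSeconds -MaxSamples $Samples |
            ForEach-Object { $_.CounterSamples[0].CookedValue } |
            Measure-Object -Average -Minimum

    # The cache starts empty after a reboot, so flag samples taken too early.
    # (A restart of the directory service alone is not detected here.)
    $os     = Get-CimInstance Win32_OperatingSystem
    $uptime = (Get-Date) - $os.LastBootUpTime

    # Alternative guideline: RAM at least twice the on-disk database size.
    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ditPath = (Get-ItemProperty -Path $ntdsKey).'DSA Database file'
    $ditGB   = (Get-Item -LiteralPath $ditPath).Length / 1GB
    $ramGB   = ($os.TotalVisibleMemorySize * 1KB) / 1GB   # WMI reports kilobytes

    [pscustomobject]@{
        Counter          = $path
        AvgHitPercent    = [math]::Round([double]$hits.Average, 2)
        MinHitPercent    = [math]::Round([double]$hits.Minimum, 2)
        UptimeHours      = [math]::Round($uptime.TotalHours, 1)
        CacheWarmedUp    = $uptime.TotalHours -ge $WarmUpHours
        RamGB            = [math]::Round($ramGB, 1)
        DatabaseGB       = [math]::Round($ditGB, 2)
        RamTwiceDatabase = $ramGB -ge (2 * $ditGB)
    }
}

Get-DcCacheAssessment | Format-List
```

Treat the hit percentages as meaningful only when CacheWarmedUp is true and the samples were taken under a normal workload.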

Task 3: Determine CPU Requirements

A 32-bit server running the standard edition of Windows Server 2008 can only address 4 GB of RAM. If there is an expected need to grow the RAM in a server beyond 4 GB, then move to a 64-bit architecture. Moving to a 64-bit version of Windows Server 2008 protects the future expandability of the system and future-proofs the hardware against market decisions around 32-bit.

The general recommendation is that for sites with fewer than 500 users, start with a single CPU; for sites with fewer than 10,000 users, start with dual CPUs and then scale from there. This assumes that the primary work of the directory is user authentication.

If the servers handle additional requests, such as Exchange Server, then monitor the performance of the system and adjust the number of CPUs as required. If there are existing domain controllers in the environment, monitoring the performance of those servers can be useful for establishing a baseline for the required hardware.

Record the number of CPUs and chosen architecture for each domain controller.

Task 4: Identify Network Requirements for Each Domain Controller

Many corporate networks run at either 100-megabit or gigabit connectivity to the servers. Typically, a single network adapter is sufficient to handle all the network traffic to and from the server.

Placing multiple network adapters in a domain controller can cause a variety of issues, ranging from replication failures to authentication failures, and is generally not recommended.

Tasks and Considerations

Active Directory is optimized for read-heavy scenarios, that is, where the workload consists of more query operations than update operations. The most important performance tuning step is to ensure that the server has sufficient RAM to cache the most frequently used portion of the database in memory. Monitor the Database Cache % Hit counter on the server to determine whether additional memory is required. The percentage of hits will be low if the directory service was just recently started.

In scenarios where the directory is write-heavy, optimize the disk subsystem for performance. Using hardware RAID controllers, low-latency high-RPM disks, and battery-backed write caches on the controller can help improve performance. Because most of the workload consists of writes, the cache does not provide as much benefit as it does in the read-heavy scenarios.

Decision Summary

The proper physical configuration of domain controllers is essential to the proper operation of Active Directory. Critical elements include the disk subsystem, memory, CPU, and network adapters. Hardware can be reconfigured as needed but doing so may require outages.

Additional Reading

“Performance Tuning Guidelines for Windows Server 2008” at https://www.microsoft.com/whdc/system/sysperf/Perf_tun_srv.mspx

“Active Directory Performance for 64-bit Versions of Windows Server 2003” at https://www.microsoft.com/downloads/details.aspx?FamilyID=52e7c3bd-570a-475c-96e0-316dc821e3e7

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.
