There are no practical limits to the number of objects stored in Active Directory. The Active Directory database has been tested for up to 40 million objects. Performance tests show logon performance for a single LDAP client to be the same with 10,000 objects, 100,000 objects, and 1 million objects — that is, the directory service does not slow measurably when the size of the database increases.
In a mixed-mode environment in which backup domain controllers are running Windows NT 4.0, the recommended limit for the number of security principal objects per domain is 40,000 (the sum of users, groups, and computers). This limit is based on the Windows NT 4.0 SAM database storage capacity. (For more information about SAM database capacity, see "Determining Domain Migration Strategies" in the Microsoft Windows 2000 Server Resource Kit Deployment Planning Guide .)
Object Size vs. Maximum Database Record Size
Each object in the directory is represented as one record, or row, in the database, and each attribute is represented as one column in the row. The only exceptions are certain attributes whose values are stored separately as links. The limit for record size in the database is 800 non-linked values across all attributes. Attributes that represent links do not count in this value. (For more information about linked attributes, see "Linked Attributes" later in this chapter.) The size of objects is not a problem if you use the recommended guidelines described in "Data Characteristics" earlier in this chapter.
To enhance performance on domain controllers, install the Windows 2000 operating system on one drive, the Active Directory database file (Ntds.dit) on a second drive, and the log files on a third drive. (For more information about disk management, see "Data Storage and Management" in the Microsoft Windows 2000 Server Resource Kit Server Operations Guide . For more information about database page sizes, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources .)
Instead of deleting objects physically from the database, the directory service removes most of the attributes and then tags the object as being in the tombstone state, which means it has been logically deleted from the directory but has not yet been completely removed. The tombstone tag alerts replication partners that the object was deleted. Objects that are tagged as tombstones are moved to the Deleted Objects container, where they remain until garbage collection removes them. Thus, tombstones are used to replicate object deletions.
Garbage collection is a housekeeping process that runs on every domain controller. At regular intervals (by default, 12 hours), garbage collection deletes objects that are no longer needed by the directory service.
Garbage collection performs the following tasks:
Defragments the database file.
There are two values that control how garbage collection runs and what it removes. These values are attributes of the cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc= ForestRootDomain object:
Tombstone lifetime determines the number of hours that a deleted object lives as a tombstone in the directory before being collected as garbage, and it is set in the tombstoneLifetime attribute. The default setting is 60 days, and the minimum setting is 2 days.
Garbage collection interval determines how often a domain controller examines its database for expired tombstones that can be collected, and it is set in the garbageCollPeriod attribute. The default setting is 12 hours, and the minimum setting is 1 hour. This period is to ensure proper replication of deleted objects.
The default value for these two attributes applies if the attribute is not set (the initial state of the system). The minimum value applies if the attribute is set to a value below the minimum (that is, the minimum is not declared in the schema).
It is important that the tombstone lifetime be substantially longer than the expected replication latency. The interval between cycles of deleting tombstones must be at least as long as the maximum replication propagation delay across the forest. Because the expiration of a tombstone lifetime is based on the time when an object was deleted logically — rather than on the time when a particular server received that tombstone through replication — an object's tombstone is collected as garbage on all servers at approximately the same time. If the tombstone has not yet replicated to a particular server, that server never records the deletion. Likewise, if you restore a domain controller from a backup that is older than the tombstone lifetime, the domain controller does not have a record of some deletions, which leads to inconsistencies between domain controllers.
The maximum garbage collection interval is one-third of the tombstone lifetime (in hours). So if you set tombstoneLifetime to 30 days and garbageCollPeriod to 300 hours, your actual garbage collection period is only 10 days, or 240 hours.
You can use ADSI Edit to view or change the default settings for these attributes. To change the values, use the procedure that follows.
To use ADSI Edit, install the Support Tools that are located in the Support\Tools folder on the Windows 2000 Server operating system CD. To install the tools, double-click the Setup icon in that folder. For more information about using ADSI Edit, see MicrosoftWindows 2000 Support Tools Help. For information about installing and using the Windows 2000 Support Tools and Support Tools Help, see the file Sreadme.doc in the Support\Tools folder of the Windows 2000 operating system CD.
To view or change attribute values by using ADSI Edit
On the Start menu, point to Programs , Windows 2000 Support Tools , Tools , and then click ADSI Edit .
If the directory partition whose attributes you want to change or view is not displayed, right-click the ADSI Edit icon, and then click Connect to .
If the current computer is not the domain controller on which you want to change attributes, under Computer , click Select or type a domain controller , and then select or type the computer name.
To select the directory partition, under Connection Point , click Naming Context .
In the Naming Context list, click a directory partition, and then click OK .
In the Name box, the name of the directory partition that you selected is displayed. You can replace this name with a name that better identifies the specific connection.
Navigate to the object whose property values you want to view or change.
In the Properties dialog box, in the Select which properties to view box, click one these alternatives: Optional , Mandatory , or Both .
In the Select a property to view box, click the property that you want to view.
To change a property value, type the value in the Edit Attribute box.
Click Set , and then click OK .
When you view properties on cn=Directory Service,cn=Windows NT, cn=Services,cn=Configuration,dc= forestRootDomain , if no value is set (which means that the default is in effect), the value that you type in the Edit Attribute box replaces the default value when you click Set .
For more information about backing up and restoring Active Directory, see "Active Directory Backup and Restore" in this book. For more information about replication, see "Active Directory Replication" in this book.
To update the directory database file, the database system uses the quickest way to fill database pages. Although this system is efficient in updating the database quickly, it does not make the most efficient use of space in the database. Defragmentation rearranges how the data is written in the database in order to compress the data. You can defragment the database file online or offline by using the Ntdsutil command-line tool. Defragmentation can take place online (while the computer is running as a domain controller) or offline (while the computer is running as a stand-alone server.
ESE supports online defragmentation, which effectively rearranges pages within the data file but does not release space back to the file system. ESE invokes online defragmentation automatically at regular intervals after garbage collection. Online defragmentation makes space available, but it does not reduce the size of the database file. Only offline defragmentation provides you with a clear picture of the amount of space consumed by the database file.
To release space back to the file system, you can perform offline defragmentation. Offline defragmentation must be performed in Directory Services Restore Mode, which restarts the computer as a stand-alone server — that is, the computer runs offline and is not acting as a domain controller. In Directory Services Restore Mode, you can use the Ntdsutil command-line tool to defragment the Ntds.dit file. Offline defragmentation produces the defragmented version of the database file in a separate directory. You can archive the original Ntds.dit file and move the defragmented file into the current directory. (For more information about using Ntdsutil to perform offline defragmentation, see "Active Directory Diagnostics, Troubleshooting, and Recovery" and "Active Directory Diagnostic Utility (Ntdsutil.exe)" in this book, and see MicrosoftWindows 2000 Support Tools Help.)
You can use offline defragmentation to test database growth by comparing the defragmented version of the file with the fragmented version. For example, on a newly installed domain controller, if you perform a bulk load of objects and then defragment the database file offline, the difference between the two files is the space occupied by the new objects.
You can set the DSA to log, during garbage collection, a message in the Directory Service event log that states how much disk space might be freed up by offline defragmentation. To activate logging of this message in the Directory Service event log, edit the value of the Garbage Collection registry entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
To activate logging of disk space that is freed by defragmentation
On the Start menu, click Run .
Type the following:
– Or –
Click OK .
In the registry editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
Double-click the Garbage Collection entry.
In Regedt32.exe, type 1 in the Data box, type:
In Regedit.exe, type 1 in the Data value box, type:
Click OK , and then close the registry editor.
Editing the registry directly can have serious, unexpected consequences that can prevent the system from starting and require that you reinstall Windows 2000. There are programs available in Control Panel or Microsoft Management Console (MMC) for performing most administrative tasks. These programs provide safeguards that prevent you from entering conflicting settings or settings that are likely to degrade performance or damage your system. Registry editors bypass the standard safeguards that are provided by these administrative tools. Modifying the registry is recommended only when no administrative tool is available. Before you make changes to the registry, it is recommended that you back up any valuable data on the computer. For instructions about how to edit registry entries, see Help for the registry editor that you are using. For more information about the registry, see the Microsoft Windows 2000 Resource Kit Technical Reference to the Windows 2000 Registry (Regentry.chm).
To defragment the database file offline, start the domain controller in Directory Services Restore Mode.
To start a domain controller in Directory Services Restore Mode
During the phase of startup when you would usually select the operating system, press F8 to display advanced startup options.
On the Windows 2000 Advanced Options menu, use the arrow keys to select Directory Services Restore Mode , and then press ENTER.
Follow these recommended defragmentation procedures:
Use offline defragmentation only when you know that database contents have decreased considerably (for example, when a Global Catalog server becomes a normal domain controller) and you need to reclaim space for other uses.
Retain the original Ntds.dit file until the domain controller has restarted with the defragmented file. When you have no doubt that the directory database is in a consistent state, you can delete the fragmented (original) database file.
For more information about performing offline defragmentation, see "Active Directory Diagnostics, Troubleshooting, and Recovery" in this book.
When you test the effects of loading a specific set of objects on database growth, keep the following in mind:
When the directory contains objects that you have added recently, the database is in a fragmented state, which makes it impossible to tell how much space the objects actually occupy in the database file.
Online defragmentation does not reduce the size of the database file. Only offline defragmentation accomplishes reduction of file size.
If you have garbage collection event logging set to 1 , you can use the Directory Service log in Event Viewer to view messages about the amount of space that would be made available by offline defragmentation.