How Big Can Active Directory Get?

Windows 2000 ships later this month, and one of the biggest challenges for enterprises moving to the operating system will be planning for Active Directory. But will Microsoft Corp.’s (www.microsoft.com) new directory service be big enough to handle the enterprise network?

Early reports suggested that Active Directory filled up at about 10 million objects, a limit that organizations with 100,000 or more users could reach quickly. Microsoft’s Windows 2000 enterprise marketing group manager, Ed Muth, denies that Microsoft ever discussed a 10-million-object limit. Confusion may have arisen from some Microsoft documentation that put a 10-million-object limit on a Windows 2000 domain.

Framing the issue is a claim from Novell Inc. (www.novell.com) that its internal tests show that Novell Directory Services (NDS) 8 scales to 1 billion objects.

In fact Microsoft recently demonstrated an Active Directory of 50 million objects, and observers say the Active Directory structure theoretically will scale to more than 4 billion objects.

At Comdex in November, Microsoft, Unisys Corp. (www.unisys.com), EMC Corp. (www.emc.com), and others demonstrated a data center with an Active Directory housing more than 50 million objects.

This appears to be the most heavily populated Active Directory marketed by Microsoft. A source close to the demonstration says Microsoft officials previously alluded to having another vendor that would show an Active Directory with 250 million objects.

NetIQ Corp. (www.netiq.com), was charged with providing metrics to prove that the Comdex demonstration was really computing the transactions that Microsoft claimed.

Tim Sedlack, technology development manager at NetIQ, says the theoretical limit of Active Directory is two to the 32nd power, which translates to 4.29 billion objects. But it isn’t that simple. Populating an Active Directory with more than 4 billion objects is a Herculean task. It took Unisys one and a half weeks to populate the 50 million object Active Directory, and that was using several servers, according to Dave Jones of Unisys, who was chief architect for the Comdex demonstration.

"One thing to remember is that Active Directory is still a database, so you need a place to store this database and a way to search it," NetIQ’s Sedlack says.

The Microsoft and Unisys solution, for instance, was stored on 300 GB of disk and ran on a four-way server. For replication and the Global Catalog, along with all the indexes that it builds, two more servers were strung together for a total of 750 GB of disk.

Searching the Active Directory Comdex demonstration was not straining on the hardware at all, Sedlack says, and that hardware configuration probably could have handled 100 million objects since CPU use was relatively low at 10 to 12 percent.

But it was a huge multimillion dollar configuration packed with 40 top-of-the-line operational servers and a dozen systems that were generating transactions from fake customers.

Although planning for Active Directory usually conjures images of domain consolidation, Unisys’ Jones says hardware plays an important role in the size of an Active Directory as well. "To scale Active Directory up, you really have to think out the servers you’re going to use very carefully," he explains. "Servers are extremely important, as are storage subsystems."

When laying out hardware plans, Jones says customers should be looking at the disk storage space, what type of interconnects to use without impeding network resources, and the structure of the Active Directory itself.

"We’re doing work with Windows 2000 to understand the ramifications of having a certain number of user accounts on a given server," Jones says.