AD OU Objects and Replication Performance

John Collins

Our native AD domain has five DCs and services fewer than
10,000 PCs/servers. Each department was initially granted
an OU with four sub-OUs, such as:

    Department
        OU Admins
        Users
        Computers
        Servers

for our use. Some have found that one OU might get
cluttered up; say the Users OU has 20 similar security
groups, 20 distribution groups, and 20 different security
groups, so the structure now looks like:

    Department
        OU Admins
        Users
            SIM-Groups
            Distro
            Dif-Groups
        Computers
            Staff
            Classroom
            Labs
        Servers

The additional OU folders contain objects that were
previously in the parent folder and actually don't
increase the number of objects except by the one
organizing folder.

Our domain administrators have stated that this process
causes all kinds of performance problems on the domain's
replication and directory services.

Is this so? Can anyone give me a good rationale for a pro
or con view?

Regards,

John
 
Paresh Nhathalal

The main OU design basics should follow:
(1) Domain delegated administration tasks
(2) Divide objects with unlike policy (although you want
to plan an OU design in such a way that you effectively
use settings applied by GPO (inheritance))
(3) Simplify administration and management requirements

OU designs with fewer levels will return better
performance. LDAP searches will be slower in domains with
deep OU structures. Also, the processing of GPOs per OU
read by the objects within those OUs may have an effect.
For example, if the user object is 4 OUs deep and each OU has
GPOs applied with read access to that user object, you
can see that the user will now have to process all
settings (or at least read these settings). You can
increase the performance (logging) by actually also
removing the GPO reads (if you do not want to apply those
GPO settings).

Refer to
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/activedi.mspx

Complete in-depth OU design recommendations can be found
at:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dssbc_logi_wiio.asp

Regards

PN
 
John Collins

Although I understand what you explain below, it doesn't give me an answer to my
original question regarding our specific structure. Does anyone have
experience where adding one or possibly two layers causes significant
performance issues?

Regards,

John
 
Brian Desmond [MVP]

John-

Your admins are wrong. 20 groups in an OU is not a problem. You need
thousands and thousands of objects in an OU to start getting messy.

--
Brian Desmond
Windows Server MVP
(e-mail address removed)12.il.us

Http://www.briandesmond.com
 
John Collins

Brian,

I've since found that one OU by itself generates 11 bytes of data. Since we
are not really adding any additional objects but rather moving them into a
sub-OU (just one deeper than their design), we are actually only adding about
11 or 12 bytes each time we do this. And since Windows 2000 replicates the
entire OU when a change is made to only one object in the OU (I believe
Windows Server 2003 changes this to only replicate the changed data), we are
probably helping with replication, since my Computers OU under the original
scheme holds some 550 objects; the Staff sub-OU will hold about 70 objects
from the 550, so a change in that OU will cause less replication. Do you
agree?

Regards,

John
 
Brian Desmond [MVP]

No. I don't. Object location is not an attribute of the OU, but an attribute
of the object. Just the object is replicated. The DN attribute in particular
is what changes.

--
Brian Desmond
Windows Server MVP
(e-mail address removed)12.il.us

Http://www.briandesmond.com
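The three claims argued in this thread (how many objects an OU really holds, how many GPO links an object at a given depth has to evaluate, and what actually replicates when an object is moved) can each be checked against a live domain rather than debated. The script below is an added example written for this page, not code from any poster; it assumes the RSAT ActiveDirectory and GroupPolicy modules, a department OU laid out as in the first post, and a hypothetical user account named jsmith. Per-attribute replication metadata is read with Get-ADReplicationAttributeMetadata, which reports version stamps on the object itself, so a move shows up on the moved object's entry and not on the OU container.

```powershell
# Added example for this thread (not from any poster). Requires the RSAT
# ActiveDirectory and GroupPolicy modules; OU and user names are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$deptOu   = "OU=Department,$domainDn"      # hypothetical department OU
$sample   = 'jsmith'                        # hypothetical user to inspect

# 1. Direct-child object count and nesting depth for every OU under the
#    department. "Depth" counts OU= components in the DN.
$ouStats = Get-ADOrganizationalUnit -SearchBase $deptOu -SearchScope Subtree -Filter * |
    ForEach-Object {
        $children = Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel -Filter *
        [pscustomobject]@{
            OU      = $_.DistinguishedName
            Depth   = ([regex]::Matches($_.DistinguishedName, '(?i)(^|,)OU=')).Count
            Objects = @($children | Where-Object ObjectClass -ne 'organizationalUnit').Count
        }
    }
$ouStats | Sort-Object Depth, OU | Format-Table -AutoSize

# 2. Walk from an object's parent up to the domain, returning each OU DN
#    (nearest first). Assumes RDNs contain no escaped commas.
function Get-OuChain {
    param([string]$ObjectDn)
    $chain  = @()
    $parent = ($ObjectDn -split ',(?=(?:OU|CN|DC)=)', 2)[1]
    while ($parent -and $parent -match '^(?i)OU=') {
        $chain += $parent
        $parent = ($parent -split ',(?=(?:OU|CN|DC)=)', 2)[1]
    }
    return $chain
}

$user  = Get-ADUser -Identity $sample
$chain = Get-OuChain $user.DistinguishedName
"OU depth for $($user.SamAccountName): $($chain.Count)"

# GPO links the user's logon has to consider: every OU in the chain plus the
# domain itself. Disabled links and security filtering still apply on top of this.
$links = foreach ($target in ($chain + $domainDn)) {
    $inh = Get-GPInheritance -Target $target
    foreach ($link in $inh.GpoLinks) {
        [pscustomobject]@{
            Target   = $target
            GPO      = $link.DisplayName
            Enabled  = $link.Enabled
            Enforced = $link.Enforced
        }
    }
}
$links | Format-Table -AutoSize

# 3. Replication metadata for the user object on one DC: each attribute's
#    version and last originating change. Run before and after moving the
#    object between OUs to see exactly which attributes were re-stamped; the
#    source and destination OU objects carry no new stamps from the move.
$dc = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $dc |
    Sort-Object LastOriginatingChangeTime -Descending |
    Select-Object -First 10 AttributeName, Version, LastOriginatingChangeTime,
                            LastOriginatingChangeDirectoryServerIdentity |
    Format-Table -AutoSize
```

Run step 3 against the same DC before and after a test move of one object; comparing the two listings shows that the replicated change is confined to the moved object's own metadata, which is the point Brian makes above.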