Title: User Accounts

Good thread.

 

A few corrections, for the sake of keeping the search engines fresh….

 

The underlying store used by AD supports a theoretical maximum of 4.2 billion rows (limited by the 32 bit DNT or distinguished name tag)

 

Actually, you can only have 2^31 DNTs. This is because we start at 1, but it is actually a signed int. So we only get up to ~2bil or so, and don’t use the negative side. Sorry, you can’t have the bit back, unless you ask REALLY nicely. <g>

 

A row could be said to correlate to an object but it's certainly not a one-to-one relationship since rows also house many other structures such as tables, long-values, etc

 

Ah, no, not quite (thankfully :)).

There is a similar limit for # of long values (doesn’t work the same, but mechanics omitted for the sake of brevity), but it has nothing to do with row count in the data table. Long values are burst out to their own b-tree, and as such would not be related to the DNT count max that you were talking about before. In fact, the LID concept is entirely orthogonal to the max row count governed by DNTs that was being discussed.

Dean and I also IM’d on this thread some, and the concept of link value also came up. Rest assured, link values also do not consume DNTs, they are stored entirely differently.

 

But, I do agree with the general feeling here, though for a slightly different reason. :) A row being used on a DC does not necessarily correlate with only what people think of as “their objects hosted by that particular server.” You have phantoms, structural phantoms, schema definitions, etc. Further, GCs of course drive the limitation in large forests, when the # of objects that is large are in domain NCs, of course (more on this below).

 

So ... to my knowledge, there's no user-related maximum other than the ESE constraints outlined above.  Hundreds of millions of users seems perfectly practical.  I personally have no first-hand experience of a directory of that scale but if memory serves I believe public documentation does exist referencing either (or both) test or production directories well within this arena.

 

There is actually a subtle point here….there is max # of users in a single directory instance (ie, on one given DC/ADAM instance), and max # in the entire distributed system. They are somewhat different.

In the ADAM world (read: no GCs), it is entirely possible to have a series of instances, each of which houses different NCs, and each NC approaches the limits mentioned in this thread (ie, each has 2bil objects say). So long as no one instance breaks the thresholds, you are golden.

It is only AD that can’t play this game because GCs of course have partial NCs. But ADAM, no worries. Well, unless your large # of objects in AD are in NDNCs.

 

The larger directories I have worked with had ~100M objects on a single server. I haven’t seen people break that on a single box….but I don’t deny it has been done, I just haven’t seen it. :)

 

Oh yea, the concept of negative linkIDs somehow came up in conversation as well. I’ll blog about that I think. Perhaps even tonight, if I get my stuff done.

 

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, April 15, 2006 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

 

Actually I am going to bust myself here before Dean or someone else does. The SIDs are going to be limited into the billions. Not due to the SID structure, but due to locations where RIDs are stored as DWORDs (32 bits) instead of as 6 bytes (48 bits). ADAM thoughts still stand as they use the GUID logic for producing the SIDs, they are not based on a domain SID coupled with an artificially limited 32 bit "RID".

 

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, April 15, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

I agree with Dean on this. :o)

 

The only user logical or implementation related limitation I could think of off the top of my head would be around SIDs and you are talking a number in the trillions for Active Directory and much much errr much higher for ADAM since they changed how SIDs are generated[1].

 

For completeness though not directly related to Christine's question I also wanted to add that the other physical limit is simply one of size which is ~16TB. This is governed by the max pages of ESE (2147483646[2]) coupled with the page size used for the Active Directory DB which is 8KB. That works out to 8*1024*2147483646 / 1099511627776[3] or 15.9999TB.

 

 

 

 

 

   joe

[1] See discussion in book mentioned in signature[7]

 

[2] This max page size is publicly available in the ESE docs. It is located on the page http://msdn.microsoft.com/library/default.asp?url= however note there is a doco bug where it says that is 2^32 - 2 and it obviously isn't... It is 2^31 - 2[4]. Why not 2^32 - 2 which effectively doubles the size of the DB for those who find ~16TB a trifle claustrophobic? You would have to ask our Garage Door guy but I __know__ that the page vars are specified as 32 bit "longs" and I would __theorize__ it is to avoid hitting bit issues and make it easier (and faster) for comparisons and calculations so you don't have to watch out for overflows, etc. This isn't something you tend to think about in scripting and languages like VB and .NET but I can assure you, something below your code has to handle it and it is extra work. So not using the high bit gets you a nice one bit buffer[5] which sounds like very little but is a lot of buffer for the calculations that would need to be made.

 

[3] This is the number of bytes in a TB. 1024^4. If you had that much in pennies you would be a billionaire. But still not as rich as billg.

 

[4] I have submitted this feedback to MSDN for a second time. Usually they are a little better about that when you submit something. :) Oh how do I know which number is the correct one? I cheated and looked at the source. ;o)

 

[5] Not like a storage buffer but a programming buffer sort of like putting tape up when painting so you don't have to go and do extra work of scraping (or repainting another colour) later.

 

[6] Why are you reading this footnote, I didn't reference it. :)

 

--

[7] O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, April 15, 2006 9:48 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] User Accounts

That number isn't accurate I'm afraid.  The underlying store used by AD supports a theoretical maximum of 4.2 billion rows (limited by the 32 bit DNT or distinguished name tag) within its lifetime, deleted objects (garbage collected or otherwise) do not return row numbers to the available pool.  A row could be said to correlate to an object but it's certainly not a one-to-one relationship since rows also house many other structures such as tables, long-values, etc.  Note that the limitation also differs from DC to DC since long-standing DCs will have less row space available than those recently promoted.  Windows 2003 does not address this limitation (although improvements have been made in other areas).

 

So ... to my knowledge, there's no user-related maximum other than the ESE constraints outlined above.  Hundreds of millions of users seems perfectly practical.  I personally have no first-hand experience of a directory of that scale but if memory serves I believe public documentation does exist referencing either (or both) test or production directories well within this arena.

 

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, April 14, 2006 10:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

I was told 5 billion objects (in theory) when I took the Windows Server 2000, “Designing a Microsoft Windows 2000 Networking Services Infrastructure”, taught by Cathy Moya at Quickstart Technologies (now with Microsoft).

 

Joe, has Microsoft changed this in AD 2003?

 

Jose

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Friday, April 14, 2006 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User Accounts

 

 

Hello,

How many user accounts can Active Directory 2000/2003 support (including email)?

-Christine

Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place
Boston, MA 02116

617-748-6034
617-293-4407

[EMAIL PROTECTED]
