Building a Cisco Network for Windows 2000, Part 6

274 Chapter 7 • Sizing the Infrastructure for Windows 2000

Figure 7.10 Performance monitor for replication traffic.

Figure 7.11 Replication monitor.

www.syngress.com

71_BCNW2K_07 9/10/00 1:18 PM Page 274


Figure 7.12 Network monitor.

The problem with using the Network monitor lies in the fact that it captures every packet, and does not filter at the capture level according to the packet type. What you can do, however, is to set a port for RPC traffic by configuring the registry key at HKLM\System\CurrentControlSet\Services\NTDS\Parameters\TCP/IP Port.

Once the port for this is set, you can start the Network monitor. Next you will need to force replication by opening the Active Directory Sites and Services console, then right-clicking on the NTDS Settings objects below each domain controller object and selecting “Replicate Now.” Once replication has completed, you can review the captured packets for those with the port number you configured. Those will represent the RPC traffic. If you have configured a site link to use SMTP traffic, you should also look for packets using port 25.
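The review step described above can be scripted once the capture is exported as rows of addresses, ports, and frame sizes. The following is an added example, not code from the book: the port value 50000, the DC addresses, the sample rows, and the function names are all constructed assumptions, and it also lists any host that is not a DC but appears on the pinned RPC port or port 25.

```python
from collections import defaultdict

RPC_PORT = 50000                   # assumed: the value written to "TCP/IP Port"
SMTP_PORT = 25                     # SMTP site links, as noted in the text
DCS = {"10.0.1.10", "10.0.2.10"}   # constructed domain controller addresses

# Constructed rows standing in for an exported capture:
# (src_ip, src_port, dst_ip, dst_port, frame_bytes)
SAMPLE = [
    ("10.0.1.10", 1200, "10.0.2.10", 50000, 1514),
    ("10.0.2.10", 50000, "10.0.1.10", 1200, 1514),
    ("10.0.1.10", 1200, "10.0.2.10", 50000, 972),
    ("10.0.1.10", 1301, "10.0.2.10", 25, 800),
    ("10.0.1.55", 1400, "10.0.1.10", 445, 300),    # unrelated traffic, skipped
    ("10.0.1.77", 1500, "10.0.2.10", 50000, 120),  # non-DC peer on the RPC port
]

def transport(sport, dport, rpc_port=RPC_PORT):
    """Classify a packet as replication RPC, SMTP, or neither, by port."""
    if rpc_port in (sport, dport):
        return "rpc"
    if SMTP_PORT in (sport, dport):
        return "smtp"
    return None

def summarize(rows, dcs=DCS, rpc_port=RPC_PORT):
    """Return (bytes per transport and DC pair, packets from unexpected peers)."""
    totals = defaultdict(int)
    unexpected = []
    for src, sport, dst, dport, size in rows:
        kind = transport(sport, dport, rpc_port)
        if kind is None:
            continue                      # not on a replication port
        if src in dcs and dst in dcs:
            pair = tuple(sorted((src, dst)))
            totals[(kind, pair)] += size  # both directions count for the pair
        else:
            unexpected.append((src, dst, kind, size))
    return dict(totals), unexpected

if __name__ == "__main__":
    totals, unexpected = summarize(SAMPLE)
    for (kind, pair), size in sorted(totals.items()):
        print(kind, pair, size, "bytes")
    print("review:", unexpected)
```

The per-pair totals can be compared with the replication averages in Table 7.2 after a known change, such as creating one user and forcing replication.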

Server Placement

Which servers do you place into which sites? Do they have to be domain controllers? Do they have to be Global Catalog servers? Which sites need DNS servers or DHCP servers? Where do you put a RAS server for dial up? Where do you put a RAS server for VPN? What about a branch office with 30 users—do they need a domain controller or just a file and print server? Now server placement seems to be a dilemma—but it is one that is easily solved.

First, there definitely will be an impact on your network traffic when you place servers in various sites. The availability of the Active Directory is directly affected by the placement of various types of servers as well.

Domain Controllers

When you start this exercise, you should already have a site topology plan for your network. This will be your starting point for determining the placement of domain controllers. In addition to the site topology plan, you should have your domain/DNS plan, and an understanding of the physical location of the end-users who will exist in each domain. This will allow you to determine which domains span which sites, and vice versa, as shown in Figure 7.13.

Figure 7.13 Domains and sites spanning each other.

It is highly recommended that, for each domain existing within a site, you also place a domain controller for that domain. There are some exceptions to this recommendation—if you have a set of 10 users in a site for DOMAIN.COM, and you have 287 users in that same site belonging to ROOT.COM, then you will not need a DC for DOMAIN.COM in that site. However, if you have 100 users for DOMAIN.COM and 287 users for ROOT.COM, then you will probably want to include a DC from both domains.

[Figure 7.13 labels: Site 1 contains s4.root.com and s3.tree.com; Site 2 contains s2.sub.tree.com and s1.tree.com. Tree.com spans both Site 1 and Site 2. Site 1 spans tree.com and root.com. Site 2 spans tree.com and sub.tree.com.]

Imagine if you have a large campus network with five domains in a single site. You would want to put five different DCs in that single site simply to support authentication traffic. As you can see, the more domains that exist in a site, the more separate servers you will need. And this is not counting whether you need separate Global Catalog, DNS, DHCP, or other servers running in those sites yet.

Once you’ve decided which sites will receive at least one domain controller from the domains in your plan, you need to determine how many domain controllers total you will want for that domain. This decision will be based partially on the number of sites that you deem require a domain controller, and partially on the size and power of the server hardware that will support the domain controllers. A single-processor Pentium PC with a 4GB hard drive will not support even a fifth as many users as a four-processor Pentium III server-class machine with a 40GB RAID array. But you don’t want to max out your server to start with either; you need to plan to leave room for growth. You will want to take into account whether your domain controller will provide other services such as DNS, DHCP, or file and print services because these services will reduce the capacity of the domain controller to support the Active Directory services.

So, there is no magic formula regarding the number of users a domain controller will support. But there is a way of figuring out how many your domain controller will support. The first thing to do is to look at some statistics such as those in Table 7.2, and estimate what size servers you will need for today and for the future. Note that these are averages, and that there may be some differences in the size of your Active Directory objects and replication traffic based on the number of attributes you fill out in each object, whether you include custom attributes, and whether these attributes are copied to the Global Catalog.

Table 7.2 Sizing Statistics

| Component | Definition | Size |
|---|---|---|
| Security principal | User, Group, any object that can be granted rights to other objects | 3600 bytes |
| Nonsecurity principal | Organizational Unit, Organization, any object that is not granted rights to other objects | 1100 bytes |
| Attributes | Additional attributes added to support services on the network, such as DNS | 100 bytes per attribute |

When you determine the size of your Active Directory storage needs, usually you can be assured that any standard hard drive will be able to house even the largest domain partitions. Use the following equation to estimate your storage needs:

(#Security Principals * 3600 bytes) + (#Non-security principals * 1100 Bytes) = Active Directory Size

To ensure that you have enough space for growth, multiply this result by at least 200 percent or more, depending on your company’s growth over the last three years.

Active Directory Size * 200% = Minimum DC capacity required

If you have a domain with 200,000 users and 1000 organizational units, then you can safely estimate your AD database storage needs:

(200,000 * 3600) + (1000 * 1100) = 721100000 Bytes = 687 MB * 200% = 1374 MB = 1.2 GB

Table 7.2 Continued

| Component | Definition | Size |
|---|---|---|
| Intrasite replication of a single user | The average amount of replication traffic generated within a site when creating a new user account | 13,000 bytes |
| Intrasite replication of a single attribute change | The average amount of replication traffic generated within a site when changing a single attribute on an AD object | 4500 bytes |
| Intersite replication of a single user | The average amount of replication traffic generated between sites when creating a new user account | 11,000 bytes |
| Intersite replication of a single attribute | The average amount of replication traffic generated between sites when changing a single attribute | 4000 bytes |

Table 7.2 shows that the size of the replication of new objects and changed attributes turns out to be more expensive than the incremental storage of that same data on a single DC hard disk. For example, if you have one DC storing all the objects in a single domain that is the only domain in its forest, then there is no replication traffic that will interrupt other network traffic on the wire. (However, you won’t have any redundancy in case that DC fails, so always make certain to have two DCs per domain.) If you have two domain controllers, then you will have one replication for each change on the Active Directory database. If you have three DCs, then replication will occur twice (from DC1 to DC2, then from DC2 to DC3) for each update on the Active Directory. The number of replications is simply the number of DCs minus one (as shown in Figure 7.14). Since hard drive storage is cheap and bandwidth has a lot of competition for its use by applications on the network, it is cheaper from a network traffic standpoint to maintain fewer DCs!
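The storage formula and the replication argument above can be combined to compare candidate DC layouts, using only the averages from Table 7.2. This is an added example, not code from the book: the function names, the layout names, and the batch of 50 new users and 400 attribute changes are constructed, and the split of the N-1 copies into intrasite and intersite hops is an assumption stated in the code.

```python
# Per-object averages from Table 7.2 (bytes).
STORE = {"security": 3600, "nonsecurity": 1100}
WIRE = {"intrasite": {"user": 13_000, "attr": 4_500},
        "intersite": {"user": 11_000, "attr": 4_000}}

def ad_storage_bytes(security, nonsecurity, growth=2.0):
    """Page formula: object bytes, then the 200% growth multiplier."""
    base = security * STORE["security"] + nonsecurity * STORE["nonsecurity"]
    return base, int(base * growth)

def replication_bytes(new_users, attr_changes, dcs_per_site):
    """Wire cost of a batch of changes for one domain.

    A change is copied N-1 times among N DCs (the page's model).
    Assumption added here: hops inside a site use the intrasite averages,
    one intersite hop links each additional site, and every listed site
    holds at least one DC.
    """
    hops = {"intrasite": sum(n - 1 for n in dcs_per_site),
            "intersite": len(dcs_per_site) - 1}
    return {scope: count * (new_users * WIRE[scope]["user"]
                            + attr_changes * WIRE[scope]["attr"])
            for scope, count in hops.items()}

def compare_layouts(new_users, attr_changes, layouts):
    """Total wire bytes per candidate DC layout, cheapest first."""
    costs = {name: sum(replication_bytes(new_users, attr_changes, s).values())
             for name, s in layouts.items()}
    return sorted(costs.items(), key=lambda kv: kv[1])

if __name__ == "__main__":
    # The book's worked case: 200,000 users and 1000 organizational units.
    print(ad_storage_bytes(200_000, 1000))
    # Constructed daily batch: 50 new users, 400 attribute changes.
    layouts = {"2 DCs, 1 site": [2], "4 DCs, 2 sites": [2, 2],
               "6 DCs, 2 sites": [3, 3]}
    for name, cost in compare_layouts(50, 400, layouts):
        print(f"{name}: {cost:,} bytes on the wire")
```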

Figure 7.14 Active Directory replication between four DCs.

A DC’s processor utilization increases as the number of users increases in a domain. Several factors contribute to this phenomenon. The main issue is not replication or storage, but happens to be the number of users that log on simultaneously or query the network for resources at the same time. The differences in processor types that are supported by Windows 2000 are widely varied. Not only are the manufacturers and processor models variables, but the speed of the processor (MHz) and the supported bus speed of the motherboard (also in MHz, but different from the processor speed) are also variables—and these can make all the difference in how your processor performs. You will need to test your processor in a lab environment to determine its maximum simultaneous processing capabilities. You can test these capabilities using Performance monitor and simulation

[Figure 7.14 labels: s4.root.com, s2.sub.tree.com, s3.tree.com. A full ring for replication traffic is achieved with 3 paths between the 4 DCs.]