Indexing attributes is useful when you search for objects that have the attribute name in a filter. Indexing can reduce the number of objects that must be visited when you evaluate the filter. However, this reduces the performance of write operations because the index must be updated when the corresponding attribute is modified or added. It also increases the size of your directory database. You can use logging to find the expensive and inefficient queries, and then consider indexing some attributes that are used in the corresponding queries to improve the search performance. For more information about Active Directory event logging on servers, see Resources later in this guide.
Optimizing Trust Paths
Trusts are a way to enable users to authenticate across different forests or domains. If the trust path between the resource and the user is long, then the user might experience high latency because the authentication request must travel through the trust path and return. For example, if a user from the grandchild of a domain tries to sign in from a different grandchild domain in the same forest, the authentication request must travel trust path from the grandchild to the root domain and then take the path to the other grandchild domain.
To avoid this, you can create a shortcut trust directly between the two grandchild domains that avoids the long path. However, an administrator must manage trusts. Therefore, you must consider how frequently a given trust will be used before you create it. You can also create an external trust or a forest trust to reduce the trust path when authenticating between domains in different forests. For more information about how to create trusts, see Administering Domain and Forest Trusts.
Active Directory Performance Counters
You can use several resources to conduct a performance diagnosis for a domain controller that is not performing as expected.
You can use the following Reliability and Performance Monitor (Perfmon) counters to track and analyze a domain controller’s performance:
If you notice slow write or read operations, check the following disk I/O counters under the Physical Disk category to see if many queued disk operations exist:
Avg. Disk Queue Length
Avg. Disk Read Queue Length
Avg. Disk Write Queue Length
If lsass.exe uses excessive physical memory, check the following Database counters under the Database category to see how much memory is used to cache the database for Active Directory Domain Services. These counters are located under the lsass.exe instance, whereas for Active Directory Lightweight Directory Services they are located under the Directory instance:
Database Cache % Hit
Database Cache Size (MB)
If Isass.exe uses excessive CPU, check Directory Services\ATQ Outstanding Queued Requests on the Directory Services tab to see how many requests are queued at the domain controller. A high level of queuing indicates that requests are arriving at the domain controller faster than they can be processed. This can also lead to a high latency in responding to requests.
You can also use the Data Collector Sets tool to see the activity inside the domain controller. On a server that is running Active Directory Domain Services or Active Directory Lightweight Directory Services, you can find the collector template in Reliability and Performance Monitor under Reliability and Performance > Data Collector Sets > System > Active Directory Diagnostics. To start it, click the Play icon.
The Reliability and Performance Monitor tool collects data for five minutes and stores a report under Reliability and Performance > Reports > System > Active Directory Diagnostics. This report contains information about CPU usage by different processes, Lightweight Directory Access Protocol (LDAP) operations, Directory Services operations, Kerberos Key Distribution Center operations, NT LAN Manager (NTLM) authentications, Local Security Authority (LSA) and Security Account Manager (SAM) operations, and averages of all the important performance counters.
This report identifies the workload that is being placed on the domain controller, identifies the contribution of aspects of that workload to the overall CPU usage, and locates the source of that workload, such as an application that is sending a high rate of requests to the domain controller. The CPU section of the report indicates whether lsass.exe is the process that is taking the highest CPU percentage. If any other process is taking more CPU on a domain controller, you should investigate it.
This section discusses how to select Remote Desktop Session Host (RD Session Host) hardware, tune the host, and tune applications.
Selecting the Proper Hardware for Performance
For an RD Session Host deployment, the choice of hardware is governed by the application set and how the users exercise it. The key factors that affect the number of users and their experience are CPU, memory, disk, and graphics. Earlier in this guide, there was a discussion about server hardware guidelines. Those guidelines apply to Remote Desktop Services, and this section contains additional guidelines that are specific to RD Session Host servers, and this information is mostly related to the multiuser environment of RD Session Host servers.
CPU configuration is conceptually determined by multiplying the required CPU to support a session by the number of sessions that the system is expected to support, while maintaining a buffer zone to handle temporary spikes. Multiple logical processors can help reduce abnormal CPU congestion situations, which are usually caused by a few overactive threads that are contained by a similar number of logical processors.
Therefore, the more logical processors on a system, the lower the cushion margin that must be built in to the CPU usage estimate, which results in a larger percentage of active load per CPU. One important factor to remember is that doubling the number of CPUs does not double CPU capacity. For more considerations, see Choosing and Tuning Server Hardware earlier in this guide.
The 64-bit processor architecture provides a significantly higher kernel virtual address space, which makes it more suitable for systems that need large amounts of memory. Specifically, the x64 version of the 64-bit architecture is a good option for RD Session Host deployments because it provides small overhead when it runs 32-bit processes. The most significant performance drawback when you migrate to 64-bit architecture is significantly greater memory usage.
Memory configuration is dependent on the applications that users employ; however, the required amount of memory can be estimated by using the following formula:
TotalMem = OSMem SessionMem * NS
OSMem is how much memory the operating system requires to run (such as system binary images, data structures, and so on), SessionMem is how much memory processes running in one session require, and NS is the target number of active sessions. The amount of required memory for a session is mostly determined by the private memory reference set for applications and system processes that are running inside the session. Shared code or data pages have little effect because only one copy is present on the system.
One interesting observation (assuming the disk system that is backing up the page file does not change) is that the larger the number of concurrent active sessions the system plans to support, the bigger the per-session memory allocation must be. If the amount of memory that is allocated per session is not increased, the number of page faults that active sessions generate increases with the number of sessions, and these faults eventually overwhelm the I/O subsystem. By increasing the amount of memory that is allocated per session, the probability of incurring page faults decreases, which helps reduce the overall rate of page faults.
Storage is one of the most overlooked aspects when you configure an RD Session Host system, and it can be the most common limitation in systems that are deployed in the field.
The disk activity that is generated in a typical RD Session Host system affects the following areas:
System files and application binaries
User profiles and user data
Ideally, these areas should be backed up by distinct storage devices. Using striped RAID configurations or other types of high-performance storage further improves performance. We highly recommend that you use storage adapters with battery-backed write caching. Controllers with disk write caching offer improved support for synchronous write operations. Because all users have a separate hive, synchronous write operations are significantly more common on an RD Session Host system. Registry hives are periodically saved to disk by using synchronous write operations. To enable these optimizations, from the Disk Management console, open the Properties dialog box for the destination disk and, on the Policies tab, select the Enable write caching on the disk and Enable advanced performance check boxes.
For more specific storage tunings, see the guidelines in Performance Tuning for the Storage Subsystem earlier in this guide.
Network usage includes two main categories:
RD Session Host connections traffic in which usage is determined almost exclusively by the drawing patterns that are exhibited by the applications running inside the sessions and the redirected devices I/O traffic.
For example, applications handling text processing and data input consume bandwidth of approximately 10 to 100 kilobits per second, whereas rich graphics and video playback cause significant increases in bandwidth usage.
Back-end connections such as roaming profiles, application access to file shares, database servers, e-mail servers, and HTTP servers.
The volume and profile of network traffic is specific to each deployment.