Active Directory and VAS

The problem first presented itself as latency in responses from the domain controllers (DCs) to the Exchange servers and Outlook clients, resulting in slow responses in the Outlook client, delays in receiving new e-mail messages, etc.  Upon closer inspection, we determined that the problem was excessive CPU utilization on the DCs.  As we examined the DCs more closely, we then determined that traffic from the customer’s UNIX servers was driving up the CPU usage on the DCs.

After a great deal of troubleshooting and a lengthy call to Quest Technical Support, it was determined that the key problem was the duration of the LDAP queries that were being performed—some taking up to 3 or 4 seconds for a single query.  The underlying cause of this delay was thought to be the Active Directory attribute selected as the user login attribute.  In this case, the customer had selected UID (an attribute added by the VAS schema extension) as the user login attribute.  Unfortunately, UID is an attribute that is not indexed in Active Directory, and it is believed that this is the key problem in the delays of the queries and the excessive CPU utilization caused by the queries.  The fix is simply to index this attribute, a change that can be made relatively easily via the Schema Management snap-in.

<aside>The default user login attribute for VAS is the user principal name (UPN), which is an indexed attribute.  If the VAS installation is going to use a non-indexed attribute as the user login attribute, however, you could see the same kinds of excessive delays and CPU usage.</aside>

Before the customer puts this change (indexing the UID attribute) into production, we’re going to test the change in a development environment and try to see if this addresses some of the symptoms.  Once the results of the testing are available, I’ll post an update here.

UPDATE:  Testing in the lab today with the customer showed a definite, marked, and quite noticeable improvement in query performance after indexing the UID attribute in Active Directory.  This improvement in performance was repeatable as well; when we removed the index for UID, the delays and increased CPU utilization returned immediately.  So, make sure the user logon attribute in your VAS deployments is indexed in Active Directory.
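The check described above (is the attribute VAS uses for user login actually indexed?) can be scripted instead of done by hand in the Schema Management snap-in. The following PowerShell is an added example, not part of the original post or of Quest's VAS product. It assumes the ActiveDirectory RSAT module is available, that the account running it can read the schema, and, for the `-Enable` step, that it holds Schema Admins rights. The attribute name `uid` is the one discussed in the post; the login name `jdoe` used for the timing test is a constructed sample value.

```powershell
# Added example (not from the original post): report whether the attribute used as the
# VAS user login attribute is indexed in the AD schema, optionally set the index flag,
# and time a lookup by that attribute so the before/after difference can be measured.
[CmdletBinding()]
param(
    [string]$Attribute = 'uid',   # attribute from the post; pass another with -Attribute
    [switch]$Enable               # actually set the index flag (needs Schema Admins)
)

Import-Module ActiveDirectory

# searchFlags is a bit field on every attributeSchema object.
# Bit 0 (value 1, fATTINDEX) tells the DC to maintain an index on that attribute.
$fATTINDEX = 1

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
                     -LDAPFilter "(lDAPDisplayName=$Attribute)" `
                     -Properties lDAPDisplayName, searchFlags

if (-not $attr) {
    throw "Attribute '$Attribute' was not found in the schema at $schemaNC"
}

$flags     = [int]$attr.searchFlags          # unset searchFlags reads as 0
$isIndexed = ($flags -band $fATTINDEX) -ne 0
Write-Host ("{0}: searchFlags={1} indexed={2}" -f $attr.lDAPDisplayName, $flags, $isIndexed)

if ($Enable -and -not $isIndexed) {
    # Schema writes must go to the schema master; the change then replicates forest-wide
    # and each DC builds the index itself, so re-test only after replication has completed.
    $schemaMaster = (Get-ADForest).SchemaMaster
    Set-ADObject -Identity $attr.DistinguishedName `
                 -Server $schemaMaster `
                 -Replace @{ searchFlags = ($flags -bor $fATTINDEX) }
    Write-Host "Index flag set on '$Attribute' via $schemaMaster; wait for replication before re-testing."
}

# Time one single-attribute lookup of the kind VAS issues at logon.
# 'jdoe' is a constructed sample login name; substitute a real one from your directory.
$elapsed = Measure-Command { Get-ADUser -LDAPFilter "($Attribute=jdoe)" }
Write-Host ("Lookup by {0} took {1:N0} ms" -f $Attribute, $elapsed.TotalMilliseconds)
```

Run it once without `-Enable` to get a baseline timing and confirm the flag is clear, then with `-Enable` on a lab forest first, as the post does, since a schema change cannot be undone by deleting the object (clearing the bit again is the only way to remove the index). A lookup that drops from seconds to milliseconds after the flag is set is the same effect the post observed on the DCs' CPU.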


5 comments

Scott - out of curiosity, have you tried Centrify’s product, http://www.centrify.com, which is really a superset of what the VAS offers? Thanks, Jake

Jake,

No, I have not had the opportunity to use the Centrify products. My own personal opinion of the VAS product, thus far, is that they have (by and large) simply packaged existing open source solutions together with some handy command line tools. I could be way off there; I’ll certainly be the first to admit that. What’s your experience with the Centrify products?

Centrify is clearly not a packaging of open source solutions; it is in effect an “Active Directory client” for UNIX. Some of the things we like about it that I believe are unique to the Centrify solution are Mac support (including group policies for Mac), their Zoning technology that provides granular levels of access control, and it is much easier to license in terms of deploying license keys (centralized vs. on a machine-by-machine basis) and not having to pay for users — it licenses on a per system basis. thanks, jake

Thanks for the information, Jake. Pardon me for asking, but do you work for Centrify, or are you just a big fan of their products?

Yes, I know folks that work there and have become a fan. Cheerio and signing off… Jake