Had an e-mail thread with Joe recently, which also resulted in this blog entry. He’s a consultant for another big tech company, and was working with a customer that was migrating a lot of non-domain-joined machines to AD as well as deploying other AD-aware applications. The net result, though, is that he was in the unenviable position of having no performance baseline to go off of, and a bunch of customers asking how many 64-bit domain controllers they needed to buy. And therein lies the problem: there just aren’t that many 64-bit DCs deployed out there (yet), so if you’re starting from scratch, where do you start?
Well, to make a long story short (too late), a few e-mails back and forth later I fired off some of the stats that we use internally here at Microsoft. In the spirit of copy/paste, here’s the mail I sent (slightly edited to protect the innocent). If you don’t have anything else to go on, or just want some general reference numbers, then you can use this.
REMEMBER – “IT DEPENDS” and “YOUR MILEAGE WILL VARY”
From: Brian Puhl [mailto:Brian.Puhl@microsoft.com]
Sent: Wednesday, September 06, 2006 6:11 PM
Subject: RE: Ping…
Well, like you said, “it depends” and “your mileage WILL vary.”
It’s tough, because we don’t plan based on numbers of users, workstations, or anything like that… We base capacity on performance trends, which I realize is ultimately where you’re trying to get <customer> to… So instead, here are some details from our Redmond domain. These are live numbers, which you can use to approximate. Remember that MS is probably a higher utilization environment than <customer>, so you can use these to build a deployment plan with the expectation that you could end up slightly over capacity.
99%+ of the users are in a single AD site, so assume that this is all for a single site.
49K user accounts (includes service accounts, etc…)
160K computer accounts
17 DCs for authentication load, apps – everything but Exchange
5 DCs in a separate dedicated Exchange site, shielded from auth load
Typical auth DC spec
4 x 2.2GHz AMD64
16GB RAM (12 GB dit file)
2 or 4 spindles (0+1) for OS and logs
6 spindles (0+1) for dit, backup, and sysvol
Typical load profile (randomly picked a DC and pulled open perfmon while I’m typing this mail) – see note below
Ave CPU – 55%
Ave Disk Queue – 0.1
Server Sessions – 585
NTLM Auths – 215
Kerb Auths – 92
DS Client Binds/Sec – 44
Gigabit NIC card
NIC Output Queue – 0
Major thing to note about the perf data – we’ve got 3 DCs offline at the moment due to dogfooding, so this perf load would be with 14 DCs online. Our target utilization is 20-40% sustained peak CPU.
Also, based on our experience, we’re rarely NIC bound. When we see overloaded DCs, they typically tend to be disk bound or processor bound. Even when we had x86 with 4GB of RAM, the memory pressure just translated into disk queues, so when you’re spec’ing out your servers I would be least concerned about the connectivity. You probably also noticed in the whitepaper that x64 doesn’t give you a whole lot of benefit in a pure auth environment. These operations tend to be disk bound even in a 64-bit OS.
I think you’re hoping for a “5000-10000 user” type answer, but even if I gave you a completely wild guess, it would probably do more harm than good in your conversations with the customer.
Does this give you a better idea? Are there other details that would help you make a better guess?
The whitepaper that I referred to is the Active Directory 64-bit Performance Comparison paper, located here.
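If you want to pull the same load profile from your own DCs instead of eyeballing perfmon, here is an added example (my own script, not something from the mail or the whitepaper) that samples the counters behind the numbers above and checks the sustained CPU average against the 20-40% target band from the mail. The counter paths are the standard Windows Server / NTDS perfmon objects; the DC names, the one-minute sampling window and the thresholds are assumptions you should change for your environment.

```powershell
# Added example, not from the original post: sample the perfmon counters the
# mail lists from one or more DCs and compare sustained CPU against the 20-40%
# target band. Counter names are standard Windows objects; the DC list,
# sampling window and thresholds are assumptions for your environment.
param(
    [string[]]$DomainController = @($env:COMPUTERNAME),  # assumption: DCs to sample
    [int]$SampleInterval = 5,                             # seconds between samples
    [int]$MaxSamples = 12,                                # 12 x 5 s = one minute of data
    [int]$TargetCpuLow = 20,                              # floor of the 20-40% band
    [int]$TargetCpuHigh = 40                              # ceiling of the 20-40% band
)

# The counters behind the mail's load profile: CPU, disk queue, server
# sessions, NTLM and Kerberos auths, DS client binds and NIC output queue.
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Server\Server Sessions',
    '\NTDS\NTLM Authentications',
    '\NTDS\Kerberos Authentications',
    '\NTDS\DS Client Binds/sec',
    '\Network Interface(*)\Output Queue Length'
)

foreach ($dc in $DomainController) {
    $samples = Get-Counter -ComputerName $dc -Counter $counters `
        -SampleInterval $SampleInterval -MaxSamples $MaxSamples -ErrorAction Stop

    # Flatten every sample set, then compute average and peak per counter path.
    $stats = $samples.CounterSamples |
        Group-Object -Property Path |
        ForEach-Object {
            $values = $_.Group | Select-Object -ExpandProperty CookedValue
            [pscustomobject]@{
                DC      = $dc
                Counter = ($_.Name -replace '^\\\\[^\\]+', '')   # strip the \\host prefix
                Average = [math]::Round(($values | Measure-Object -Average).Average, 2)
                Peak    = [math]::Round(($values | Measure-Object -Maximum).Maximum, 2)
            }
        }

    $stats | Format-Table -AutoSize

    # The mail's rule of thumb: 20-40% sustained peak CPU. Flag DCs outside the
    # band, and report disk queue alongside it, since overloaded DCs are usually
    # disk bound or processor bound rather than NIC bound.
    $cpu  = $stats | Where-Object Counter -like '*% Processor Time'
    $disk = $stats | Where-Object Counter -like '*Avg. Disk Queue Length'
    if ($cpu.Average -gt $TargetCpuHigh) {
        Write-Warning ("{0}: average CPU {1}% exceeds the {2}% ceiling; avg disk queue {3}" -f `
            $dc, $cpu.Average, $TargetCpuHigh, $disk.Average)
    } elseif ($cpu.Average -lt $TargetCpuLow) {
        Write-Output ("{0}: average CPU {1}% is below the {2}% floor (headroom, or more DCs than needed)" -f `
            $dc, $cpu.Average, $TargetCpuLow)
    } else {
        Write-Output ("{0}: average CPU {1}% is inside the {2}-{3}% target band; avg disk queue {4}" -f `
            $dc, $cpu.Average, $TargetCpuLow, $TargetCpuHigh, $disk.Average)
    }
}
```

Run it from a machine with RPC/perfmon access to the DCs (for example `.\Get-DcLoad.ps1 -DomainController dc01,dc02 -MaxSamples 120`) during your busiest hour, not at a random moment, and keep the per-counter output over weeks; the mail’s point is that capacity planning should come from those trends rather than from a user-count rule of thumb. Remember that the mail’s numbers were taken with 3 of 17 DCs offline, so any comparison against them should be made on a per-DC basis with the real number of DCs online.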