Recently did some digging for a customer and here are some of the questions and answers that I came up with, as well as info and articles to give more background.
Can we prove that setting the MaxConcurrentAPI to 10 is enough for long term performance? What can we monitor to insure we are not surprised or can be proactive in resolution?
I would take this as a 2 step approach, and the first is to figure what the theoretical value should be for each server and you can do this by following the steps in this article http://support.microsoft.com/kb/2688798, you will first have to gather the performance counter information and then calculate the optimal value for each server. Then using the performance counters Semaphore Holders and Semaphore Hold Time monitor them while the server is underload (Probably be best if you monitor them for a couple of days on regular basis). If they are blank then you have configured settings correctly, if they have a value to them then you need to troubleshoot Netlogon and review the Architecture/Servers
NOTE: If running Windows 2003 you need to first install this hotfix http://support.microsoft.com/kb/928576
What other servers should we add the MaxConcurrentAPI to?
Using the NetLogon Performance counters listed in this article http://support.microsoft.com/kb/2688798 review all SharePoint Servers and all Domain Controllers for domains that are used for authentication in SharePoint, any server where the counters Semaphore Holders and Semaphore Hold Time have a value greater than 0 you will want to find the optimal value using the same article and then set MaxConcurrentAPI
Should we bring the setting to the same across the board or can we have different settings on the servers?
No you should not set the same value to each server, this value should be optimized per server.
"One size does not fit all. The MaxConcurrentApi value may have to be a different value for each server. This situation can be caused by multiple application servers gaining authentication from a single domain controller or by similar scenarios in which multiple servers provide a larger volume of load with which the domain controller must deal. "
Please let me know if you have any questions or comments at anytime.
As well here is some good points that we may want to look at following up on from a PFE Chris Gideon (http://blogs.msdn.com/b/cgideon/), I would be happy to discuss any of these point at any time.
- Consider creating an Active Directory site just for the SharePoint boxes (if in the same forest) and add GC’s for each domain going against SharePoint.
- Make certain that the DC/GC’s are physically as close (high speed links) as possible to the SharePoint boxes.
- If possible make all DC’s GC’s if in Native Mode.
- Hard set NIC’s and Switches Speed and duplex settings to avoid loss of connecting during auto negotiate.
- Check with your switch vendor on the settings for spanning tree to avoid Secure Channel drops. Most vendors have an option to keep this from happening while still benefiting from Spanning Tree.
- Increase MaxConcurrentApi and profile DC/GC (for domains in play) with SPA to see if they can handle the load. Make certain to do this on the SharePoint servers and DC/GC for all domains in play.
- Monitor Secure Channels with NLTest.exe after patches that cause a reboot to ensure that secure channels don’t float to slow link DC/GCs.
- For extreme performance consider the use of x64 DC/GCs. See the impressive results here.
- If possible change to Kerberos authentication.
As well here is some general info that I found while doing my research
Specifies the maximum number of simultaneous, logon-related, application programming interface (API) calls that can be transmitted across a secure channel at any one time. API calls can be transmitted concurrently only on secure channels that are digitally signed or encrypted. The default value is optimal for most installations, but you can add this entry to the registry to increase its value. Increasing this value can improve efficiency. However, larger values can exhaust the resources of the domain controller communicating on the secure channel.
0 = One call at a time on member workstations and domain controllers, and two concurrent calls on member servers.
1 - 10 = Number of concurrent calls. This limit applies to workstations, domain controllers, and servers of Windows 2003 family.
1 – 150 = Number of concurrent calls. This limit applies to workstations, domain controllers, and servers of Windows 2008 family.