Active Directory Stress Testing

As part of an upcoming virtualization project, we wanted to be able to determine how much memory we should allocate to our domain controllers if we will be running them in a virtual environment. To determine the requirements I wanted to stress test the domain controllers to see how they would perform with 2 GB of memory, 1 GB of memory and 512 MB of memory.

My first thoughts on this were to create a really intensive LDAP query and have it run from several systems in the environment. Luckily during my searches for how to do this type of a query I ran across the Active Directory Performance Testing Tool (adtest). Adtest is available for download at

http://www.microsoft.com/downloads/details.aspx?FamilyID=4814fe3f-92ce-4871-b8a4-99f98b3f4338&displaylang=en. This installs by default into \Program Files\Windows Resource Kits\Tools\ (in my case on a Vista 64 bit it’s in the x86 program files folder).

To test with this we built out a virtual environment. The domain controller (Windows 2003) was installed on a VMWare server, and the four client operating systems were installed in Virtual PC. To create this environment we took the following steps:

·       Within a Virtual environment, installed a domain controller in a test domain.

·       Within the Virtual environment (on a different Host system), installed four workstations and added the workstations to the domain.

·       Installed Adtest on the server and the workstations.

·       Performed the configurations identified in the document on the server (don’t skip this step/the documentation is long but very relevant for this).

Once the domain controller and the four client operating systems were installed and configured, the following steps were done to create the OU’s, Users, Groups, and to set passwords. (References to (pw) in the examples below should be replaced with the actual password)

·       Create OUs: On the server ran: adtest –r newroot –root 0 –t 20 –sf 0 –o newroot.log –user administrator –password (pw)

·       Create Users: On the server ran: adtest –r user –root 0 –t 20 –sf –o user.log –user administrator –password (pw)

·       The create users script generated 100,000 users with 5,000 of them per each of the 20 OUs created.

·       I had to increase the RID pool/it kept failing when adding users – see http://forums.techarena.in/showthread.php?t=21859 for details, but I had to comment out the “ATTR unicodePwd:$PassWord”  to get the user creation to work.

·       Set Passwords: To set passwords: adtest –r initpwd –root 0 –t 20 –sf –o user.log  –user administrator –password (pw)

·       Create Global Groups: To create global groups: adtest –r addacc –root 0  –t 20 –sf –o ggroups.log –user administrator –password (pw)

·       Add Users to Groups: To add users to global groups: adtest –r memacc –set GROUP=0 –root 0 –t 20 –sf –o user2groups.log –user administrator –password (pw)

Finally, the tests which were run on the client included the following:

·       On each client ran:  adtest –r L1 –V5  –user administrator –password (pw)

·       On each client ran:  adtest –r L1 –t20  –user administrator –password (pw)

·       On each client ran:  adtest –run inter –f adtest.ats –root 0 –t 20 –m –bt  –user administrator –password (pw) > logfile.txt

These tests were run on all four clients at the same time versus the domain controller which was initially installed with 2GB of memory.  The same test was run with 1GB of memory, and then with 512MB of memory. The log files contain a loop, failed, kernel mode time, user mode time, and op/sec fields. There is a file called adtest.mht which is part of the download and includes the syntax to use the tool as well as the explanation of the output file from ADTest.

The log files from each test were collected, and added to Excel as csv files. Then the results from the four clients were summarized when the domain controller was running at 2GB, 1GB and 512MB. My expectation was that we would have better overall performance of the stress test when the DC was running more memory. During the tests we validated that the client systems were not bottlenecked/were performing as expected. Tests also validated that we were not bottlenecking on the domain controller.

The results were not at all what I had expected. There was no noticeable change in the number of op/sec that could be accomplished on the four workstations during the stress testing period. While the memory utilization on the domain controller was just slightly above the 512MB of memory available for the system, there was no noticeable difference in performance (op/sec) between the same domain controller running with .5GB, 1GB and 2 GB of memory.

Testing Environment Summary: Windows 2003 domain controller running as a virtual within a VMWare Host system. Windows XP clients running in Virtual PC to stress test the domain controller. Stress testing was done using ADTest with the commands listed above and using 100,000 ADTest created users.

Summary: There was no noticeable statistical difference in performance found when stress testing a Windows 2003 domain controller with .5GB, 1 GB and 2 GB of memory. At least when running domain controllers in a virtual we will not be adding more memory in an attempt to increase domain controller performance.