Scaling Active Directory
Toronto school board is pushing Microsoft's directory to accommodate 350,000 users.
The Toronto District School Board (TDSB) likely won't generate interest from large companies over how it makes the Reader Rabbit educational application available on its network, but the board is certain to draw stares over how it has come within a hare's breath of supporting 350,000 users in its Windows 2000-based directory.
The TDSB directory already holds 330,000 unique accounts, although only slightly more than 4,000 are active for authenticating to the network and locating services such as file and print, and Internet access. The TDSB also has set up one Windows NT 4.0 resource domain, which houses applications and e-mail not yet ported to Win 2000. This resource domain, integrated with Active Directory because the directory recognizes the domain within its tree structure, will define the TDSB network until the user migration to Win 2000 is completed in 18 to 24 months. "From a directory scalability point of view, so far we have not encountered any problems," says Jey Jeyarajan, senior manager of technical services for the TDSB. "We know from our tests that Active Directory will hold up, and that's why we implemented it so quickly. We have 4,000 users right now and it's a snap."
Why so big?
The TDSB is a consolidation of eight boards that once governed all Toronto schools. The TDSB, which has a $2 billion annual budget, needs its directory to scale to handle its ongoing merger.
At the start of the directory project, Jeyarajan and the TDSB IT staff of eight immediately began addressing how they would consolidate eight networks - six based on NT, one an NT-Novell NetWare hybrid and one a pure NetWare.
They decided to build a network-centric model, aggregating everything into one location and delivering services through the net. With help from Dell Technology Consulting, the board first decided to build an NT 4.0 network. But after further investigation, the TDSB discovered NT 4.0 couldn't meet its needs.
"We wanted to leave some of the administrative functions with the teachers, such as changing passwords and adding and deleting users, without the complexity of giving them full administrative rights," Jeyarajan says. "We also wanted a hierarchical view of network security."
Dell consultants then proposed using Win 2000 and Active Directory. With some initial reluctance to adopt an unproven technology, the TDSB agreed.
The board's design centralized Active Directory into a single metropolitan data center built on top of powerful servers and connected to users through an existing high-bandwidth fiber network. The network-centric design obviated the need to replicate the directory outside the data center.
The directory is constructed on three servers - Dell 6350 machines with four-way processors, 1G byte of RAM and three hard drives of 18G bytes each. The three servers, which serve as a single logical directory, are linked through a Cisco 6509 switch on a Gigabit Ethernet backbone with a 100M-byte back-up link.
"Each server has three partitions - the operating system, the Active Directory database and the log," says Ray Weinstein, a senior consultant for Dell Technology Services. "With those three things separated, we see a threefold boost in performance in Active Directory."
The three physical boxes ensure that the TDSB will have at least two servers always running. In case of catastrophe, the directory data is backed up to tape.
The TDSB has extensively tested the capacity of Active Directory running on this particular server configuration, including successfully executing 11,000 batch logons per second and 12,000 interactive logons per second per domain controller.
"We are reasonably comfortable we can handle the loads. Some of the CPU cycles are less than 10% [of capacity] on the three servers," Jeyarajan says. And the administrative load is also light, as the TDSB needs only two directory administrators.
After centrally deploying Active Directory, the other key was the high-speed net. The board took advantage of a fiber-based net under construction to deliver multimedia, e-learning and a virtual school environment.
Each school is wired with 10M-byte switched Ethernet to the desktop and a 100M-byte switched Ethernet backbone. Each school's backbone has a 100M-byte connection to a midlevel central office. The TDSB has 28 midlevel central offices, which aggregate connections from an average of 20 to 30 schools each. Each of the 28 central offices has a 100M-byte route switched module that produces an OC-3 ATM interface and routes traffic over a SONET ring to a top-level central office, which is an aggregation point for the 28 offices.
The board is currently adding another top-level central office to provide fault tolerance. The top-level central office is connected to the board's Active Directory data center over an OC-3 link, which will eventually be converted to a Gigabit Ethernet pipe.
But with so much traffic feeding into the data center, the TDSB plans to deploy technology behind Active Directory that will let the directory off-load work and improve performance.
"We are thinking of using our storage-area network [SAN] fabric so we can download some things to the storage area so the intelligence will not be handled at the operating system level but by the storage area fabric," Jeyarajan says. The SAN holds 22 terabytes of data.
If you build it . . .
The TDSB knew the hardware and the network were good starts, but the board needed a directory design to match the goals that led it to deploy the directory - centralized network services and fine-tuned delegation of administrative responsibility.
To do that, the design has all users log on through the directory to locate services such as file and print, Internet and intranet access, e-mail, databases and more than 2,000 applications, including educational software such as The Learning Center's Reader Rabbit. The directory also provides the ability to restrict teachers to only the few administrative rights they need for locally managing students and print queues.
The directory is built as a single forest with a single domain. It is three levels deep, with 12 organizational units one level below the top-level root domain. The organizational units include administrative, group and school units. On the third level, there are 610 organizational units, including one for each school and one for staff.
The TDSB has created a flat directory, as opposed to a hierarchical structure, because Dell's best-practice model shows it provides flexibility, easier management and less complexity. The TDSB will eventually add complexity by moving to a seven-layer hierarchical structure within the organizational units, which will allow for more efficient administration.
"The hierarchy will allow us to break the schools down by grade and assign teachers or break them down by departments and assign grade levels," Jeyarajan says.
Jeyarajan is confident his massively scaled Active Directory will hold up, but he's been around enough network projects to demand absolute proof. In the end, however, he doesn't doubt Active Directory will be the core of a centralized network that roughly 330,000 users will pass through to get their network services and hopefully, for some of those users, a high-performance springboard into Reader Rabbit.
Contact Senior Editor John Fontana
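The delegation model the article describes, in which teachers can reset passwords and add or delete student accounts in their own school's organizational unit without being given full administrative rights, comes down to a small set of access-control entries on that OU. The PowerShell below is an added example, not the TDSB's or Dell's own script; it uses the modern ActiveDirectory module rather than Windows 2000-era tooling, and the domain name, OU names and group name are placeholders chosen for illustration.

```powershell
# Added illustration: grant one school's teachers group only "Reset Password" plus
# create/delete of user objects in that school's OU. Domain, OU and group names are
# hypothetical placeholders, not the TDSB's real values.
Import-Module ActiveDirectory

$domainDn  = "DC=tdsb,DC=example"            # placeholder domain
$schoolsOu = "OU=Schools,$domainDn"          # second-level OU holding all schools
$schoolOu  = "OU=School-0001,$schoolsOu"     # third-level OU, one per school
$teachers  = "Teachers-School-0001"          # placeholder group for this school's staff

# Well-known schema and extended-right GUIDs referenced by the ACEs
$userClass = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # "user" object class
$resetPwd  = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # "Reset Password" right

# Create the OUs if they are missing so the script is safe to re-run
foreach ($dn in @($schoolsOu, $schoolOu)) {
    $name   = ($dn -split ",", 2)[0] -replace "^OU="
    $parent = ($dn -split ",", 2)[1]
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $name -Path $parent -ProtectedFromAccidentalDeletion $true
    }
}

$sid     = (Get-ADGroup -Identity $teachers).SID
$acl     = Get-Acl -Path "AD:\$schoolOu"
$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

# ACE 1: "Reset Password" on user objects beneath this OU only, never on the OU itself
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::ExtendedRight, $allow, $resetPwd, $inherit::Descendents, $userClass)))

# ACE 2: create and delete *user* objects in this OU and its children, nothing else
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($rights::CreateChild -bor $rights::DeleteChild), $allow, $userClass, $inherit::All)))

Set-Acl -Path "AD:\$schoolOu" -AclObject $acl

# Verify: the teachers group should now appear with exactly these two grants
(Get-Acl -Path "AD:\$schoolOu").Access |
    Where-Object { $_.IdentityReference -like "*\$teachers" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Because both entries inherit to every user object under the school OU, any account placed there can have its password reset by that group, so staff and privileged accounts belong elsewhere in the tree. Run it from an account that holds Full Control on the OU and confirm the final listing shows only the two intended rights.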