7

I'm implementing a tool which secures certain shared resources within AD forest (mostly file shares). By some criteria a list of users from different domains is generated, those users are added to a universal group (because I need to gather users from different domains in a single group) and then that universal group is added to a shared resource ACL.

The forest has roughly 10 000 users, I think my universal groups will end up having up to 2000 users in each. And there might be up to several thousand those groups.

Everything looks good and works in test environment.

The problem is that there is an MS article on groups best practices: http://technet.microsoft.com/en-us/library/cc787646(v=ws.10).aspx

Almost the same is written here: http://ss64.com/nt/syntax-groups.html

In "Best practices for controlling access to shared resources across domains" section it reads that I should create domain local groups and nest global/universal groups in it. I understand that there is an administrative benefit in it, easier management, visibility, etc

But I'm doing everything automated and my tool will watch for the right security by itself.

Some our IT consultants try to persuade me that not following that best practice may also result in poor performance.

So basically the question is: Can there be a performance (it means time required to logon, to secure a directory, etc) impact if I add universal groups directly on the shared resource instead of nesting universal group in a domain local group?

Thanks in advance.

UPDATE:

There is also one restriction regarding nesting groups. (http://support.microsoft.com/kb/328889) There is a limit of 1015 user's groups. So In case of nesting universal groups into domain local groups I get ~ 500 limit, which seems like a painful restriction.

UPDATE2: Regarding my forest topology. I have 6 domains, grouped into 2 trees. (Tree consists of a root domain, and two child domains)

Aides
  • 171
  • 1
  • 4

2 Answers2

8

Here is Microsoft's statement regarding Universal Groups. Especially the bolded part pertains to you:

Universal groups can be used anywhere in the same Windows forest. They are only available in a Native-mode enterprise. Universal groups may be an easier approach for some administrators because there are no intrinsic limitations on their use. Users can be directly assigned to Universal groups, they can be nested, and they can be used directly with access-control lists to denote access permissions in any domain in the enterprise.

Universal groups are stored in the global catalog (GC); this means that all changes made to these groups engender replication to all global catalog servers in the entire enterprise. Changes to universal groups must therefore be made only after a careful examination of the benefits of universal groups as compared to the cost of the increased global catalog replication load. If an organization has but a single, well-connected LAN, no performance degradation should be experienced, while widely dispersed sites might experience a significant impact. Typically, organizations using WANs should use Universal groups only for relatively static groups in which memberships change rarely.

The performance impact should be rather minimal in a well-connected environment where everyone has access to global catalogs.

The performance impact will be increased time to log in and increased time to evaluate ACLs on resources if a global catalog cannot be reached, or if your Sites & Subnets are misconfigured so that you find yourself communicating with global catalog servers outside of your own site. Also, there will be increased global catalog replication load.

However, I'm obliged to once again inform you that what you're doing is against commonly-accepted best practices.

This part of what you said: "... and my tool will watch for the right security by itself." That also scares me.

So I'm on the side of your IT consultants and I think they are doing their jobs by trying to persuade you to follow commonly-accepted best practices in terms of AD design.

But there's the answer to your question regardless.

Ryan Ries
  • 55,481
  • 10
  • 142
  • 199
  • Thanks for your answer! I agree regarding replication traffic and I guess this is a price of having the ability to store users from different domains in a _single_ group. And I think nesting universal group inside a domain local won't save me from increased replication traffic. Could you please clarify if I am missing something? – Aides Sep 13 '13 at 14:07
  • Your plan will work. Just remember that global catalogs are extremely important to you. Another quote from Microsoft: *"In a multidomain forest, when a user logs on to a domain, a global catalog server must be contacted to determine the universal group memberships of the user."* We know nothing of the rest of your AD topology, but I hope all your DCs are GCs and that all your clients are well-connected to those DCs. Or else yes you will experience slow logons and resource access. – Ryan Ries Sep 13 '13 at 14:18
  • I have 6 domains (grouped into two trees within a forest), all have at least one DC with GC. I will make an update in the question. I will vote your answer up, as it made me rethink what I am doing, and it seems that I'm still on the right way. Though still I really need justifications for nesting Universal Group into Domain groups, as I really could not find any so far. – Aides Sep 13 '13 at 14:26
  • The benefit you get in nesting groups is that every change you make to the domain local group doesn't cause the ripple of GC replication that making changes directly to universal groups does. – Ryan Ries Sep 13 '13 at 14:41
2

Going way back, one potential performance scenario was the group membership replication used to be much worse prior to Windows Server 2003, and can still perform poorly with old groups with legacy members created before Windows Server 2003.

Prior to Windows Server 2003, anytime a Global/Universal group membership was changed, the entire group member attribute was replicated. This had serious replication performance implications in large, distributed directories, particularly with Universal groups with many members. Therefore, in large, multi-domain directories, it was common practice to have Global security groups in each domain added to a Universal group. This had the effect of partitioning the membership replication to within the domain itself.

Windows Server 2003 introduced Linked Value Replication (LVR). That fixed a lot of those issues for newly-created groups, and groups whose legacy members were converted, because only the individual "linked values" (members) are replicated when a change (add/remove member) occurs.

Another potential issue was the total number of members. If you have more users that you have, say 50,000, and 40,000 need to be in a security group, it was common practice to limit the number of members per group to less than 5,000, due to that is the maximum number of items that can be safely committed in a single, atomic, Active Directory transaction. However, with an LVR group, updates to a group with large memberships no longer require sending the entire membership, so that typically is no longer an issue, as long as you don't yourself perform that many updates (adds/removes) in a single transaction.

That being said, it is still a good practice for large groups in multi-domain forests to have domain-specific security groups that are added as members to a single Universal security group, which resides typically in a resource domain. Whether you use that Universal group to ACL a resource, or add the Universal Group to a Domain Local group is up to you. In practice, I haven't seen that many issues with using Universal Groups, performance or otherwise. Note that access to a Global Catalog should rarely be an issue, as Microsoft has long recommended that all domain controllers be Global Catalogs. It's not uncommon to find large directories created before Domain Local groups were around that haven't converted any of their groups or their strategy to use Domain Local groups.

Some reasons Domain Local groups are recommended by Microsoft because they provide the greatest flexibility in the types of members that can be added to the group, and level of discretionary control for the Domain Admins. It also provides a means to minimize group membership replication:

Global catalog replication
http://technet.microsoft.com/en-us/library/cc759007%28v=ws.10%29.aspx

"Groups with universal scope, and their members, are listed exclusively in the global catalog. Groups with global or domain local scope are also listed in the global catalog, but their members are not. This reduces the size of the global catalog and the replication traffic associated with keeping the global catalog up to date. You can improve network performance by using groups with global or domain local scope for directory objects that will change frequently."

You should also never use Domain Local groups to ACL objects in Active Directory:

"When a user connects to a global catalog and tries to access an object, an access check is performed based on the user's token and the object's DACL. Any permissions specified in the object's DACL for domain local groups that are not from the domain that the domain controller hosting the global catalog (to which the user has connected) belongs to, will be ineffective because only domain local groups from the global catalog's domain of which the user is a member are represented in the user's access token. As a result, a user may be denied access when access should have been granted, or allowed access when access should have been denied.

"As a best practice, you should avoid using domain local groups when assigning permissions on Active Directory objects, or be aware of the implications if you do use them."

Greg Askew
  • 35,880
  • 5
  • 54
  • 82