I previously mentioned that you should index the objectclass attribute if you haven’t done so.
My friend ~Eric called me out on it and said the logic given was poor.
He is correct; the logic I stated isn’t the greatest and could theoretically be used to justify indexing any attribute.
It is my bad; I tried to shoot off a quick post in response to emails I was receiving.
I should say that indexing objectclass is something that I have found to be of value for every AD I have looked at. These are usually large deployments running Exchange with apps that were likely ported from other directories, etc. Lots, I mean LOTS, of applications have very bad or inefficient queries, and indexing objectclass can often help these because objectclass is very often used for queries, and it is often indexed in other directories.
The “proper” way to determine if objectclass should be indexed would be to look at all of the queries hitting your DCs, or at least the DCs taking on a majority of the query load. This can be done with event tracing or by cranking up inefficient query logging. These aren’t things that most admins have any knowledge of, from my experience. Plus they aren’t the easiest to deal with. This means it isn’t likely to get done very often. Heck, people still aren’t using STATS for checking individual LDAP queries very often, and I have made that extremely easy to do in ADFIND (-stats, -stats+, -statsonly, -stats+only).
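As a rough sketch of that kind of analysis (an added example, not part of the original post and not ADFIND output): take the filters you captured, parse them, and count how many have no usable index today but would get one if objectclass were indexed. The filter list and the indexed-attribute set are constructed for illustration, and the AND/OR/NOT rules are a simplified model of index selection, not the DC's actual optimizer.

```python
from collections import Counter

def parse(f, i=0):
    """Parse one parenthesised LDAP filter; return (node, next_offset)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, _, value = f[i:end].partition("=")
    return ("item", attr.rstrip("<>~").lower(), value), end + 1

def indexable(node, indexed):
    """Simplified model (assumption): AND needs one indexed term, OR needs all."""
    if node[0] == "&":
        return any(indexable(k, indexed) for k in node[1])
    if node[0] == "|":
        return all(indexable(k, indexed) for k in node[1])
    if node[0] == "!":
        return False
    _, attr, value = node
    if ":" in attr:  # matching-rule (e.g. bitwise) terms: treated as unindexed
        return False
    # equality, presence and abc* count; leading or medial wildcards do not
    return attr in indexed and "*" not in value.rstrip("*")

def classify(filter_text, indexed):
    """Return 'indexed-now', 'helped-by-objectclass' or 'unindexed'."""
    text = filter_text.strip()
    tree, end = parse(text)
    if end != len(text):
        raise ValueError("trailing data after filter")
    if indexable(tree, indexed):
        return "indexed-now"
    if indexable(tree, indexed | {"objectclass"}):
        return "helped-by-objectclass"
    return "unindexed"

# Constructed inputs: read the real indexed set from your own schema.
INDEXED_NOW = frozenset({"objectcategory", "samaccountname"})
SAMPLE_FILTERS = ["(objectClass=user)", "(&(objectCategory=person)(objectClass=user))",
    "(&(objectClass=user)(description=*admin*))", "(|(objectClass=group)(sAMAccountName=svc*))",
    "(&(!(objectClass=computer))(mail=*))", "(userAccountControl:1.2.840.113556.1.4.803:=2)"]

def summarize(filters=SAMPLE_FILTERS, indexed=INDEXED_NOW):
    return Counter(classify(f, indexed) for f in filters)
```

A large "helped-by-objectclass" share across your real query load is the evidence for adding the index; a large "unindexed" share means the queries themselves need fixing.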
Barring specific knowledge of the specific directory in front of you pointing to the contrary I would say that it is extremely likely that indexing objectclass will be beneficial to you. This is entirely my opinion based on my experience with various AD Deployments. Please do not take the “just do it” mentality as a reason to index everything, you will probably break something.
I would wonder if the MS AD has objectclass indexed. I once saw a note written by Don Hacherl, who is one of the best AD resources anywhere, that objectclass probably should have been indexed when W2K was released. Additionally, objectclass may or may not be indexed in the next rev of the Server OS.
On top of that, even MS can give out bad information in terms of building queries against Active Directory by suggesting that you use inefficient queries. If you google the support.microsoft.com site for objectclass you will almost certainly find multiple documents that recommend a query that is a subtree query and doesn’t specify any indexed attributes (or specifies them by accident), all of which could quickly be fixed by indexing objectclass. These articles are the examples people use for writing their own scripts and programs, so take whatever you see on the MS site and figure those are the most common ways being followed by third parties. My debugging of many third party apps lends great credibility to that idea. I am NOT surprised when I break apart an app with network tracing or whatever and see bad queries; it is very normal, even from companies you would expect to know better, including Microsoft themselves. Most of those queries are tested in small environments where they work great and then thrown onto the unsuspecting masses. It is even worse if MS doesn’t have examples; then people go off and do whatever they can figure out that will work.
So I repeat, index objectclass. Just do it. 🙂
I would agree that we should have more seriously entertained doing this out of the box. The goal of the out of the box set of indexes should be to service the typical AD workload well. In this way, indexing objectClass likely fits the mold. This is being at least entertained for LH, I don’t know if we have closed on this point yet.
That said, it does not change the analysis I would recommend. The problem with such recommendations is that at some point, you are indexing the world. If you want to tweak indexes, I still recommend doing the analysis before pulling the trigger. You can have too much of a good thing. 🙂
I completely agree.