wepct
Level 7
Message 1 of 12

To index or not?

Comments on this forum and guidance in the Knowledgebase suggest that name indexing will boost performance considerably. We have around 12000 users in the object directory - should we turn on name indexing?

What kind of performance improvement could we expect, all things being equal?

Also, what are the disadvantages of indexing?
11 Replies
DLarson
Level 12
Message 2 of 12

RE: To index or not?

Generally, it is a good practice to index databases over 10,000 users/nodes. However, you should see the big picture too. Is your database on direct-attached storage, how fast are the disks? Do you have overlapping database tasks like reports and backups running at the same time? Did you exclude your database directory from virus scanning? Did you make the recommended OS tweaks? Do you clear your user and machine audits on a schedule? If not, take a look at the attached best practices guide.

There are lots of ways you can increase performance; database indexing is just one of the options. Also, if you're trying to speed up the "search" functionality, database indexing will have no impact. The search does not make use of the index.

The only risk of indexing is that it is another thing that could become corrupted, so you have to be sure to clear/purge the index on a regular basis (preferably daily).

RE: To index or not?

We only have 1500 users and 400 some devices currently but enabling database indexing made a huge difference in performance for our LDAP connector. Connector execution went from 20-30 minutes to 2 minutes.
wepct
Level 7
Message 4 of 12

RE: To index or not?

The storage is directly attached SCSI disks in a RAID array. I have seen the attached guide and am checking through the items in the list to ensure that they are correctly configured, but my reading of the comments on this forum was that indexing would make a substantial difference, other things being equal. In fact, the guide says that "name indexing should be enabled on all databases especially those with over 1000 endpoints or users" so my view is that this should have been done from day 1.

Apart from the risk of corruption and the need to schedule a daily purge, are there any other disadvantages of indexing? And are there any guidelines as to how long a purge will take?

Also, if we ever need to drop and rebuild the index, is there a tool to do that? I'm browsing through the documents and haven't found one yet. What do you do if the index becomes corrupt?

Interesting comment about the LDAP Connector - the original performance issues were noted with the AD Connector.
SafeBoot
Reliable Contributor
Message 5 of 12

RE: To index or not?

There's a script (toastcache) which will force an index rebuild, but it will rebuild periodically of its own volition - you get to set how long it lives for, but not when it rebuilds (hence the toast script).

The reason indexing speeds up the connectors is quite simple - duplicate checks don't have to trawl the db anymore, they can be performed on the (much!) smaller index.
mwilke
Level 7
Message 6 of 12

RE: To index or not?

If anyone needs toastcache.bat file let me know... I'll email it to you.

I would recommend this for ANY database regardless of size.
mrgui
Level 7
Message 7 of 12

RE: To index or not?

We have been running SafeBoot DE/MEE for PC for almost 4 years and only needed to run toastcache a few times (5000+ machines). Daily seems a bit excessive.

The risk associated with having a scheduled toastcache event is that it has the ID/password of a privileged account in the script. This means that anyone with read permission to that script (or a backup copy of that script) could alter your encryption database contents/settings. This should be an acceptable risk if your server has restricted access and your automated backup copies are not recoverable by any backup system administrator.
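
Added example (not part of the thread, and not SafeBoot/McAfee code): one way to check the exposure described in the post above is to list every principal whose ACL entry allows reading the scheduled script or its backup copies. The function name, the allow-list of well-known SIDs and the sample file are assumptions made for illustration.

```powershell
# Added example: report who can read a script that is run on a schedule.
# Default allow-list (assumption): LocalSystem and BUILTIN\Administrators.
function Get-UnexpectedReader {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string[]] $AllowedSid = @('S-1-5-18', 'S-1-5-32-544')
    )
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    # ACEs written with generic rights appear as raw bits, not enum names.
    $genericRead = 0x80000000   # PowerShell parses this as Int32 -2147483648
    $genericAll  = 0x10000000
    foreach ($p in $Path) {
        # Ask for SIDs rather than names so the check is locale-independent
        # and still works for accounts that no longer resolve.
        $rules = (Get-Acl -LiteralPath $p).GetAccessRules($true, $true, $sidType)
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $bits = [int]$ace.FileSystemRights
            $canRead = [bool]($bits -band ($readData -bor $genericRead -bor $genericAll))
            $sid = $ace.IdentityReference.Value
            if ($canRead -and $sid -notin $AllowedSid) {
                $name = try { $ace.IdentityReference.Translate(
                    [System.Security.Principal.NTAccount]).Value } catch { '(unresolved)' }
                [pscustomobject]@{
                    Path = $p; Sid = $sid; Account = $name
                    Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Constructed stand-in file; point -Path at the real script and its backups.
$sample = Join-Path $env:TEMP 'toastcache-sample.bat'
Set-Content -LiteralPath $sample -Value 'rem placeholder, no real commands'
Get-UnexpectedReader -Path $sample | Format-Table -AutoSize
Remove-Item -LiteralPath $sample
```

Only Allow entries are reported; Deny entries and group membership still decide effective access, so treat each row as a principal to review rather than a confirmed reader.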
mwalter
Level 7
Message 8 of 12

RE: To index or not?



It doesn't need to be a very privileged account. ToastCache calls SbAdmCl getcounts and that seems to work fine using a user that has an admin level of 1 and with only a single admin right, namely users\administration.

Mike
SafeBoot
Reliable Contributor
Message 9 of 12

RE: To index or not?

You don't have to put the password in the script; use an adminauth instead.

RE: To index or not?

So you can. Cool!

I'd still use a user with as few rights as possible though, but we've already established that I'm paranoid 🙂

Mike