2 Replies Latest reply on May 6, 2010 6:54 PM by SafeBoot

    Efficient way to create and maintain AD Connector

      Hi folks,


      We deployed EEPC 5.3 to over 800 endpoints and we are currently in a 'stable' phase with very few password reset requests. Since most of the current deployment was based on a scenario of many endpoints shared by many users, we had to increase SBFS and prepopulate large user groups. However, now we are going to do an enterprise deployment for several thousand laptops. We will be using the AutoDomain script to search for cached users and add them to a specific machine property. My question is twofold:


      1) In my current deployment, I had to create AD connector. In the connector I'm pulling multiple user groups with search criteria like CN=FinanceBA,OU=Groups,OU=Accounts,DC=corporate,DC=abc,DC=com

      CN=HRCorp,OU=Groups,OU=Accounts,DC=corporate,DC=abc,DC=com

      CN=TechSupportUS,OU=Groups,OU=Accounts,DC=corporate,DC=abc,DC=com

      etc.


      This worked fine for a small group of users. Now that we are planning to roll out to the entire enterprise:

      • How do I create an AD connector that balances performance (esp. sync time) and functionality (AD updates synced without errors)?
      • Can I search for "All the domain users" and populate EEM? I do not think that would be a good idea, but still want to check with you folks.
      • If there are, say, 1500 AD groups, I cannot possibly imagine adding so many search criteria. So how do you guys optimally create search criteria in your McAfee AD connectors?
      • Do any of you have problems handling backup of the Object Directory with multiple thousands of users populated? After we start populating the EEM with loads of 1000s of users, I feel our Object Directory backup is going to have performance issues.


      Any response or best practices would help greatly.

        • 1. Re: Efficient way to create and maintain AD Connector

          Best practice is a discussion you should have with McAfee Prof Services, but the connector should be quite happy with thousands of users - if it's taking a long time, be sure that you have performance-tuned your DB - name index is turned on and working, etc.


          Re how to make it work, though, the answers are very different depending on what portion of your AD you need to sync - if it's 80% plus, it's easier to use group mapping logic to skip the users you don't care about and get the connector to look at them all. If it's 20%, then you need to use some search limitations, either a base search or search groups.


          You can get the connector to see all users just by leaving search groups empty, and using a vanilla base search.

          • 2. Re: Efficient way to create and maintain AD Connector

            AD design reflects here.

            You do not have to list every minor branch of your AD tree. Just focus on major trunks.

            So have users grouped by major criteria, like country, major department, operating company or geographic location.

            You should not have too many trunks in that tree.


            But for performance it is not how many filters (search groups) you have; it's the total number of accounts that need to be synced that matters.

            Both EEPC users and AD users. Those two populations might get vastly different if you do not clean up frequently enough.
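Reply 1 suggests a single base search instead of a long list of search groups, and reply 2 suggests focusing on the major trunks of the tree. As an added example (not from the thread and not McAfee code), the script below takes group DNs of the kind listed in the question, computes the narrowest base DN that covers them all, and shows which containers sit directly beneath it; the fourth DN is constructed to show a second trunk.

```python
# Added example: find the narrowest base DN covering a list of group DNs and
# the "trunks" directly beneath it, to decide between one base search and a
# short list of search groups. Not part of the thread or of McAfee's product.
from collections import defaultdict
from typing import Dict, List

# Three DNs from the question plus one constructed DN in a second OU.
GROUP_DNS = [
    "CN=FinanceBA,OU=Groups,OU=Accounts,DC=corporate,DC=abc,DC=com",
    "CN=HRCorp,OU=Groups,OU=Accounts,DC=corporate,DC=abc,DC=com",
    "CN=TechSupportUS,OU=Groups,OU=Accounts,DC=corporate,DC=abc,DC=com",
    "CN=Contractors,OU=Vendors,OU=Accounts,DC=corporate,DC=abc,DC=com",  # constructed
]

def parse_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, keeping backslash-escaped commas (RFC 4514) intact."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns

def common_base_dn(dns: List[str]) -> str:
    """Longest suffix (from the root) shared by all DNs, compared case-insensitively."""
    if not dns:
        return ""
    root_first = [list(reversed(parse_dn(d))) for d in dns]
    shared = []
    for level in zip(*root_first):
        if len({rdn.lower() for rdn in level}) != 1:
            break  # first level where the DNs diverge
        shared.append(level[0])
    return ",".join(reversed(shared))

def trunks_below(dns: List[str], base: str) -> Dict[str, List[str]]:
    """Group DNs by the container immediately below `base` (the 'trunk')."""
    depth = len(parse_dn(base))
    groups: Dict[str, List[str]] = defaultdict(list)
    for dn in dns:
        rdns = parse_dn(dn)
        if len(rdns) > depth:  # skip a DN that is the base itself
            groups[rdns[-depth - 1]].append(dn)
    return dict(groups)

if __name__ == "__main__":
    base = common_base_dn(GROUP_DNS)
    print("base search:", base)
    for trunk, members in trunks_below(GROUP_DNS, base).items():
        print(f"  {trunk}: {len(members)} group(s)")
```

If every trunk under the common base is wanted, the base DN alone is the search; otherwise the trunk list is the short set of search groups to keep.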