64bit-only Windows Server is good for Active Directory
A while ago Microsoft announced that Windows Server 2008 R2 and later Windows Server releases would be 64bit-only (both x86-64 and IA64). Windows Server 2008 R2 Server Core is even the first Microsoft Windows Server to optionally include 32bit support…
Most systems administrators have no problem with Microsoft going 64bit-only. These are probably systems administrators with Exchange Server 2007 in their production environments anyway… Some systems administrators, however, feel they are forced to switch to 64bit Windows Server Operating Systems without a reason and without a choice.
My answer to these people is to investigate the issue and to make an inventory of possible problems when switching from a 32bit Windows Server Operating System to a 64bit Windows Server Operating System.
Benefits of 64bit Domain Controllers
The whitepaper titled “Active Directory Performance for 64-bit Versions of Windows Server 2003” explains how an Active Directory Domain Controller on Windows Server 2003 SP1 x64 outperforms an Active Directory Domain Controller on the 32bit version of Windows Server 2003 SP1 on the same hardware.
In the whitepaper two different tests are explained. The first test uses an Active Directory Database with 100,000 users, added to groups. This database can be stored in RAM on both the 32bit and 64bit version of Windows Server, since it’s less than 2.75GB in size. The other test uses a database that is only cacheable in RAM on a 64bit version of Windows Server with 32GB RAM. This database is larger than 2.75GB (roughly 24GB) and holds 3 million user objects.
The differences in logons and binds in the first test are not shocking. The 64bit Domain Controller outperforms the 32bit Domain Controller, but these differences are hardly noticeable in real-life situations. In the second test the differences are huge: the 64bit Domain Controller achieves operations/sec scores that blow the operations/sec of the 32bit Domain Controller away!
When deploying a new Domain Controller it’s important to know what size the Active Directory Database will be. You can use the Active Directory Sizer tool for this purpose.
This tool takes into account whether you’re utilizing DNS Server and/or Exchange Server, serving up other objects and/or attributes.
I’ve talked about this a couple of times: Active Directory uses a scale-out instead of a scale-up model. When your Active Directory database reaches a certain size, it’s time to add memory on all your Domain Controllers. When your 32bit Domain Controllers are already stuffed with RAM, it’s going to be hard to add RAM or make efficient use of your RAM. On a 32bit system a single process can only use up to 4GB of memory. Adding memory beyond a certain point (using PAE) won’t benefit the performance of a 32bit Domain Controller, since lsass.exe won’t be able to use more than 4GB of RAM.
In more recent versions of Windows, the 64bit versions require digitally signed drivers.
Drivers that are Windows Hardware Quality Labs (WHQL)-certified are known as signed drivers. Since signed drivers have completed WHQL Testing, chances are these drivers are of better quality than unsigned drivers and thus will result in fewer driver problems, like stop errors (or Blue Screens of Death, BSoDs, as some people passionately refer to them).
Hardware with signed drivers achieves the Certified for Windows logo. You can check whether the hardware for your server is certified, using the Windows Server Catalog.
Drawbacks of 64bit Domain Controllers
64bit hardware needed
To run a 64bit version of Windows you’ll need a 64bit-capable processor.
Luckily, Intel and AMD have been selling these processors for years already. Server manufacturers like HP, IBM and Dell have put these processors in their server models for years. It’s hard to find a server with a valid support contract that isn’t equipped with a 64bit-capable processor.
You can use the SecurAble tool from GRC on a previously installed Windows Operating System to determine whether the processor is a 64bit-capable processor. When you know the processor is an AMD processor, use the AMD Virtualization Technology and Microsoft Hyper-V System Compatibility Check Utility tool for accurate results. For Intel processors use the Intel Processor Identification Utility.
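The sizing reasoning from the benefits section (database size versus what lsass.exe can cache) and the processor check above can be scripted together. This is an added example, not part of the original post: `Get-DcCacheAssessment` is a hypothetical helper, and it assumes Windows PowerShell run locally on a Domain Controller, with the 2.75GB figure quoted earlier used as the 32bit limit.

```powershell
# Added example (not from the original post). Run in Windows PowerShell on a Domain Controller.
function Get-DcCacheAssessment {
    param(
        [Parameter(Mandatory=$true)][double]$DatabaseGB,  # size of ntds.dit on disk
        [Parameter(Mandatory=$true)][double]$PhysicalGB,  # installed RAM
        [Parameter(Mandatory=$true)][int]$OsBits,         # 32 or 64: the running Operating System
        [Parameter(Mandatory=$true)][int]$CpuBits         # 32 or 64: what the processor supports
    )
    # 2.75GB is the size the post quotes as still cacheable on a 32bit Domain Controller.
    $limit32GB = 2.75
    # Simplification (assumption): on 64bit, all installed RAM counts as available for caching.
    if ($OsBits -eq 64) { $cacheableGB = $PhysicalGB }
    else                { $cacheableGB = [Math]::Min($limit32GB, $PhysicalGB) }
    $fits = $DatabaseGB -lt $cacheableGB

    if ($fits)               { $advice = 'Database fits in RAM on this Domain Controller.' }
    elseif ($OsBits -eq 64)  { $advice = 'Database is larger than installed memory: add RAM.' }
    elseif ($CpuBits -eq 64) { $advice = 'Hardware is 64bit-capable: plan a 64bit Domain Controller.' }
    else                     { $advice = '32bit-only processor: a 64bit Domain Controller needs new hardware.' }

    New-Object PSObject -Property @{
        DatabaseGB  = [Math]::Round($DatabaseGB, 2)
        CacheableGB = [Math]::Round($cacheableGB, 2)
        OsBits      = $OsBits
        CpuBits     = $CpuBits
        FitsInRam   = $fits
        Advice      = $advice
    }
}

# The NTDS service stores the database path in this registry value.
$ntds  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbGB  = (Get-Item $ntds.'DSA Database file').Length / 1GB
$ramGB = (Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1GB

# Win32_Processor: AddressWidth follows the running OS, DataWidth follows the CPU itself,
# so a 64bit-capable CPU under a 32bit OS reports AddressWidth 32 and DataWidth 64.
$cpu = Get-WmiObject Win32_Processor | Select-Object -First 1

Get-DcCacheAssessment -DatabaseGB $dbGB -PhysicalGB $ramGB `
    -OsBits $cpu.AddressWidth -CpuBits $cpu.DataWidth

# Current lsass.exe working set, for comparison with the database size.
'lsass.exe working set: {0:N2} GB' -f ((Get-Process lsass).WorkingSet64 / 1GB)
```

The on-disk size of ntds.dit includes free space inside the database file, so treat the result as an upper bound on what needs to be cached.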
Signed drivers needed
While signed drivers are a blessing, they can make you go crazy when the manufacturer of your hardware doesn’t provide any. This is true in situations where the hardware is of an indistinctive make (I usually refer to this as pokkiewokkie or hakkietakkie hardware, although white-box hardware is also pretty descriptive) or when a new version of a Microsoft Operating System has just been released.
Slower 32bit applications
While device drivers need to be 64bit drivers, applications can still be 32bit native applications. Microsoft uses Windows on Windows (WoW) to make 32bit applications run. Because these 32bit applications by default use Protected Mode (which means they don't attempt to make direct hardware or memory calls), most 32bit applications can be run on 64bit Operating Systems. There are exceptions. 32bit applications on WoW typically run slower than 32bit applications on a 32bit Windows installation, albeit mostly unnoticeably.
A lot of the applications you use on your servers, however, may be 32bit applications. These applications may include anti-malware programs, backup software, UPS software, archiving tools and management add-ons.
No 16bit support
Windows on Windows (WoW) offers backward compatibility with one previous architecture only. Windows on Windows in 32-bit Operating Systems can run (some) 16-bit applications and Windows on Windows in 64-bit Operating Systems can run 32-bit applications. The drawback is you cannot run any 16-bit applications on Microsoft's 64-bit Operating Systems.
Known problems transitioning and upgrading
No in-place upgrades between architectures
When you have Domain Controllers running a 32bit version of Windows Server, you can’t upgrade them in-place to a 64bit version of Windows Server. Microsoft does not offer cross-architecture in-place upgrades.
This means you’re stuck with transitioning or restructuring your Active Directory topology.
- Transitioning means adding 64bit Windows Server Domain Controllers to your existing Active Directory environment. After successfully moving the Flexible Single Master Operations (FSMO) roles you can simply demote the previous Domain Controllers, remove them from the domain and throw them out of the window. Transitioning is possible for Active Directory environments whose domain functional level is at least Windows 2000 Native.
- Restructuring is the process of moving from 32bit Domain Controllers to 64bit Domain Controllers. This involves moving all your resources (servers, workstations, printers, user accounts) from one domain to a new and fresh domain. Tools like the Active Directory Migration Tool (ADMT) are priceless in these kinds of migrations.
32bit media needed to perform preparations
When transitioning from 32bit Domain Controllers to 64bit Domain Controllers of a newer Windows version you need to prepare the Active Directory schema. This action needs to be performed on the current 32bit Domain Controllers holding specific roles, using the tools in the adprep folder from the media of the newer Windows version.
Since the 64bit media only contain 64bit versions of the Operating System and corresponding tools, you can’t use the tools from the 64bit media of the newer Windows version. In this case you need to get hold of 32bit media of the Operating System.
Luckily in these scenarios you can use trial media. These are downloadable from the Microsoft website at no charge.
Starting with Windows Server 2008 R2, however, Microsoft will only release Windows Server in a 64bit form. When you want to transition your 32bit Domain Controllers to Windows Server 2008 R2, you need to first introduce a 64bit Domain Controller (Windows Server 2003 x64 or Windows Server 2008), seize the appropriate Flexible Single Master Operations (FSMO) Roles and prepare for Windows Server 2008 R2 Domain Controllers on this server. This whole process is explained by Tomasz, here.
Related Posts on DirTeam
32-bit to 64-bit Active Directory performance comparison has arrived
Introducing Windows 2003 R2 64-bit DC into 32-bit domain
Active Directory Performance for 64-bit Versions of Windows Server 2003
WoW64 Is Now an Optional Feature for Server Core
32-bit support optional for Server 2008 R2 Server Core
Active Directory Sizer
Operating Systems and PAE Support
A description of the driver support in x64-based versions of Windows Server 2003
AMD Virtualization Technology and Microsoft Hyper-V System Compatibility Check Utility
Intel Processor Identification Utility
Hyper-V: Will My Computer Run Hyper-V? Detecting Intel VT and AMD-V
x64 Domain Controllers
Using x64 for DCs? Let’s hear your experiences.
Reasons to move to 64 bit Domain Controllers
64bit Domain Controllers
Is Windows Server 2008 x64 as a domain controller a good idea in my environment?
Can you have a mix of 32 and 64 bit domain controllers?
Memory usage by the Lsass.exe process on domain controllers