(This post was published on the original RMS team blog in May 2010)
Before you implement AD RMS you may want to test it in a test environment that mirrors your production environment. This post will help you in this process.
First, you must decide how you will use AD RMS in your organization so that you will know what to test. How many AD RMS users do you have in your organization? Do they reside in the same domain and forest? Will you be implementing any trust relationships with other Active Directory forests? Will you have any licensing-only clusters? What client and server applications will end-users use to protect and consume content? For example, if you plan to use AD RMS with Microsoft Office SharePoint Services (MOSS), you should include it in your testing. The closer your test environment mirrors your production environment, the more relevant your test data will be.
Your server specifications and roles in your test environment should also mirror your production environment. We recommend that you use the specifications described in the TechNet documents AD RMS Prerequisites and AD RMS SQL Server Requirements. Ideally you are using dedicated servers for your AD RMS server, domain controller, and Microsoft SQL Server. Either way, ensure that the two environments are as identical as possible. However, you can safely test AD RMS using virtual machines; the performance difference between AD RMS on a virtual machine and on a physical server is not significant.
In preparation for testing, knowing the steps behind the most common AD RMS transactions can be helpful. When an end user creates or consumes protected content for the very first time, she must be bootstrapped. During this process, the client generates a Machine Account Certificate (MAC) and obtains a Rights Account Certificate (RAC) from the AD RMS cluster. The first time a user publishes protected content, a Client Licensor Certificate (CLC) is obtained from the AD RMS cluster.
After a user is bootstrapped she can publish content on a client computer using her existing MAC, RAC, and CLC. For a user to consume content, after the bootstrapping process is complete, she can use her existing MAC and RAC, but must get an End Use License (EUL) from the AD RMS cluster.
To summarize, Machine Activation and the publishing of AD RMS protected content happen on a client computer, and therefore cannot be directly tracked by the AD RMS cluster. Certification, client enrollment, and EUL issuance occur on the AD RMS cluster and can be directly measured by AD RMS Performance Counters.
There are no out-of-the-box tools available to test AD RMS, but you can load test the pipelines (asmx files) like any other ASP.NET application. When stress testing the AD RMS server, make sure it is not being used for anything other than AD RMS and ensure that it is tested to 100% load. Then use the AD RMS Performance Counters in the Performance Monitor to gather your test results. AD RMS Performance Counters offer valuable statistics that you can use to validate the performance of your AD RMS installation. The following table identifies a few of the most useful counters when testing your environment:

| AD RMS Operation | Performance Counter | Description |
| --- | --- | --- |
| Certification - AD RMS Server | `AD RMS Certification\Certification Failed Requests` | Returns the total number of failed Certification Requests |
| | `AD RMS Certification\Certification Successful Requests` | Returns the total number of successful Certification Requests |
| | `AD RMS Certification\Certification Successful Request Rate` | Returns the total rate (requests per second) of successful Certification Requests |
| Precertification - AD RMS Server | `AD RMS Certification\PreCertification Failed Requests` | Returns the total number of failed pre-certification requests |
| | `AD RMS Certification\PreCertification Successful Requests` | Returns the total number of successful pre-certification requests |
| | `AD RMS Certification\PreCertification Successful Request Rate` | Returns the total rate (requests per second) of successful pre-certification requests |
| Client Enrollment - AD RMS Server | `AD RMS Licensing\Client Licensor Certificate Failed Requests` | Returns the total number of failed Client Enrollment Requests |
| | `AD RMS Licensing\Client Licensor Certificate Successful Requests` | Returns the total number of successful Client Enrollment Requests |
| | `AD RMS Licensing\Client Licensor Certificate Successful Requests Rate` | Returns the total rate (requests per second) of successful Client Enrollment Requests |
| Publishing - AD RMS Server | `AD RMS Licensing\Publishing Failed Requests` | Returns the total number of failed publishing requests |
| | `AD RMS Licensing\Publishing Successful Requests` | Returns the total number of successful publishing requests |
| | `AD RMS Licensing\Publishing Successful Requests Rate` | Returns the total rate (requests per second) of publishing requests |
| License - AD RMS Server | `AD RMS Licensing\Licensing Failed Single Requests` | Returns the total number of failed Licensing Requests |
| | `AD RMS Licensing\Licensing Successful Single Requests` | Returns the total number of successful Licensing Requests |
| | `AD RMS Licensing\Licensing Successful Single Requests Rate` | Returns the total rate (requests per second) of successful Licensing Requests |
| | `AD RMS Licensing\Licensing Successful Batched Requests` | Returns the total number of successful batched requests (Server applications like MOSS and Exchange use batch licensing) |
| | `AD RMS Licensing\PreLicensing Successful Requests` | Returns the total number of successful Prelicensing requests (used in Exchange Prelicensing) |
| Batch Licensing - AD RMS Server | `AD RMS Licensing\Licensing Failed Batch Requests` | Returns the total number of failed batch licensing requests |
| | `AD RMS Licensing\Licensing Successful Batch Requests` | Returns the total number of successful batch licensing requests |
| | `AD RMS Licensing\Licensing Successful Batch Requests Rate` | Returns the total rate (requests per second) of successful batch licensing requests |
| Prelicense - AD RMS Server | `AD RMS Licensing\PreLicensing Failed Requests` | Returns the total number of failed prelicensing requests |
| | `AD RMS Licensing\PreLicensing Successful Requests` | Returns the total number of successful Prelicensing requests |
| | `AD RMS Licensing\PreLicensing Successful Requests Rate` | Returns the total rate (requests per second) of successful Prelicensing requests |
| System | `ASP.NET Apps v2.0.50727(__Total__)\Requests/Sec` | Assuming Total Transaction on the AD RMS Server = Transaction on the IIS |
| | `Processor(_Total)\% Processor Time` | Processor usage (since Crypto operations are costly) |
| | `Memory\Available MBytes` | Available Free Memory |

Please note that the majority of the requests from end users will be license requests. Also, remember that the AD RMS logging database will grow at a substantially faster rate than the other databases. Testing the database server, and the logging database in particular, should be a key component of your testing strategy.
We recommend testing a worst-case scenario as part of your testing strategy. An example of this might be a company-wide protected e-mail message with a few attachments and several replies. In such a scenario, you could reasonably expect a total of ten use licenses per user over the course of an hour. Continuing the example, if your organization has 10,000 AD RMS end-users, then your cluster would have to be able to support a peak load of 100,000 license requests per hour, or 30 requests per second. The particulars of your AD RMS usage will dictate what a worst-case scenario will look like for your organization. The TechNet article Scaling the Infrastructure Components offers some average performance rates of AD RMS servers with certain specifications. You can use these numbers as a baseline in your own testing.
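One way to sample the licensing and system counters from the table during a load run and compare the sustained license rate with the worst-case target (an added example, not part of the original post). It assumes the counter paths are the table's object and counter names joined by a backslash; the 5-second interval, 5-minute duration and the helper name `Get-Series` are arbitrary choices.

```powershell
# Added example, not from the original post. Run on the AD RMS server under test.
# Worst-case sizing inputs from the scenario above; replace with your own figures.
$Users           = 10000   # AD RMS end users
$LicensesPerHour = 10      # use licenses per user in the peak hour
$TargetRate      = $Users * $LicensesPerHour / 3600   # license requests per second

# Assumption: counter paths are the table's object and counter names joined by "\".
# Confirm the names on your server first with: Get-Counter -ListSet 'AD RMS*'
$RateCounter   = '\AD RMS Licensing\Licensing Successful Single Requests Rate'
$FailedCounter = '\AD RMS Licensing\Licensing Failed Single Requests'
$Counters = @(
    $RateCounter
    $FailedCounter
    '\Processor(_Total)\% Processor Time'
    '\Memory\Available MBytes'
)

# Sample every 5 seconds for 5 minutes while the load generator is running.
$Samples = Get-Counter -Counter $Counters -SampleInterval 5 -MaxSamples 60 |
    ForEach-Object { $_.CounterSamples }

# Returned paths carry a \\<computer> prefix and may be lower-cased: match the suffix.
function Get-Series([string]$Suffix) {
    $Samples | Where-Object {
        $_.Path.EndsWith($Suffix, [StringComparison]::OrdinalIgnoreCase)
    }
}

# Per-counter minimum, average and maximum over the run.
$Samples | Group-Object -Property Path | ForEach-Object {
    $s = $_.Group | Measure-Object -Property CookedValue -Minimum -Average -Maximum
    [pscustomobject]@{
        Counter = $_.Name
        Min     = [math]::Round($s.Minimum, 1)
        Avg     = [math]::Round($s.Average, 1)
        Max     = [math]::Round($s.Maximum, 1)
    }
} | Format-Table -AutoSize

# Verdict: sustained license rate against the target, and failures during the run.
$rate        = Get-Series $RateCounter | Measure-Object -Property CookedValue -Average
$failed      = @(Get-Series $FailedCounter)
$newFailures = $failed[-1].CookedValue - $failed[0].CookedValue
'Target {0:N1} req/s, measured average {1:N1} req/s, new failed requests {2}' -f $TargetRate, $rate.Average, $newFailures
if ($rate.Average -lt $TargetRate) {
    Write-Warning 'Cluster did not sustain the worst-case license rate.'
}
```

The measured rate only reflects cluster capacity if the load generator is driving the server to full load for the whole sampling window.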
Finally, we recommend testing AD RMS with rights policy templates and Active Directory groups. Individually adding rights and users increases the size of the publishing license and, in turn, increases the load on the AD RMS server. In a multi-domain environment, make sure you allot enough time for the Active Directory groups to replicate across the entire forest.