objectClass attribute in Windows 2008 is now indexed.
Did you know that the objectClass attribute in an Active Directory database is not indexed in pre-Windows 2008 Active Directory? This isn't an issue for an efficiently formed LDAP query filter such as (&(objectCategory=person)(objectClass=user)), which takes advantage of the indexed objectCategory attribute, but if you filter on a non-indexed attribute alone, such as (objectClass=user), the query has to examine every object with the objectClass attribute populated to see whether it matches (how many LDAP queries have you seen use this filter?). So with a database of 100,000 objects, if all you were looking for were the user account objects (say 10,000), you would be parsing all 100,000 objects to build the result set; not the most efficient search.
So why wasn’t objectClass indexed? Well these are the reasons that a little research (and trawling through forums and blogs) has provided.
- With Windows 2000 Server, the ESE (Extensible Storage Engine) was not very efficient at building indexes over data with large numbers of repeated values. An index over a widely dispersed value such as a GUID was fine, even for a multi-valued attribute, but an index over an attribute with only a few possible values (e.g. gender) performed badly, even for a single-valued attribute. The hit was worse for updates than for searches, so the issue was not avoiding searches on the attribute but avoiding modifications to it: with objectClass indexed, the object creation rate was poor. This was fixed in the version of ESE that shipped with Server 2003, but the index on objectClass was not turned on because it would have hurt performance for installations upgrading from Windows 2000. With Server 2008 the number of environments still coexisting with Windows 2000 was judged low enough to turn the index on safely; Exchange Server 2007 also indexes objectClass.
- When the Windows 2000 Server beta was released, Active Directory couldn't properly index multi-valued non-unique attributes, and that is specifically why objectClass isn't indexed by default. This was fixed for Windows 2000 RTM, but the index wasn't enabled, probably for the reasons above.
Indexing this attribute can be done by viewing the properties of the attribute in the Active Directory Schema snap-in (after registering schmmgmt.dll and ensuring you are a member of Schema Admins), and then ensuring the check box “Index this attribute in Active Directory” is ticked; this sets bit 1 of the attribute's searchFlags value. Alternatively you could use joeware's excellent AdFind and AdMod with the following command line, which sets the same bit while preserving the others: “adfind -schema -f name=object-class searchFlags -adcsv | admod searchFlags::{{.:set:1}} -exterr”
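The same check and change done with the RSAT ActiveDirectory PowerShell module, as an added example that is not from the original post or from joeware's tools. It assumes the module is installed, that you are a member of Schema Admins, and that the schema master is reachable; the write is run with -WhatIf so nothing changes until you remove it.

```powershell
# Added example: read the searchFlags of the objectClass schema attribute and
# set the index bit (fATTINDEX = 1) if it is not already set.
Import-Module ActiveDirectory

$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$attrDN    = "CN=Object-Class,$schemaNC"   # schema object whose lDAPDisplayName is objectClass
$fATTINDEX = 1                              # searchFlags bit 1: build an index over this attribute

$attr  = Get-ADObject -Identity $attrDN -Properties searchFlags, lDAPDisplayName
$flags = [int]$attr.searchFlags

if ($flags -band $fATTINDEX) {
    Write-Host "$($attr.lDAPDisplayName) is already indexed (searchFlags=$flags)"
}
else {
    Write-Host "$($attr.lDAPDisplayName) is NOT indexed (searchFlags=$flags)"
    # OR in the index bit only, keeping any other searchFlags bits (ANR, confidential, ...)
    # intact, which is what the admod {{.:set:1}} expression above does.
    $newFlags = $flags -bor $fATTINDEX
    # Schema writes must go to the schema master and replicate forest-wide, and every DC
    # then builds the index; -WhatIf shows the change without applying it.
    Set-ADObject -Identity $attrDN -Replace @{searchFlags = $newFlags} `
                 -Server (Get-ADForest).SchemaMaster -WhatIf
}
```

Re-run the script after replication to confirm searchFlags now has bit 1 set on the DC you query.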
It is worth being aware that indexing an attribute can also make some queries slower. Consider the query (&(objectClass=user)(samAccountName=[uniquevalue])), which executes faster if objectClass is not indexed. In both cases the query processor ends up choosing the index over samAccountName to do the enumeration, but when objectClass is indexed it first wastes time evaluating how tightly the objectClass index encloses the result set (answer: not very). That evaluation costs time and I/O.
The above information was harvested from the following sources:
- https://blog.joeware.net/2007/03/24/831/
- https://blog.joeware.net/2005/12/08/147/
- https://www.activedir.org/ListArchives/tabid/55/forumid/1/tpage/1/view/Topic/postid/31737/Default.aspx
- https://www.frickelsoft.net/blog/?p=147