I recently had a request from a customer who is planning on changing his MSMQ servers from workgroup mode to AD Integrated mode. They were looking for information and guidance on what kind of stress this would place on their AD Infrastructure. They have 20 queues, processing a total of 100,000 messages/day, with a 1MB average message size. I thought I would share my thoughts on this migration.

The first point to cover is what MSMQ uses Active Directory for and how it doesn't have to relate to delivering messages.

The usual analogy I use is to compare MSMQ to the telephone system. Imagine a table on which is a traditional telephone with a local directory listing next to it. To make a call, you can just dial the number (if you know it) or you can look it up in the book (if you don't). Additionally, you can use the directory listing to determine the location of the person you are calling - maybe it's a shop or someone that shares a common name. The actual connection to the person you are calling is made using the same method, independent of whether you looked the number up or not.

With MSMQ it is the same. You can either send a message directly to a destination queue or you can contact Directory Services for assistance or additional information. Once the destination has been determined, a point-to-point connection is made and the message delivered (unless you are using Routing Servers, of course).

To relate this to the original question, you can ignore message size and throughput as they do not have a corresponding Active Directory object. Even queues can be ignored to some extent as, although each may be represented by an object in Directory Services, they physically exist on the destination server itself and not a domain controller.

To determine the load on the Active Directory infrastructure, you need to instead look at the MSMQ-using applications you are running. For examples, do they make use of:

  • Addressing messages with Pathnames
  • Querying of queue properties
  • Querying of queue permissions
  • Message authentication
  • Message encryption

It is these sorts of operation that require access to Active Directory and which will generate load on the infrastructure. How much load there will be is difficult to say as it depends on how efficiently the applications have been coded. Test benchmarking will be the order of the day.

Note that an application initially designed to work on MSMQ in workgroup mode is unlikely to generate any extra load when ported to an AD-integrated environment as the code will not be making any calls to Directory Services.

To conclude, avoid contacting Directory Services unless you need the extra functionality provided as the calls are expensive.

  • If you know the machine and queue names, send the message DIRECT.
  • Use Negative Source Journaling and Dead Letter Queues instead of querying the queue's properties and permissions.
  • If you must use AD-Integration mode, remember MSMQ follows site (not domain) boundaries so ensure there are at least 2 domain controllers in every logical site where MSMQ clients exist.