Seen it in production with a customer around 8500 nodes, probably roughly the same number of policies per user (~600 total application policies). It's humming along now; here were some of the things encountered initially:
1) Database backend needs to be tuned (i.e., proper tables reindexed) and have the horsepower to support the more frequent lookups
2) IIS should be set up with app pools for the policy web service (set up by default in 8.8 under LDAPPMain) but this customer started on 8.7.
3) Evaluate how often policies are being checked on clients. This customer was checking multiple times an hour prior to enabling LDAPGroupEnumeration and that proved overwhelming even after tuning. Once this was trimmed back to more reasonable levels, it worked quite well.
Hope this helps.
Thanks for the insight, that's exactly what I was looking for.
I would like to have a little bit more information regarding this setting, "LDAPGroupEnumeration".
I have a customer that deploys software only via AD group on LDMS 8.8 SP3. Around 600 policies for 9000 clients and only at logon...
Today, it works, but sometimes it's not really reliable. Making 2 devices at the same time, with the same options, the software is not installed in the same way. One runs fast, and then for the second you need to wait a lot to have something...
The most famous reg key, DisableLdapGroupEnumeration, is not enabled on the client. Should I enable this? Is it mandatory, helpful or not? What impact?
Many thanks for your experience.