I've read in various Identity Collector documents that the following is true:
- Identity Collector can process up to 1900 AD events per second. (sk108235)
- Identity Collector is based on security events which are logged on the Domain Controller servers (events 4624, 4768, 4769 and 4770). (sk86441)
Based on that,
1. Is 1900 AD events per second the maximum number of eps for all event IDs? Or only 1900 eps for event IDs of type 4624, 4768, 4769 and 4770 (i.e., other event IDs are filtered out and don't apply to the 1900 eps limit)?
2. If we were concerned that we may be close to the 1900 eps limit, can we spin up multiple IDC servers and split the domain controllers across them? For example, IDC server A handles only DC1 and DC2, while IDC server B handles only DC3 and DC4? Then for redundancy, you'd want to have a total of 4 (2 that handle DC1 and DC2, and 2 that handle DC3 and DC4). Would this make sense? Or would this cause other issues not anticipated?
What designs have you seen for customers with very large AD deployments?
Thanks for your thoughts!
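
One way to size the split asked about in question 2 is to measure peak events per second per collector under both readings of question 1 (all event IDs versus only the four listed). This is an added example, not part of the original post and not Check Point code; the collector names, the sample bursts and the use of event 4688 as a stand-in for other events are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

IDC_EVENT_IDS = {4624, 4768, 4769, 4770}  # event IDs named in the post
IDC_LIMIT_EPS = 1900                      # events-per-second figure quoted in the post

def peak_eps(events, assignment):
    """Peak events/second per collector as (all event IDs, the four IDs only).

    events: iterable of (iso_timestamp, dc_name, event_id)
    assignment: {dc_name: collector_name}, the DC-to-collector plan under test
    """
    peaks = {c: (Counter(), Counter()) for c in set(assignment.values())}
    for ts, dc, event_id in events:
        if dc not in assignment:
            continue  # DC is not read by any collector in this plan
        second = datetime.fromisoformat(ts).replace(microsecond=0)
        all_ids, four_ids = peaks[assignment[dc]]
        all_ids[second] += 1
        if event_id in IDC_EVENT_IDS:
            four_ids[second] += 1
    return {c: (max(a.values(), default=0), max(f.values(), default=0))
            for c, (a, f) in peaks.items()}

def over_limit(peaks, limit=IDC_LIMIT_EPS):
    """Per collector: does the peak exceed the limit under each reading of question 1?"""
    return {c: (a > limit, f > limit) for c, (a, f) in peaks.items()}

def sample_events():
    """Constructed burst: (second, DC, event ID, count); 4688 stands in for other events."""
    bursts = [("2024-01-01T09:00:00", "DC1", 4624, 1200),
              ("2024-01-01T09:00:00", "DC1", 4688, 500),
              ("2024-01-01T09:00:00", "DC2", 4768, 600),
              ("2024-01-01T09:00:01", "DC3", 4769, 300),
              ("2024-01-01T09:00:01", "DC4", 4770, 100)]
    return [(ts, dc, eid) for ts, dc, eid, n in bursts for _ in range(n)]

# Hypothetical plans: the split proposed in the post, and one collector for all four DCs.
SPLIT = {"DC1": "IDC-A", "DC2": "IDC-A", "DC3": "IDC-B", "DC4": "IDC-B"}
SINGLE = {dc: "IDC-A" for dc in SPLIT}

if __name__ == "__main__":
    for name, plan in (("split", SPLIT), ("single", SINGLE)):
        peaks = peak_eps(sample_events(), plan)
        print(name, peaks, over_limit(peaks))
```

Feeding it real per-DC Security log exports in place of `sample_events()` shows which domain controllers dominate the peak and whether a given grouping keeps each collector under the quoted figure.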