I often receive questions about NSPI connections and how many connections I should allow. The reason for this is a change that was made to Windows 2008. Windows 2008 limits the number of NSPI Connections to 50 http://support.microsoft.com/kb/949469. Where as Windows 2003 was set to unlimited.
The NSPI protocol stands for Name Service Provider Interface and it is well documented here http://msdn.microsoft.com/en-us/library/dd942317(v=prot.10) But the idea behind it is to allow applications to look up and interact with addressing data stored by a server.
Often times this is a domain controller that the applications may interact with. However in Exchange 2010, NSPI is handled a little different. Exchange 2010 Acts as a proxy for NSPI connections back to a Domain Controller.
In many cases the number of NSPI connections is controlled by a throttling policy on the Exchange 2010 CAS server. However not all applications have been written to work with the Proxy.
So there are 2 different scenarios that you may run into with NSPI connections. Those that connect to the Exchange CAS server. Or those that connect directly to the Domain Controller. in either case the formula’s or methods I am going to show you will work to determine how many connections I want to allow.
many times I am told the application vendor wants you to set the Value to Null. This creates some risk and may allow an internal Denial of Service to happen. So I never recommend setting the value to null not even for 1 account. however I often see people do this. Most vendors already have a formula they use to determine what need to be allowed.
Generally you can find the formula for each application by searching their website. I will list the 4 formulas I know about and use most of the time however you may want to review the Vendors website and support requirements to make sure nothing has changed since I wrote this.
The most important thing to remember is that this is based on an individual account so if you do a good job of service account isolation. Meaning that you do not use the BES account for the service account for your Good Services then you really only need to find the service with the highest value and set it. Then the other accounts will be able to take advantage of the increased NSPI value.
The only caveat to this is if the NSPI end point is the Exchange server then you have to add all the accounts to the same Policy. However once you have done that then you should be good. I have included links at the bottom on using throttling policies but it is well documented so I did not add how to create the policy. Many of the links below have how to create a specific policy for their product. Either creating a policy for each account or adding all accounts to one policy is up to you.
I personally like isolation of policy’s and accounts but some may want to just add the accounts to single “services Policy” which will work.
GOOD uses a very simple formula
1 to 1.5 connections per user that is on the GOOD platform
http://www1.good.com/faq/solution-18325.html
Black Berry enterprise Server or BES
BES now goes with a 1 to 1 ration rounding up to the nearest 1000 so if you have 1001 users you would set the NSPI connection value to 2000
http://btsc.webapps.blackberry.com/btsc/viewContent.do?externalId=KB17325&sliceId=1
Symantec Enterprise Vault
Number of Mailbox Archiving tasks * Number of connection threads (per task) * 4 = A
Number of Journal Archiving tasks * Number of connection threads (per task) * 4 = B
Number of Public Folder Archiving tasks * Number of connection threads (per task) * 4 = C
Task Controller Service = 20
Storage Service = 32
Shopping Service = 20
PST Migrations = 20
Total = 2 * (A+B+C+20+32+20+20)
http://www.symantec.com/business/support/index?page=content&id=TECH73507
Avaya Modular Messaging
The calculation described in the section is specific to Modular Messaging Release 5.2.
Previous releases of Modular Messaging have additional requirements.
• One NSPI connection per Subscriber logon via the TUI. Therefore the number will not
exceed the number of telephony ports across all MAS servers. This will also include NSPI
sessions for Call-Answer Greeting Retrieval since an individual port can be used only for
either Subscriber logon or Call-Answer at any one time.
• One additional NSPI connection may be required when access the Subscribers profile
data. Since this could theoretically occur during any use of the TUI, the maximum number
equals the number of ports in the VMD.
• One NSPI connection for the VMD Synchronization per MAS.
• One NSPI connection for Call-Answer Message Delivery per MAS.
• One NSPI connection per Exchange server for Active Monitoring by each MAS Service.
• One NSPI connection per Monitored Exchange server for Mailbox Monitor.
• Each MAS can handle requests for Subscriber profile data from external sources such as
Subscriber Options. The MAS can pool up to 12 NSPI connections for this.
• Additional NSPI connections for unspecified mailbox access per MAS
NSPI = ({MM Services} x {Exchange servers}) + (2 x {VMD Ports}) + (25 x {MAS Services})
http://downloads.avaya.com/css/P8/documents/100069506
Check Appendix C and look for Calculating the number of NSPI Connections Required by Modular Messaging.
Additional Links
Understanding Client Throttling Policies
http://technet.microsoft.com/en-us/library/dd297964.aspx
Set-Throttling Policy
http://technet.microsoft.com/en-us/library/dd298094.aspx
Exchange throtting policies more in depth
Mitch's Blog 