Revision #30

You are currently reviewing an older revision of this page.
Go to current version

An LDAP application may return less information when a query is sent to a Windows Server 2008 or Windows Server 2008 R2 domain controller than when sent to a Windows Server 2003 domain controller. The query results may appear truncated or incomplete. In some occasions you may not get any results.

If, for example, a LDAP application queries the members of a group, the Windows Server 2008 R2 or Windows Server 2008 domain controller only returns 5000 members, while the Windows Server 2003 domain controllers returns many more members.

In both cases you may realize the same extended LDAP policy setting in NTDSUTIL required for the LDAP application.

How to check LDAP Policies from  LDP.EXE



How to check LDAP Policies from NTDSUTIL 



How to check LDAP Policies from ADSIEDIT.MSC

Windows 2000 and Windows Server 2003 LDAP administration limits

The LDAP administration limits are:

InitRecvTimeout
This value defines the maximum time in seconds that a domain controller waits for the client to send the first request after the domain controller receives a new connection. If the client does not send the first request in this amount of time, the server disconnects the client. default value: 120 seconds
MaxActiveQueries
The maximum number of concurrent LDAP search operations that are permitted to run at the same time on a domain controller. When this limit is reached, the LDAP server returns a "busy" error.

Default value: 20 

Note This control has an incorrect interaction with the MaxPoolThreads value. MaxPoolThreads is a per-processor control, while MaxActiveQueries defines an absolute number. Starting with Windows Server 2003, MaxActiveQueries is no longer enforced. Additionally, MaxActiveQueries does not appear in the Windows Server 2003 version of NTDSUTIL. 

MaxConnections
The maximum number of simultaneous LDAP connections that a domain controller will accept. If a connection comes in after the domain controller reaches this limit, the domain controller drops another connection.
Default value: 5000

MaxConnIdleTime
The maximum time in seconds that the client can be idle before the LDAP server closes the connection. If a connection is idle for more than this time, the LDAP server returns an LDAP disconnect notification.
Default value: 900 seconds

MaxDatagramRecv
The maximum size of a datagram request that a domain controller will process. Requests that are larger than the value for MaxDatagramRecv are ignored. 

Default value:
Windows 2000 - 1,024 bytes
Windows Server 2003 - 4,096 bytes 

MaxNotificationPerConnection
The Maximum number of outstanding notification requests that are permitted on a single connection. When this limit is reached the server returns a "busy" error to any new notification searches that are performed on that connection.
Default value: 5

Maxpagesize
This value controls the maximum number of objects that are returned in a single search result, independent of how large each returned object is. To perform a search where the result might exceed this number of objects, the client must specify the paged search control. This is to group the returned results in groups that are no larger than the MaxPageSize value. To summarize, MaxPageSize controls the number of objects that are returned in a single search result.
Default value: 1,000

MaxPoolThre
ads
The maximum number of threads per-processor that a domain controller dedicates to listening for network input or output (I/O). This value also determines the maximum number of threads per-processor that can work on LDAP requests at the same time.
Default value: 4 threads per-processor

MaxResultSetSize
Between the individual searches that make up a paged result search, the domain controller may store intermediate data for the client. The domain controller stores this data to speed up the next part of the paged result search. The MaxResultSize value controls the total amount of data that the domain controller stores for this kind of search. When this limit is reached, the domain controller discards the oldest of these intermediate results to make room to store new intermediate results.
Default value: 262,144 bytes 

MaxQueryDuration
The maximum time in seconds that a domain controller will spend on a single search. When this limit is reached, the domain controller returns a " timeLimitExceeded" error. Searches that require more time must specify the paged results control.
Default value: 120 seconds 

MaxTempTableSize
While a query is processed, the dblayer may try to create a temporary database table to sort and select intermediate results from. The MaxTempTableSize limit controls how large this temporary database table can be. If the temporary database table would contain more objects than the value for MaxTempTableSize, the dblayer performs a much less efficient parsing of the complete DS database and of all the objects in the DS database.
Default value: 10,000 records

MaxValRange
The MaxValRange value controls the number of values that are returned for an attribute of an object, independent of:

  • how many attributes that object has
  • of how many objects were in the search result.

The LDAP administration limits (with defaults in parentheses) are the following:

InitRecvTimeout Initial receive time-out (120 seconds).
MaxConnections Maximum number of open connections (5000).
MaxConnIdleTime Maximum amount of time a connection can be idle (900 seconds).
MaxActiveQueries Maximum number of queries that can be active at one time (20).
MaxNotificationPerConnection Maximum number of notifications that a client can request for a given connection (5).
MaxPageSize Maximum page size supported for LDAP responses (1000 records).
MaxQueryDuration Maximum length of time the domain controller can execute a query (120 seconds).
MaxTempTableSize Maximum size of temporary storage allocated to execute queries (10,000 records).
MaxResultSetSize Maximum size of the LDAP Result Set (262144 bytes).
MaxPoolThreads Maximum number of threads created by the domain controller for query execution (4 per processor).
MaxDatagramRecv Maximum number of datagrams that can be processed by the domain controller simultaneously (1024).


Community Resources

Override the hardcoded LDAP Query limits introduced in Windows Server 2008 and Windows Server 2008 R2
http://blogs.technet.com/b/qzaidi/archive/2010/09/02/override-the-hardcoded-ldap-query-limits-introduced-in-windows-server-2008-and-windows-server-2008-r2.aspx

LDAP policies
http://technet.microsoft.com/en-us/library/cc770976(v=WS.10).aspx

LDAP Policies
http://msdn.microsoft.com/en-us/library/cc223376(v=prot.20).aspx

How to view and set LDAP policy in Active Directory by using Ntdsutil.exe
http://support.microsoft.com/kb/315071

Global Catalog and LDAP Searches
http://technet.microsoft.com/en-us/library/cc978012.aspx

How Active Directory Searches Work
http://technet.microsoft.com/en-us/library/cc755809%28v=ws.10%29.aspx

Windows Server 2008 R2 or Windows Server 2008 domain controller returns only 5000 attributes in a LDAP response
http://support.microsoft.com/kb/2009267

 

 

Revert to this revision