Overview#

LDAP policies are implemented in Microsoft Active Directory by using objects of the queryPolicy class. Query Policy objects can be created in the Query Policies container, which is a child of the Directory Service container in the configuration naming context. For example: cn=Query-Policies, cn=Directory Service, cn=Windows NT, cn=Services configuration naming context.

Active Directory LDAP Defaults[1] #

Hardcoded LDAP limits were introduced in Windows Server 2008 and Windows Server 2008 R2 to prevent overloading the domain controller. Where the value configured in the LDAP policy in Active Directory is higher than the hardcoded maximum, the hardcoded maximum wins.

LDAP setting        Maximum value (hardcoded)
MaxReceiveBuffer    20971520
MaxPageSize         20000
MaxQueryDuration    1200
MaxTempTableSize    100000
MaxValRange         5000

Therefore an LDAP policy that sets MaxPageSize=50000 and MaxValRange=25000 is honoured as configured on a Windows Server 2003 domain controller, but on a Windows Server 2008 or Windows Server 2008 R2 domain controller the hardcoded limits cap the effective values at MaxPageSize=20000 and MaxValRange=5000.

MaxValRange limits the number of values of a multi-valued attribute that are returned in a single search result. If you query the Member attribute of a group object with more than 5000 members, a Windows Server 2008 or Windows Server 2008 R2 domain controller returns only 5000 of them (only 1500 with the default policy of MaxValRange=1500).

The remaining values are retrieved with incremental range retrieval, requesting the attribute as member;range=0-1499, member;range=1500-2999 and so on until the server answers with a range ending in "*". MaxPageSize, by contrast, caps the number of objects returned per search; result sets larger than that are retrieved page by page with the Simple Paged Results control.
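The following PowerShell is an added example, not code from the original page: it uses System.DirectoryServices.Protocols to read every member of a group larger than MaxValRange with range retrieval, and to walk a search larger than MaxPageSize with the Simple Paged Results control. The server name dc01.mad.willeke.com, the group DN and the search base are assumptions.

```powershell
# Added example, not from the original page. Server and DNs are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Range retrieval: fetch a multi-valued attribute in chunks so that groups
# larger than MaxValRange (1500 by default, 5000 hard limit) come back complete.
function Get-AllAttributeValues {
    param(
        [Parameter(Mandatory)] $Connection,     # System.DirectoryServices.Protocols.LdapConnection
        [Parameter(Mandatory)] [string]$DistinguishedName,
        [string]$Attribute = 'member',
        [int]$Step = 1500                       # the DC trims this to MaxValRange anyway
    )
    $values = New-Object 'System.Collections.Generic.List[string]'
    $start = 0
    while ($true) {
        $want = "$Attribute;range=$start-$($start + $Step - 1)"
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest (
                    $DistinguishedName, '(objectClass=*)',
                    [System.DirectoryServices.Protocols.SearchScope]::Base, $want)
        $resp = $Connection.SendRequest($req)
        if ($resp.Entries.Count -eq 0) { break }
        $attrs = $resp.Entries[0].Attributes
        # The DC names the attribute after the range it actually served,
        # e.g. member;range=0-1499, and member;range=3000-* for the last chunk.
        $served = $attrs.AttributeNames | Where-Object { $_ -like "$Attribute;range=*" } | Select-Object -First 1
        if (-not $served) {
            if ($attrs.Contains($Attribute)) {   # returned without a range
                $values.AddRange([string[]]$attrs[$Attribute].GetValues([string]))
            }
            break                                # or the attribute is empty
        }
        $values.AddRange([string[]]$attrs[$served].GetValues([string]))
        if ($served.EndsWith('-*')) { break }    # '*' marks the final chunk
        $start = [int]($served -replace '^.*-(\d+)$', '$1') + 1
    }
    return ,$values
}

# Paged search: without the control a search stops at MaxPageSize entries with
# sizeLimitExceeded; with it the DC hands back a cookie for the next page.
function Search-Paged {
    param(
        [Parameter(Mandatory)] $Connection,
        [Parameter(Mandatory)] [string]$BaseDn,
        [string]$Filter = '(objectClass=user)',
        [string[]]$Attributes = @('distinguishedName'),
        [int]$PageSize = 1000                   # the DC trims this to MaxPageSize
    )
    $dns  = New-Object 'System.Collections.Generic.List[string]'
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest (
                $BaseDn, $Filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, $Attributes)
    $page = New-Object System.DirectoryServices.Protocols.PageResultRequestControl ($PageSize)
    [void]$req.Controls.Add($page)
    do {
        $resp = $Connection.SendRequest($req)
        foreach ($e in $resp.Entries) { $dns.Add($e.DistinguishedName) }
        $cookie = ($resp.Controls |
            Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }).Cookie
        $page.Cookie = $cookie                  # an empty cookie means this was the last page
    } while ($cookie -and $cookie.Length -gt 0)
    return ,$dns
}

# Usage with assumed names.
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection ('dc01.mad.willeke.com')
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()                                    # current Windows credentials
$members = Get-AllAttributeValues -Connection $conn -DistinguishedName 'CN=Big Group,OU=Groups,DC=mad,DC=willeke,DC=com'
"$($members.Count) members"
$users = Search-Paged -Connection $conn -BaseDn 'DC=mad,DC=willeke,DC=com'
"$($users.Count) user objects"
```

The two mechanisms are independent: a client that sets the paged-results control but reads Member with a plain attribute request still gets only MaxValRange values per object, and a client that does range retrieval but no paging still loses objects past MaxPageSize.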

Reboot requirement#

If you change the values for the query policy that a Domain Controller is currently using, those changes take effect without a reboot. However, if a new query policy is created, a reboot is required for the new query policy to take effect.

Windows 2000 Server and Windows Server 2003 LDAP administration limits#

The LDAP administration limits are:

How To Change Values#

The values can be modified with Ntdsutil.exe, or by importing an LDIF change file with Ldifde.exe.

LDIF for LDAP policy in Microsoft Active Directory#

This is an export of the Default Query Policy from one server; "DC=mad,DC=willeke,DC=com" is domain dependent.
Line wrapping was removed so it is easier to read.
Be careful: the export includes operational attributes (objectGUID, uSNChanged, uSNCreated, whenChanged, whenCreated) that cannot be modified, and others that should NOT be. Only the lDAPAdminLimits values are meant to be changed. In other words, know what you are doing, or do not do it.
dn: CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mad,DC=willeke,DC=com
objectClass: top
objectClass: queryPolicy
cn: Default Query Policy
distinguishedName: CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mad,DC=willeke,DC=com
instanceType: 4
lDAPAdminLimits: MaxValRange=1500
lDAPAdminLimits: MaxReceiveBuffer=10485760
lDAPAdminLimits: MaxDatagramRecv=4096
lDAPAdminLimits: MaxPoolThreads=4
lDAPAdminLimits: MaxResultSetSize=262144
lDAPAdminLimits: MaxTempTableSize=10000
lDAPAdminLimits: MaxQueryDuration=120
lDAPAdminLimits: MaxPageSize=1000
lDAPAdminLimits: MaxNotificationPerConn=5
lDAPAdminLimits: MaxActiveQueries=20
lDAPAdminLimits: MaxConnIdleTime=900
lDAPAdminLimits: InitRecvTimeout=120
lDAPAdminLimits: MaxConnections=5000
name: Default Query Policy
objectCategory: CN=Query-Policy,CN=Schema,CN=Configuration,DC=mad,DC=willeke,DC=com
objectGUID:: 77+9V2dTeO+/vQtO77+9Wwpx77+977+9fO+/vQ==
showInAdvancedViewOnly: TRUE
uSNChanged: 4124
uSNCreated: 4124
whenChanged: 20081213153904.0Z
whenCreated: 20081213153904.0Z

How to view and set LDAP policy in Active Directory by using Ntdsutil.exe#

This step-by-step article describes how to manage Lightweight Directory Access Protocol (LDAP) policies by using the Ntdsutil.exe tool.

To make sure that domain controllers can support service-level guarantees, you must specify operational limits for a number of LDAP operations. These limits prevent specific operations from adversely affecting the performance of the server, and also make the server more resilient to some types of attacks.

LDAP Query Result Size, MaxPageSize, is the setting people most often have problems with: a search that matches more objects than MaxPageSize returns only that many entries and then fails with sizeLimitExceeded unless the client uses the Simple Paged Results control.
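The commands below are an added example, not steps from the original page or the Microsoft article it quotes: they view and change one limit with Ntdsutil.exe (the ntdsutil commands passed as arguments, exactly as they would be typed at its prompts), make the same change as an LDIF modify imported with Ldifde.exe, as the "How To Change Values" section suggests, and then read the policy back. The server name DC01 is an assumption; the naming context DC=mad,DC=willeke,DC=com matches the export above.

```powershell
# Added example, not from the original page. DC01 is an assumed server name.

# View the policy the server is using: the ntdsutil menu path is
# "LDAP policies" -> connections -> "connect to server" -> quit -> "show values".
ntdsutil "LDAP policies" connections "connect to server DC01" quit "show values" quit quit

# Raise MaxPageSize and commit. Nothing is written until "commit changes"; the
# edit lands on the query policy object in the configuration NC, so it
# replicates to other DCs using that policy and takes effect without a reboot.
ntdsutil "LDAP policies" connections "connect to server DC01" quit `
    "set MaxPageSize to 2000" "commit changes" "show values" quit quit

# The same change as an LDIF modify. lDAPAdminLimits is multi-valued: delete the
# exact old string and add the new one. Replacing the whole attribute with a
# single value would silently drop every other limit.
$ldif = @'
dn: CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mad,DC=willeke,DC=com
changetype: modify
delete: lDAPAdminLimits
lDAPAdminLimits: MaxPageSize=1000
-
add: lDAPAdminLimits
lDAPAdminLimits: MaxPageSize=2000
-
'@
Set-Content -Path .\maxpagesize.ldf -Value $ldif -Encoding ASCII
ldifde -i -f .\maxpagesize.ldf -s DC01

# Verify the policy object, and check which policy this DC is actually bound
# to: queryPolicyObject on its NTDS Settings object; if that is unset, the
# site's policy applies, and failing that the Default Query Policy.
Import-Module ActiveDirectory
$cfg      = (Get-ADRootDSE -Server DC01).configurationNamingContext
$policyDn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$cfg"
(Get-ADObject -Server DC01 -Identity $policyDn -Properties lDAPAdminLimits).lDAPAdminLimits | Sort-Object
$ntds = (Get-ADRootDSE -Server DC01).dsServiceName
(Get-ADObject -Server DC01 -Identity $ntds -Properties queryPolicyObject).queryPolicyObject
```

The LDIF delete fails if "MaxPageSize=1000" is not the exact current value, which is the safe outcome: check the export first rather than guessing. Remember that on Windows Server 2008 and 2008 R2 a value above the hardcoded maximum is accepted by the directory but capped by the DC.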

« This page (revision-32) was last changed on 25-May-2017 11:38 by jim