Overview

LDAP policies are implemented in Microsoft Active Directory by using objects of the queryPolicy class. Query Policy objects can be created in the Query Policies container, which is a child of the Directory Service container in the configuration naming context. For example: cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,<configuration naming context>.
On Windows Server 2008 and Windows Server 2008 R2 two of the settings are also capped by a hardcoded maximum, whatever the policy says:

|LDAP setting||maximum value (hardcoded)|
|MaxPageSize||20000|
|MaxValRange||5000|

Therefore the effective setting for the above LDAP policy is MaxPageSize=50000 and MaxValRange=25000 on a Windows Server 2003 domain controller, exactly as configured in the LDAP policy, but on a Windows Server 2008 R2 or Windows Server 2008 domain controller the hardcoded limits dictate MaxPageSize=20000 and MaxValRange=5000.
MaxValRange affects the number of values returned for a single attribute. If you perform an LDAP query for the multi-valued attribute member of a group object with more than 5000 members, a Windows Server 2008 R2 or Windows Server 2008 domain controller will return only 5000 of them.
The Simple Paged Results Control may be used to retrieve all the results.
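The two client-side loops that these limits force on you, as an added example that is not part of the original page: the Simple Paged Results loop keeps asking with the server's cookie until the cookie comes back empty (MaxPageSize), and for a multi-valued attribute truncated at MaxValRange the client walks the attribute with the ranged-retrieval syntax `member;range=low-high` that Active Directory supports (the returned label ends in `*` on the final chunk). The `FakeDC` class is a constructed in-memory stand-in for a domain controller that enforces exactly these two limits; the DNs and member counts are constructed sample data, not taken from the page.

```python
import re
from dataclasses import dataclass, field


@dataclass
class FakeDC:
    """Constructed stand-in for a domain controller that enforces two limits:
    MaxPageSize on each search page and MaxValRange on one attribute."""
    max_page_size: int
    max_val_range: int
    objects: dict = field(default_factory=dict)  # dn -> {attribute: [values]}
    calls: int = 0                               # round trips, for inspection

    def search(self, page_size, cookie=None):
        """Simple Paged Results: return at most min(page_size, MaxPageSize)
        DNs plus a cookie; an empty cookie means no more pages."""
        self.calls += 1
        dns = sorted(self.objects)
        start = int(cookie) if cookie else 0
        limit = min(page_size, self.max_page_size)   # the DC caps the page size
        end = start + limit
        return dns[start:end], (str(end) if end < len(dns) else "")

    def read_attr(self, dn, attr_spec):
        """Ranged retrieval: asking for 'member' yields at most MaxValRange
        values and, if truncated, labels them 'member;range=0-4999';
        asking for 'member;range=5000-*' yields the next chunk. A '*' as the
        upper bound of the returned label marks the last chunk."""
        self.calls += 1
        name, _, rng = attr_spec.partition(";range=")
        values = self.objects[dn].get(name, [])
        low = int(rng.split("-")[0]) if rng else 0
        high = min(low + self.max_val_range, len(values))
        chunk = values[low:high]
        if not rng and high == len(values):
            return {name: chunk}             # everything fit, no range label
        upper = "*" if high == len(values) else str(high - 1)
        return {f"{name};range={low}-{upper}": chunk}


def paged_search(dc, page_size):
    """Client side of Simple Paged Results: collect pages until the cookie is empty."""
    results, cookie = [], None
    while True:
        page, cookie = dc.search(page_size, cookie)
        results.extend(page)
        if not cookie:
            return results


RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$")


def fetch_all_values(dc, dn, attr):
    """Client side of ranged retrieval: keep requesting attr;range=N-* until the
    label the server returns ends with '*'."""
    values, spec = [], attr
    while True:
        (label, chunk), = dc.read_attr(dn, spec).items()
        values.extend(chunk)
        match = RANGE_RE.match(label)
        if match is None or match.group("high") == "*":
            return values
        spec = f"{attr};range={int(match.group('high')) + 1}-*"


def build_sample():
    """Constructed directory: 2,499 user objects plus one group with 12,345
    members, on a DC using the page's limits (MaxPageSize=1000, MaxValRange=5000)."""
    dc = FakeDC(max_page_size=1000, max_val_range=5000)
    for i in range(2499):
        dc.objects[f"CN=user{i:05d},OU=Users,DC=example,DC=test"] = {"cn": [f"user{i:05d}"]}
    group_dn = "CN=Big Group,OU=Groups,DC=example,DC=test"
    dc.objects[group_dn] = {
        "member": [f"CN=m{i:05d},OU=Users,DC=example,DC=test" for i in range(12345)]
    }
    return dc, group_dn


if __name__ == "__main__":
    dc, group_dn = build_sample()
    print("objects via paging:", len(paged_search(dc, 50000)), "in", dc.calls, "pages")
    (label, values), = dc.read_attr(group_dn, "member").items()
    print("naive read of member:", label, "->", len(values), "values")
    print("members via ranges:", len(fetch_all_values(dc, group_dn, "member")))
```

Asking for 50,000 objects per page still costs three round trips because the server clamps the page to its own MaxPageSize, and the naive read of member comes back truncated and labelled with a range, which is the signal a client must check for rather than trusting the length of the list.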
Reboot requirement

If you change the values for the query policy that a domain controller is currently using, those changes take effect without a reboot. However, if a new query policy is created, a reboot is required for the new query policy to take effect.
Windows 2000 and Windows Server 2003 LDAP administration limits

The LDAP administration limits are:
InitRecvTimeout

This value defines the maximum time in seconds that a domain controller waits for the client to send the first request after the domain controller receives a new connection. If the client does not send the first request in this amount of time, the server disconnects the client.
Default value: 120 seconds
MaxActiveQueries

The maximum number of concurrent LDAP search operations that are permitted to run at the same time on a domain controller. When this limit is reached, the LDAP server returns a "busy" error.
Default value: 20
Note: This control has an incorrect interaction with the MaxPoolThreads value. MaxPoolThreads is a per-processor control, while MaxActiveQueries defines an absolute number. Starting with Windows Server 2003, MaxActiveQueries is no longer enforced. Additionally, MaxActiveQueries does not appear in the Windows Server 2003 version of NTDSUTIL.
MaxConnections

The maximum number of simultaneous LDAP connections that a domain controller will accept. If a connection comes in after the domain controller reaches this limit, the domain controller drops another connection.
Default value: 5000
MaxConnIdleTime

The maximum time in seconds that the client can be idle before the LDAP server closes the connection. If a connection is idle for more than this time, the LDAP server returns an LDAP disconnect notification.
Default value: 900 seconds
MaxDatagramRecv

The maximum size of a datagram request that a domain controller will process. Requests that are larger than the value for MaxDatagramRecv are ignored.
Default values:
- Windows 2000 - 1,024 bytes
- Windows Server 2003 - 4,096 bytes
MaxNotificationPerConnection

The maximum number of outstanding notification requests that are permitted on a single connection. When this limit is reached, the server returns a "busy" error to any new notification searches that are performed on that connection.
Default value: 5

MaxPageSize

The MaxPageSize value controls the maximum number of objects that are returned in a single search result.
MaxPoolThreads

The maximum number of threads per processor that a domain controller dedicates to listening for network input or output (I/O). This value also determines the maximum number of threads per processor that can work on LDAP requests at the same time.
Default value: 4 threads per-processor
MaxResultSetSize

Between the individual searches that make up a paged result search, the domain controller may store intermediate data for the client. The domain controller stores this data to speed up the next part of the paged result search. The MaxResultSetSize value controls the total amount of data that the domain controller stores for this kind of search. When this limit is reached, the domain controller discards the oldest of these intermediate results to make room to store new intermediate results.
Default value: 262,144 bytes
MaxQueryDuration

The maximum time in seconds that a domain controller will spend on a single search. When this limit is reached, the domain controller returns a "timeLimitExceeded" error. Searches that require more time must specify the paged results control.
Default value: 120 seconds
MaxTempTableSize

While a query is processed, the dblayer may try to create a temporary database table to sort and select intermediate results from. The MaxTempTableSize limit controls how large this temporary database table can be. If the temporary database table would contain more objects than the value for MaxTempTableSize, the dblayer performs a much less efficient parsing of the complete DS database and of all the objects in the DS database.
Default value: 10,000 records

MaxValRange

The MaxValRange value controls the number of values that are returned for an attribute of an object, independent of:
- how many attributes that object has
- how many objects were in the search result
LDIF for LDAP policy in Microsoft Active Directory

This is an export of the policy for a server. The "DC=mad,DC=willeke,DC=com" part is domain dependent.
WARNING! Line wrapping was eliminated so it was easier to read.
Please be careful as the export shows various attributes that should probably NOT be modified and "operational" attributes and values which can probably not be modified. In other words, be careful and know what you are doing or do not do it.
dn: CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mad,DC=willeke,DC=com
objectClass: top
objectClass: queryPolicy
cn: Default Query Policy
distinguishedName: CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mad,DC=willeke,DC=com
instanceType: 4
lDAPAdminLimits: MaxValRange=1500
lDAPAdminLimits: MaxReceiveBuffer=10485760
lDAPAdminLimits: MaxDatagramRecv=4096
lDAPAdminLimits: MaxPoolThreads=4
lDAPAdminLimits: MaxResultSetSize=262144
lDAPAdminLimits: MaxTempTableSize=10000
lDAPAdminLimits: MaxQueryDuration=120
lDAPAdminLimits: MaxPageSize=1000
lDAPAdminLimits: MaxNotificationPerConn=5
lDAPAdminLimits: MaxActiveQueries=20
lDAPAdminLimits: MaxConnIdleTime=900
lDAPAdminLimits: InitRecvTimeout=120
lDAPAdminLimits: MaxConnections=5000
name: Default Query Policy
objectCategory: CN=Query-Policy,CN=Schema,CN=Configuration,DC=mad,DC=willeke,DC=com
objectGUID:: 77+9V2dTeO+/vQtO77+9Wwpx77+977+9fO+/vQ==
showInAdvancedViewOnly: TRUE
uSNChanged: 4124
uSNCreated: 4124
whenChanged: 20081213153904.0Z
whenCreated: 20081213153904.0Z
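An export like the one above is worth checking against a known baseline, because the policy can say one thing while the domain controller enforces another (the hardcoded caps from the Overview) and because a raised limit such as MaxConnIdleTime is easy to miss in a long lDAPAdminLimits list. The following added example is not from the original page: it is a small LDIF reader that unfolds continuation lines and decodes base64 (`::`) values, pulls the lDAPAdminLimits into a dictionary, clamps them with the Windows Server 2008 / 2008 R2 caps the text gives, and reports drift from a baseline. The baseline values are the ones in the Default Query Policy export above; the `SAMPLE_LDIF` entry, its domain name and objectGUID are constructed, with MaxPageSize=50000 and MaxValRange=25000 taken from the Overview's policy example and an altered MaxConnIdleTime added for illustration.

```python
import base64

# Hardcoded ceilings named in the text for Windows Server 2008 / 2008 R2.
HARDCODED_CAPS = {"MaxPageSize": 20000, "MaxValRange": 5000}

# Baseline: the lDAPAdminLimits values from the page's Default Query Policy export.
BASELINE = {
    "MaxValRange": 1500, "MaxReceiveBuffer": 10485760, "MaxDatagramRecv": 4096,
    "MaxPoolThreads": 4, "MaxResultSetSize": 262144, "MaxTempTableSize": 10000,
    "MaxQueryDuration": 120, "MaxPageSize": 1000, "MaxNotificationPerConn": 5,
    "MaxActiveQueries": 20, "MaxConnIdleTime": 900, "InitRecvTimeout": 120,
    "MaxConnections": 5000,
}

# Constructed sample export (domain, GUID and the three changed limits are made up).
SAMPLE_LDIF = """\
dn: CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,
 CN=Services,CN=Configuration,DC=example,DC=test
objectClass: top
objectClass: queryPolicy
cn: Default Query Policy
lDAPAdminLimits: MaxValRange=25000
lDAPAdminLimits: MaxReceiveBuffer=10485760
lDAPAdminLimits: MaxDatagramRecv=4096
lDAPAdminLimits: MaxPoolThreads=4
lDAPAdminLimits: MaxResultSetSize=262144
lDAPAdminLimits: MaxTempTableSize=10000
lDAPAdminLimits: MaxQueryDuration=120
lDAPAdminLimits: MaxPageSize=50000
lDAPAdminLimits: MaxNotificationPerConn=5
lDAPAdminLimits: MaxActiveQueries=20
lDAPAdminLimits: MaxConnIdleTime=86400
lDAPAdminLimits: InitRecvTimeout=120
lDAPAdminLimits: MaxConnections=5000
objectGUID:: Y29uc3RydWN0ZWQtZ3VpZA==
"""


def parse_ldif_entry(text):
    """Minimal LDIF (RFC 2849) reader for one entry: unfolds lines that start
    with a space, decodes '::' base64 values, keeps multi-valued attributes."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # folded continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                   # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(name, []).append(value)
    return entry


def admin_limits(entry):
    """Turn the 'lDAPAdminLimits: Name=123' values into {Name: 123}."""
    limits = {}
    for item in entry.get("lDAPAdminLimits", []):
        name, _, value = item.partition("=")
        limits[name.strip()] = int(value)
    return limits


def effective_limits(limits, caps=HARDCODED_CAPS):
    """The DC silently clamps a configured value to its hardcoded ceiling."""
    return {k: min(v, caps[k]) if k in caps else v for k, v in limits.items()}


def audit(ldif_text, baseline=BASELINE, caps=HARDCODED_CAPS):
    """Report values the DC will not honour as written, drift from the
    baseline, and baseline limits the policy no longer sets."""
    configured = admin_limits(parse_ldif_entry(ldif_text))
    effective = effective_limits(configured, caps)
    findings = []
    for name, value in sorted(configured.items()):
        if effective[name] != value:
            findings.append(f"{name}={value} exceeds hardcoded cap; effective value is {effective[name]}")
        if name in baseline and value != baseline[name]:
            findings.append(f"{name} changed from baseline {baseline[name]} to {value}")
    for name in sorted(set(baseline) - set(configured)):
        findings.append(f"{name} missing from policy (baseline {baseline[name]})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LDIF):
        print(finding)
```

Feeding it a real export (for instance the output of ldifde against the Query-Policies container) only requires replacing `SAMPLE_LDIF`; the caps dictionary is the place to record the ceilings for whichever Windows Server version the domain controllers actually run.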
To make sure that domain controllers can support service-level guarantees, you must specify operational limits for a number of LDAP operations. These limits prevent specific operations from adversely affecting the performance of the server, and also make the server more resilient to some types of attacks.
The LDAP query result size limit, MaxPageSize, is one setting that people commonly have problems with.
More Information

There might be more information on this subject on one of the following pages:
- LDAP and Active Directory
- Microsoft Active Directory
- Microsoft Active Directory Anomalies
- Simple Paged Results Control