Overview

The presence of this OID in the SupportedExtension attribute indicates that the DC provides support for the batched LDAP extended operation. In a batched LDAP extended operation, the DC accepts an extended operation that contains a sequence of LDAP messages (that is, LDAP operations) encoded and packed into the operation data and then operates on the individual messages sequentially.

When sending this extended operation to the DC, the data field is set to the BER encoding of the following ASN.1 structure.

SEQUENCE of OCTET STRING

Each OCTET STRING contains a BER-encoded (ITU-T X.690) LDAPMessage as defined in RFC 2251.
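The following added example (not part of the specification or of any vendor code) unpacks the request data described above into its inner LDAPMessages and reports each messageID and protocolOp tag, which is what a traffic inspector or audit tool needs in order to see which operations a batch carries. The helper names and the sample bytes (two delRequest messages, tag 0x4A) are constructed for illustration.

```python
# Added example. Assumes definite-length BER with single-byte tags, as LDAP uses.

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length == 0x80:
        raise ValueError("indefinite length is not legal in LDAP")
    if length > 0x80:                     # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if pos + n > len(buf):
            raise ValueError("truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):               # walk the elements packed inside a value
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def unpack_batch(request_value):
    """Return [(messageID, protocolOp tag)] for every inner LDAPMessage."""
    tag, body, end = read_tlv(request_value)
    if tag != 0x30 or end != len(request_value):
        raise ValueError("data is not a single SEQUENCE")
    ops = []
    for tag, octets in children(body):
        if tag != 0x04:
            raise ValueError("element is not an OCTET STRING")
        mtag, msg, mend = read_tlv(octets)
        fields = list(children(msg))
        if mtag != 0x30 or mend != len(octets) or len(fields) < 2 or fields[0][0] != 0x02:
            raise ValueError("OCTET STRING does not hold an LDAPMessage")
        ops.append((int.from_bytes(fields[0][1], "big"), fields[1][0]))
    return ops

def tlv(tag, value):                      # encoder for the constructed sample (short lengths only)
    return bytes([tag, len(value)]) + value

# Constructed sample: LDAPMessages with messageID 1 and 2, each a delRequest (tag 0x4A).
SAMPLE = tlv(0x30, b"".join(tlv(0x04, tlv(0x30, tlv(0x02, bytes([mid])) + tlv(0x4A, dn)))
                            for mid, dn in ((1, b"cn=a"), (2, b"cn=b"))))
```

A parser used for inspection should reject the same malformed inputs the DC rejects, so every structural violation above raises `ValueError` rather than returning a partial list.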

The DC MUST support the following values of the protocolOp field of an LDAP message.

The DC MAY support any of the other legal values of the protocolOp field of an LDAP message. No version of the Windows Server operating system supports any of these other values.

The DC MUST accept the following SupportedControls as part of the encoded LDAPMessage:

The DC MAY support other controls. No version of Windows Server supports any other controls.

If the DC returns any return code for the batched LDAP extended operation other than success / <unrestricted>, then the DC returns no data for the batched LDAP extended operation.

If the DC returns any data for the batched LDAP extended operation, the data is set to the BER encoding of the following ASN.1 structure.

SEQUENCE of LDAPMessage

If the DC receives an LDAPMessage containing unsupported protocolOp values or controls, or if the data for the batched LDAP extended operation is not a legal BER encoding as required, the DC must return the error protocolError / <unrestricted>.

If the number of individual messages in the return data exceeds the DC's limit, the overall batched LDAP extended operation returns the error sizeLimitExceeded / <unrestricted>. This limit is controlled by the MaxBatchReturnMessages LDAP policy.

If the amount of time spent processing the batched LDAP extended operation exceeds the DC's limit, the overall batched LDAP extended operation returns the error timeLimitExceeded / ERROR_INVALID_PARAMETER. This limit is implementation-defined. In Windows Server 2012 operating system and Windows Server 2012 R2 operating system, this limit is controlled by the MaxQueryDuration LDAP policy.

If any operation in a batched LDAP extended operation results in an LDAP return code other than success / <unrestricted>, then all subsequent operations in that batched LDAP operation are not performed and all prior operations are "rolled back"; that is, no changes that would have been caused by the operations are committed to the DC's state.

Note that, other than where explicitly stated, the return codes of these individual operations do not affect the return code of the batched LDAP extended operation.

If an individual operation in the batched LDAP extended operation returns busy / <unrestricted>, then the batched LDAP extended operation returns the return code generated by that individual operation.

If no other error conditions are present, the DC returns the error code success / <unrestricted>.

If the DC returns any return code for the batched LDAP extended operation other than success / <unrestricted>, then all operations in that batched LDAP operation are "rolled back"; that is, no changes caused by the operations are committed to the DC's state.

The returned data for the batched LDAP extended operation is the sequence containing the return messages generated by performing the individual operations encoded in the incoming data. Note especially that if an individual operation fails, causing the whole sequence to be interrupted and "rolled back", the return sequence of messages includes all messages generated up to and including the message returning the individual operation's failure code. In this case, the returned data can show successful modifications to DC state, but since the final message in the incoming sequence of operations was not completed with a successful return code, these messages indicate only that the operations that modify the DC state would have succeeded and been committed if they had been the last operation in the sequence of messages; that is, these messages indicate that the operations up to the operation that failed would have succeeded.

This page (revision-2) was last changed on 02-Jan-2014 15:48 by jim