Active Directory groups that contain more than 5000 members cannot be published/synchronized to eDirectory. They are truncated to 5000 members during the Publisher polling cycle.

The limit is controlled by the MaxValRange limits.

Migrating the group into the Identity Vault will temporarily sync up the member lists but any subsequent modification of the group in Active Directory will cause the group to again be truncated to 5000 members in the Identity Vault.

This issue occurs due to a limitation in Microsoft's DirSync API. Active Directory limits the number of values returned in response to DirSync LDAP queries to 5000 values. This is an Active Directory hard limit and is not dependent on the MaxValRange parameter of the Domain Controller's LDAP Policy (see Ntdsutil.exe)

The Active Directory driver uses Microsoft Active Directory Directory Synchronization Control to poll Active Directory for changes. When any change is detected on the group all changed attribute values - up to 5000 values - are returned.

For Active Directory whose Forest and domain are operating at or after "Windows Server 2003" domain functional levels, implementation of the DIRSYNC_LDAP_INCREMENTAL_VALUES flag to the Microsoft Active Directory Directory Synchronization Control resolves this issue. This control was implemented on IDM 3.5 AD Driver Patch 1 - 20070601, now replaced by the IDM 3.5.1 or later downloads.

Bug 533958 showed up in 2008 domain/forest functional level where the DIRSYNC_LDAP_INCREMENTAL_VALUES Flag was ignored.
This was fixed in Active Directory driver version 3.5.6 Patch 1 and later.

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-2) was last changed on 01-Apr-2015 13:41 by jim