Active Directory groups that contain more than 5000 members cannot be published/synchronized to eDirectory. They are truncated to 5000 members during the Publisher polling cycle.

The limit is controlled by the MaxValRange limits.

Migrating the group into the Identity Vault will temporarily bring the member lists into sync, but any subsequent modification of the group in Active Directory will cause the group to be truncated to 5000 members in the Identity Vault again.

This issue is caused by a limitation of Microsoft's DirSync API: Active Directory limits the number of values returned in response to DirSync LDAP queries to 5000. This is an Active Directory hard limit and does not depend on the MaxValRange parameter of the Domain Controller's LDAP policy (see Ntdsutil.exe).

The Active Directory driver uses the Microsoft Active Directory Directory Synchronization (DirSync) control to poll Active Directory for changes. When any change is detected on a group, all values of the changed attributes, up to 5000 values, are returned.

For forests and domains operating at the "Windows Server 2003" domain functional level or later, passing the DIRSYNC_LDAP_INCREMENTAL_VALUES flag to the Microsoft Active Directory Directory Synchronization control resolves this issue. Support for this flag was implemented in IDM 3.5 AD Driver Patch 1 - 20070601, now replaced by the IDM 3.5.1 or later downloads.
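As an added illustration that is not part of this article or of the IDM driver's code, the following Python builds and decodes the BER controlValue of the DirSync control (OID 1.2.840.113556.1.4.841) with and without the DIRSYNC_LDAP_INCREMENTAL_VALUES flag, so the request that asks for changed values only can be inspected on the wire. The flag constants (MS-ADTS names the flag LDAP_DIRSYNC_INCREMENTAL_VALUES, 0x80000000) and the SEQUENCE layout are taken from MS-ADTS, not from this page.

```python
# DirSync request flags from MS-ADTS; INCREMENTAL_VALUES is the one discussed above.
LDAP_SERVER_DIRSYNC_OID = "1.2.840.113556.1.4.841"   # control OID sent with the search
LDAP_DIRSYNC_OBJECT_SECURITY = 0x00000001
LDAP_DIRSYNC_ANCESTORS_FIRST_ORDER = 0x00000800
LDAP_DIRSYNC_PUBLIC_DATA_ONLY = 0x00002000
LDAP_DIRSYNC_INCREMENTAL_VALUES = 0x80000000  # return only changed values of multi-valued attrs


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(value):
    """BER INTEGER with a minimal two's-complement body (0x80000000 needs 5 octets)."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return b"\x02" + _ber_len(n) + value.to_bytes(n, "big", signed=True)


def dirsync_control_value(flags, max_bytes=0x7FFFFFFF, cookie=b""):
    """controlValue ::= SEQUENCE { Flags INTEGER, MaxBytes INTEGER, Cookie OCTET STRING }."""
    body = _ber_int(flags) + _ber_int(max_bytes) + b"\x04" + _ber_len(len(cookie)) + cookie
    return b"\x30" + _ber_len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_dirsync_control_value(control_value):
    """Inverse of dirsync_control_value(): returns (flags, max_bytes, cookie)."""
    tag, seq, _ = _read_tlv(control_value, 0)
    t1, flags, pos = _read_tlv(seq, 0)
    t2, max_bytes, pos = _read_tlv(seq, pos)
    t3, cookie, _ = _read_tlv(seq, pos)
    if (tag, t1, t2, t3) != (0x30, 0x02, 0x02, 0x04):
        raise ValueError("not a DirSync controlValue")
    return (int.from_bytes(flags, "big", signed=True),
            int.from_bytes(max_bytes, "big", signed=True), cookie)


def requests_incremental_values(control_value):
    """True when the encoded control asks for changed values only (the fix described above)."""
    flags, _, _ = decode_dirsync_control_value(control_value)
    return bool(flags & LDAP_DIRSYNC_INCREMENTAL_VALUES)
```

When checking a driver's behaviour in a packet capture, the first INTEGER of this SEQUENCE is where the flag shows up: a request without the 0x80000000 bit set will get at most 5000 values back for a changed group.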

Bug 533958 appeared at the Windows Server 2008 domain/forest functional level, where the DIRSYNC_LDAP_INCREMENTAL_VALUES flag was ignored. This was fixed in Active Directory driver version 3.5.6 Patch 1 and later.

