This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
Active Directory groups that contain more than 5000 members cannot be published/synchronized to [eDirectory]. They are truncated to 5000 members during the [DirXML] [Publisher Channel] polling cycle.
The limit is controlled by the [MaxValRange] limits.
Migrating the group into the [Identity Vault namespace] will temporarily sync up the member lists, but any subsequent modification of the group in Active Directory will cause the group to be truncated again to 5000 members in the Identity Vault.
This issue occurs due to a limitation in Microsoft's [DirSync] [API]. [Microsoft Active Directory] limits the number of values returned in response to [DirSync] [LDAP] queries to 5000 values. This is a [Microsoft Active Directory] hard limit and is not dependent on the [MaxValRange] parameter of the [Domain Controller]'s [LDAP policy in Active Directory] (see [Ntdsutil.exe]).
The Active Directory [DirXML Driver] uses the [Microsoft Active Directory] [Directory Synchronization Control] to poll [Microsoft Active Directory] for changes. When any change is detected on the group, all changed attribute values (up to 5000 values) are returned.
For an Active Directory whose [AD Forest] and domain are operating at or above the "[Windows Server 2003]" [Domain functional levels], adding the DIRSYNC_LDAP_INCREMENTAL_VALUES flag to the Microsoft Active Directory [Directory Synchronization Control] resolves this issue. This control was implemented in [DirXML] 3.5 AD Driver Patch 1 - 20070601, now replaced by the IDM 3.5.1 or later downloads.
%%information
Bug 533958 appeared at the 2008 domain/forest functional level, where the DIRSYNC_LDAP_INCREMENTAL_VALUES flag was ignored. \\This was fixed in Active Directory driver version 3.5.6 Patch 1 and later.
%%
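
A small model of the two polling behaviours described above, added here as an illustration (it is not code from the driver or from Microsoft, and it talks to no directory). It assumes the `member;range=1-1` and `member;range=0-0` attribute options that Active Directory uses to mark added and removed values in incremental DirSync results; the DNs, the function names and the choice of which 5000 values survive the cap are constructed.

```python
VALUE_CAP = 5000                 # per-attribute value cap described on this page
ADDED = "member;range=1-1"       # values added since the last poll
REMOVED = "member;range=0-0"     # values removed since the last poll


def dn(i):
    """Constructed member DN."""
    return f"CN=user{i:04d},OU=Staff,DC=example,DC=com"


def poll_full(ad_after):
    """Without the incremental flag: a change returns the attribute's values,
    cut off at VALUE_CAP (sorted order is an assumption of this model)."""
    return {"member": sorted(ad_after)[:VALUE_CAP]}


def poll_incremental(ad_before, ad_after):
    """With the incremental flag: only the changed values are returned."""
    entry = {}
    added = sorted(ad_after - ad_before)[:VALUE_CAP]
    removed = sorted(ad_before - ad_after)[:VALUE_CAP]
    if added:
        entry[ADDED] = added
    if removed:
        entry[REMOVED] = removed
    return entry


def apply_to_vault(vault_members, entry):
    """Apply one polled entry to the Identity Vault copy of the group."""
    if "member" in entry:                       # full value list: replace
        return set(entry["member"])
    result = set(vault_members)                 # delta: add, then remove
    result |= set(entry.get(ADDED, []))
    result -= set(entry.get(REMOVED, []))
    return result


def demo():
    """6000-member group, in sync after a migrate; then one add, one removal."""
    before = {dn(i) for i in range(6000)}
    after = (before | {dn(6000)}) - {dn(0)}
    vault_full = apply_to_vault(before, poll_full(after))
    vault_incr = apply_to_vault(before, poll_incremental(before, after))
    return len(after), len(vault_full), len(vault_incr), vault_incr == after


if __name__ == "__main__":
    print(demo())
```

Comparing the group's member count in Active Directory with the count in the Identity Vault after a poll is a quick way to tell which behaviour a driver version is showing.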
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]