Microsoft Active Directory Group Synchronization


Active Directory groups that contain more than 5000 members cannot be published/synchronized to eDirectory. They are truncated to 5000 members during the DirXML Publisher Channel polling cycle.

The limit is controlled by the MaxValRange limits.

Migrating the group into the Identity Vault namespace temporarily brings the member lists back into sync, but any subsequent modification of the group in Active Directory causes the group to be truncated to 5000 members in the Identity Vault again.

This issue is caused by a limitation in Microsoft's DirSync API. Microsoft Active Directory limits the number of values returned in response to DirSync LDAP queries to 5000 values. This is a Microsoft Active Directory hard limit and is not dependent on the MaxValRange parameter of the Domain Controller's LDAP policy in Active Directory (see Ntdsutil.exe).

The Active Directory DirXML Driver uses the Microsoft Active Directory Directory Synchronization (DirSync) Control to poll Active Directory for changes. When any change is detected on a group, all changed attribute values (up to 5000 values) are returned.

For Active Directory forests and domains operating at the "Windows Server 2003" domain functional level or later, setting the DIRSYNC_LDAP_INCREMENTAL_VALUES flag on the Microsoft Active Directory Directory Synchronization Control resolves this issue. This flag was implemented in DirXML 3.5 AD Driver Patch 1 - 20070601, now replaced by the IDM 3.5.1 or later downloads.

Bug 533958 appeared at the Windows Server 2008 domain/forest functional level, where the DIRSYNC_LDAP_INCREMENTAL_VALUES flag was ignored. This was fixed in Active Directory driver version 3.5.6 Patch 1 and later.
