!!! Overview
LDAP policies are implemented in [Microsoft Active Directory] by using objects of the [queryPolicy] class. 


[QueryPolicy] objects can be created in the Query Policies container, which is a child of the Directory Service container in the [Configuration Directory Partition] naming context. 

!! Active Directory LDAP Defaults[1] 
Hardcoded LDAP limitations have been introduced in [Windows Server 2008 R2] and [Windows Server 2008] to prevent overloading the domain controller. These limits override the [{$pagename}] setting whenever the configured policy value is higher than the hardcoded maximum.

||LDAP setting||maximum value (hardcoded)
|[MaxReceiveBuffer]|20971520
|[MaxPageSize]|20000
|[MaxQueryDuration]|1200
|[MaxTempTableSize]|100000
|[MaxValRange]|5000

Therefore, if the [{$pagename}] is configured with [MaxPageSize]=50000 and [MaxValRange]=25000, those are the effective settings on a [Windows Server 2003] [Domain Controller], but on a [Windows Server 2008 R2] or [Windows Server 2008] [Domain Controller] the hardcoded limits dictate [MaxPageSize]=20000 and [MaxValRange]=5000.

[MaxValRange] affects the number of attribute values returned for a query. If you perform a [SearchRequest] for the multi-valued attribute Member of a group object with more than 5000 members, the [Windows Server 2008 R2] or [Windows Server 2008] domain controller will return only 5000 of them.

The [Simple Paged Results Control] may be used to retrieve all the results.

!! Where are [{$pagename}] values set
[LDAP] [policies|Policy] are specified using the [lDAPAdminLimits] attribute. The [lDAPAdminLimits] attribute of a [queryPolicy] object is a multivalued string where each string value encodes a name-value pair. In the encoding, the name and value are separated by an "=". For example, the encoding of the name "MaxActiveQueries" with value "0" is "MaxActiveQueries=0". Each name is the name of an LDAP [policy], and the value is a value of that policy.

There can be multiple [queryPolicy] objects in an [AD Forest]. A [DC] determines the [queryPolicy] object that contains its policies according to the following logic:
* If the [queryPolicyObject] attribute is present on the [DC]'s [nTDSDSA] object, the [DC] uses the [queryPolicy] object referenced by it.
* Otherwise, if the [queryPolicyObject] attribute is present on the [nTDSSiteSettings] object for the [Active Directory Site] to which the [DC] belongs, the [DC] uses the [queryPolicy] object referenced by the [Active Directory Site].
* Otherwise, the DC uses the [queryPolicy] object whose [DN] is "CN=Default Query Policy,CN=Query-Policies" relative to the nTDSService object (for example, "CN=Default Query Policy, CN=Query-Policies, CN=Directory Service, CN=Windows NT, CN=Services" relative to the root of the config NC).
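The lookup order above, combined with the "Name=Value" encoding of [lDAPAdminLimits] and the hardcoded maximums from the table in the previous section, as an added example that is not part of this page or of Microsoft's documentation. All directory objects, the "CN=Big Policy" DN and the forest "DC=mad,DC=example,DC=com" are constructed in memory.

```python
# Added example (not from the wiki page): find the queryPolicy a DC uses
# (nTDSDSA, then its site, then the default), decode that policy's
# lDAPAdminLimits "Name=Value" strings, and apply the hardcoded caps.

CONFIG_NC = "CN=Configuration,DC=mad,DC=example,DC=com"  # constructed forest
DEFAULT_POLICY_DN = ("CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,"
                     "CN=Windows NT,CN=Services," + CONFIG_NC)
# Hardcoded maximums for Windows Server 2008 / 2008 R2 (table above).
HARDCODED_MAX_2008 = {"MaxReceiveBuffer": 20971520, "MaxPageSize": 20000,
                      "MaxQueryDuration": 1200, "MaxTempTableSize": 100000,
                      "MaxValRange": 5000}

def resolve_policy_dn(ntdsdsa, site_settings):
    """Lookup order: DC's nTDSDSA, then its site's nTDSSiteSettings, then default."""
    for source, obj in (("nTDSDSA", ntdsdsa), ("nTDSSiteSettings", site_settings)):
        if obj.get("queryPolicyObject"):
            return source, obj["queryPolicyObject"]
    return "default", DEFAULT_POLICY_DN

def parse_admin_limits(values):
    """Decode each lDAPAdminLimits string, e.g. 'MaxActiveQueries=0'."""
    limits = {}
    for raw in values:
        name, sep, value = raw.partition("=")
        if not sep or not value.strip().isdigit():
            raise ValueError("malformed lDAPAdminLimits value: %r" % raw)
        limits[name.strip()] = int(value)
    return limits

def effective_limits(configured, hardcoded_max=None):
    """A configured value above its hardcoded cap is silently replaced by the cap."""
    caps = hardcoded_max or {}
    return {n: min(v, caps[n]) if n in caps else v for n, v in configured.items()}

# Constructed directory: a custom policy raised to MaxPageSize=50000 and
# MaxValRange=25000 is linked at the site level; the DC's nTDSDSA has no override.
CUSTOM_POLICY_DN = ("CN=Big Policy,CN=Query-Policies,CN=Directory Service,"
                    "CN=Windows NT,CN=Services," + CONFIG_NC)
POLICIES = {
    DEFAULT_POLICY_DN: ["MaxPageSize=1000", "MaxValRange=1500", "MaxQueryDuration=120"],
    CUSTOM_POLICY_DN: ["MaxPageSize=50000", "MaxValRange=25000", "MaxQueryDuration=120"],
}
DC1_NTDSDSA = {}
SITE_SETTINGS = {"queryPolicyObject": CUSTOM_POLICY_DN}

def dc_effective_limits(ntdsdsa, site_settings, hardcoded_max=None):
    """Return (policy source, limits the DC actually enforces)."""
    source, dn = resolve_policy_dn(ntdsdsa, site_settings)
    return source, effective_limits(parse_admin_limits(POLICIES[dn]), hardcoded_max)

if __name__ == "__main__":
    print("2003 DC:", dc_effective_limits(DC1_NTDSDSA, SITE_SETTINGS))
    print("2008 DC:", dc_effective_limits(DC1_NTDSDSA, SITE_SETTINGS, HARDCODED_MAX_2008))
```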

!! Reboot requirement
If you change the values for the [QueryPolicy] that a [Domain Controller] is currently using, those changes take effect without a reboot. However, if a new [QueryPolicy] is created, a reboot is required for the new [QueryPolicy] to take effect.

!! [LDAP] administration limits

%%information
There is a big difference between [Windows Server 2000] and [Windows Server 2003] [LDAP] and [Windows Server 2008] and newer [Domain Controllers] for [{$pagename}].
%%
The most common [{$pagename}] limits are:
* [InitRecvTimeout]
* [MaxActiveQueries]
* [MaxConnections]
* [MaxConnIdleTime]
* [MaxDatagramRecv]
* [MaxNotificationPerConnection]
* [MaxPageSize]
* [MaxPoolThreads]
* [MaxResultSetSize]
* [MaxQueryDuration]
* [MaxTempTableSize]
* [MaxValRange]
* [MaxResultSetsPerConn] - (Default: 10) - The maximum number of individual [Simple Paged Results Control] [SearchRequest] per [LDAP] connection for which a [Domain Controller] will store optimization data. The data that is stored is outside the state model and is implementation-specific.
* [MinResultSets] - (Default: 3) - The minimum number of individual [paged searches|Simple Paged Results Control] for which a [Domain Controller] will store optimization data. The data that is stored is outside the state model and is implementation-specific.
* [MaxBatchReturnMessages] - (Default: 1100) - The maximum number of messages that can be returned when processing an [LDAP_SERVER_BATCH_REQUEST_OID] extended operation.
* [MaxPercentDirSyncRequests] - (Default: 100) - The maximum percentage of [LDAP] threads that can be performing a search using the [LDAP_SERVER_DIRSYNC_OID] or [LDAP_SERVER_DIRSYNC_EX_OID] at one time.
* [MaxValRangeTransitive] - This policy has no significance.
* [ThreadMemoryLimit] - This policy affects implementation-specific memory allocation and limits.
* [SystemMemoryLimitPercent] - This [policy] affects implementation-specific memory allocation and limits.
* [MaxDirSyncDuration] - (Default: 60) - The maximum time, in [seconds], that a DC will spend on a single [SearchRequest] when using the [LDAP_SERVER_DIRSYNC_OID] or [LDAP_SERVER_DIRSYNC_EX_OID] controls. When this limit is reached, the DC returns a [LDAP_TIMELIMIT_EXCEEDED] / [LDAP_PARAM_ERROR] [error|LDAP Result Code].

!!! [How To] Change Values
The values can be modified using [Ntdsutil.exe] or using an [LDIF] file.

!! LDIF for LDAP policy in [Microsoft Active Directory]
These values are apparently only visible in the [Configuration Directory Partition] of the [Forest Root Domain], and only on the [Domain Controller] which holds the [PDC Emulator FSMO Role] (not documented, but observed).

This is an export of the policy for a server. The "DC=mad,DC=example,DC=com" portion is [AD DOMAIN] dependent, and the values are [Windows Server] [Version] dependent.

%%information
Line wrapping was eliminated so it was easier to read.
%%

%%warning
Please be careful, as the export shows various attributes that should probably NOT be modified, as well as [OperationalAttribute]s and values which [MAY] not be modified. In other words, be careful and know what you are doing, or do not do it.
%%

%%prettify 
{{{
dn: CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mad,DC=example,DC=com
objectClass: top
objectClass: queryPolicy
cn: Default Query Policy
distinguishedName: CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mad,DC=example,DC=com
instanceType: 4
lDAPAdminLimits: MaxValRange=1500
lDAPAdminLimits: MaxReceiveBuffer=10485760
lDAPAdminLimits: MaxDatagramRecv=4096
lDAPAdminLimits: MaxPoolThreads=4
lDAPAdminLimits: MaxResultSetSize=262144
lDAPAdminLimits: MaxTempTableSize=10000
lDAPAdminLimits: MaxQueryDuration=120
lDAPAdminLimits: MaxPageSize=1000
lDAPAdminLimits: MaxNotificationPerConn=5
lDAPAdminLimits: MaxActiveQueries=20
lDAPAdminLimits: MaxConnIdleTime=900
lDAPAdminLimits: InitRecvTimeout=120
lDAPAdminLimits: MaxConnections=5000
name: Default Query Policy
objectCategory: CN=Query-Policy,CN=Schema,CN=Configuration,DC=mad,DC=example,DC=com
objectGUID:: 77+9V2dTeO+/vQtO77+9F......9fO+/vQ==
showInAdvancedViewOnly: TRUE
uSNChanged: 4124
uSNCreated: 4124
whenChanged: 20081213153904.0Z
whenCreated: 20081213153904.0Z
}}}


!!! [How to view and set LDAP policy in Active Directory by using Ntdsutil.exe|http://support.microsoft.com/kb/315071/]
This step-by-step article describes how to manage Lightweight Directory Access Protocol (LDAP) policies by using the Ntdsutil.exe tool. 

To make sure that domain controllers can support service-level guarantees, you must specify operational limits for a number of LDAP operations. These limits prevent specific operations from adversely affecting the performance of the server, and also make the server more resilient to some types of attacks.

LDAP policies are implemented by using objects of the queryPolicy class. Query Policy objects can be created in the Query Policies container, which is a child of the Directory Service container in the configuration naming context. For example: cn=Query-Policies, cn=Directory Service, cn=Windows NT, cn=Services configuration naming context.

LDAP Query Result Size, [MaxPageSize], is one common setting that people have problems with.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Windows Server 2008 and newer domain controller returns only 5000 values in a LDAP response|http://support.microsoft.com/kb/2009267|target='_blank'] - based on information obtained 2015-05-17
* [#2] - [3.1.1.3.4.6 LDAP Policies|https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/3f0137a1-63df-400c-bf97-e1040f055a99|target='_blank'] - based on information obtained 2020-04-20