Overview#
LDAP policies are implemented in Microsoft Active Directory by using objects of the queryPolicy class.QueryPolicy objects can be created in the Query Policies container, which is a child of the Directory Service container in the Configuration Directory Partition naming context.
Active Directory LDAP Defaults[1] #
Hardcoded LDAP limitations have been introduced in Windows Server 2008 R2 and Windows Server 2008 to prevent overloading the domain controller. These limits override the LDAP policy in Active Directory setting when the policy value should be higher.| LDAP setting | maximum value (hardcoded) |
|---|---|
| MaxReceiveBuffer | 20971520 |
| MaxPageSize | 20000 |
| MaxQueryDuration | 1200 |
| MaxTempTableSize | 100000 |
| MaxValRange | 5000 |
Therefore the effective setting for the above LDAP policy is MaxPageSize=50000 and MaxValRange=25000 on a Windows Server 2003 Domain Controller as configured in the LDAP policy in Active Directory but on a Windows Server 2008 R2 or Windows Server 2008 Domain Controller the hardcoded limits dictate MaxPageSize=20000 and MaxValRange=5000.
MaxValRange affects the number of attributes returned for a query. If you perform a SearchRequest for the multi-valued attribute Member for a group object with more than 5000 members the Windows Server 2008 R2 or Windows Server 2008 domain controller will only return 5000 of them.
The use of the Simple Paged Results Control maybe used to retrieve all the results.
Where are LDAP policy in Active Directory values set#
LDAP policies are specified using the lDAPAdminLimits attribute. The lDAPAdminLimits attribute of a queryPolicy object is a multivalued string where each string value encodes a name-value pair. In the encoding, the name and value are separated by an "=". For example, the encoding of the name "MaxActiveQueries" with value "0" is "MaxActiveQueries=0". Each name is the name of an LDAP policy, and the value is a value of that policy.There can be multiple queryPolicy objects in a AD Forest. A DC determines the queryPolicy object that contains its policies according to the following logic:
- If the queryPolicyObject attribute is present on the DC's nTDSDSA object, the DC uses the queryPolicy object referenced by it.
- Otherwise, if the queryPolicyObject attribute is present on the nTDSSiteSettings object for the Active Directory Site to which the DC belongs, the DC uses the queryPolicy object referenced by the Active Directory Site.
- Otherwise, the DC uses the queryPolicy object whose DN is "CN=Default Query Policy,CN=Query-Policies" relative to the nTDSService object (for example, "CN=Default Query Policy, CN=Query-Policies, CN=Directory Service, CN=Windows NT, CN=Services" relative to the root of the config NC).
Reboot requirement#
If you change the values for the QueryPolicy that a Domain Controller is currently using, those changes take effect without a reboot. However, if a new QueryPolicy is created, a reboot is required for the new QueryPolicy to take effect.LDAP administration limits#
- InitRecvTimeout
- MaxActiveQueries
- MaxConnections
- MaxConnIdleTime
- MaxDatagramRecv
- MaxNotificationPerConnection
- MaxPageSize
- MaxPoolThreads
- MaxResultSetSize
- MaxQueryDuration
- MaxTempTableSize
- MaxValRange
- MaxResultSetsPerConn - (Default: 10) - The maximum number of individual Simple Paged Results Control SearchRequest per LDAP connection for which a Domain Controller will store optimization data. The data that is stored is outside the state model and is implementation-specific.
- MinResultSets- (Default: 3) - The minimum number of individual paged searches for which a Domain Controller will store optimization data. The data that is stored is outside the state model and is implementation-specific.
- MaxBatchReturnMessages - (Default: 1100) - The maximum number of messages that can be returned when processing an LDAP_SERVER_BATCH_REQUEST_OID extended operation.
- MaxPercentDirSyncRequests - (Default: 100) - The maximum percentage of LDAP threads that can be performing a search using the LDAP_SERVER_DIRSYNC_OID or LDAP_SERVER_DIRSYNC_EX_OID at one time.
- MaxValRangeTransitive - This policy has no significance.
- ThreadMemoryLimit - This policy affects implementation-specific memory allocation and limits.
- SystemMemoryLimitPercent - This policy affects implementation-specific memory allocation and limits.
- MaxDirSyncDuration - (Default: 60) - The maximum time, in seconds, that a DC will spend on a single SearchRequest when using the LDAP_SERVER_DIRSYNC_OID or LDAP_SERVER_DIRSYNC_EX_OID controls. When this limit is reached, the DC returns a LDAP_TIMELIMIT_EXCEEDED / LDAP_PARAM_ERROR error.
How To Change Values#
The values can be modified using Ntdsutil.exe or using a LDIF file.LDIF for LDAP policy in Microsoft Active Directory#
These values are apparently only visible in the Configuration Directory Partition for the Forest Root Domain and only Domain Controller which holds the PDC Emulator FSMO Role (Not documented but Observed)This is an export of the policy for a server. The "DC=mad,DC=example,DC=com" is AD DOMAIN and Windows Server Version dependent.
dn: CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mad,DC=example,DC=com objectClass: top objectClass: queryPolicy cn: Default Query Policy distinguishedName: CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mad,DC=example,DC=com instanceType: 4 lDAPAdminLimits: MaxValRange=1500 lDAPAdminLimits: MaxReceiveBuffer=10485760 lDAPAdminLimits: MaxDatagramRecv=4096 lDAPAdminLimits: MaxPoolThreads=4 lDAPAdminLimits: MaxResultSetSize=262144 lDAPAdminLimits: MaxTempTableSize=10000 lDAPAdminLimits: MaxQueryDuration=120 lDAPAdminLimits: MaxPageSize=1000 lDAPAdminLimits: MaxNotificationPerConn=5 lDAPAdminLimits: MaxActiveQueries=20 lDAPAdminLimits: MaxConnIdleTime=900 lDAPAdminLimits: InitRecvTimeout=120 lDAPAdminLimits: MaxConnections=5000 name: Default Query Policy objectCategory: CN=Query-Policy,CN=Schema,CN=Configuration,DC=mad,DC=example,DC=com objectGUID:: 77+9V2dTeO+/vQtO77+9F......9fO+/vQ== showInAdvancedViewOnly: TRUE uSNChanged: 4124 uSNCreated: 4124 whenChanged: 20081213153904.0Z whenCreated: 20081213153904.0Z
How to view and set LDAP policy in Active Directory by using Ntdsutil.exe
#
This step-by-step article describes how to manage Lightweight Directory Access Protocol (LDAP) policies by using the Ntdsutil.exe tool.
To make sure that domain controllers can support service-level guarantees, you must specify operational limits for a number of LDAP operations. These limits prevent specific operations from adversely affecting the performance of the server, and also make the server more resilient to some types of attacks.
LDAP policies are implemented by using objects of the queryPolicy class. Query Policy objects can be created in the Query Policies container, which is a child of the Directory Service container in the configuration naming context. For example: cn=Query-Policies, cn=Directory Service, cn=Windows NT, cn=Services configuration naming context.
LDAP Query Result Size, MaxPageSize, is one common setting that people have problems.
More Information#
There might be more information for this subject on one of the following:- InitRecvTimeout
- LDAP and Active Directory
- LDAPAdminLimits
- LDAP_SERVER_BATCH_REQUEST_OID
- LDAP_SERVER_RANGE_OPTION_OID
- MaxActiveQueries
- MaxBatchReturnMessages
- MaxConnIdleTime
- MaxConnections
- MaxDatagramRecv
- MaxNotificationPerConnection
- MaxPageSize
- MaxPoolThreads
- MaxQueryDuration
- MaxReceiveBuffer
- MaxResultSetSize
- MaxTempTableSize
- MaxValRange
- Microsoft Active Directory
- Microsoft Active Directory Anomalies
- Microsoft Active Directory Group Synchronization
- Ntdsutil.exe
- QueryPolicy
- Simple Paged Results Control
- SupportedLDAPPolicies
- [#1] - Windows Server 2008 and newer domain controller returns only 5000 values in a LDAP response - based on information obtained 2015-05-17
- [#2] - 3.1.1.3.4.6 LDAP Policies - based on information obtained 2020-04-20