The more you use Active Directory (AD), the more likely you find yourself the unhappy victim of one or more of the limits imposed either by AD itself or by an interface you use to administer it. The AD limits exist primarily to optimize AD's performance; they relate only marginally to the number of objects you can have. For example, the maximum number of user accounts possible in a Windows NT domain was 40,000. The number of user accounts possible in an AD domain is huge. I don't know the absolute maximum, but Korea.com (an Internet portal providing a range of Web services to Korean citizens) has an 8-million-user-account AD implementation. Here are some common AD limits and tips for adjusting or working around them should they become problematic.
MMC Folder Display Limit
When you use the Windows 2000 Microsoft Management Console (MMC) Active Directory Users and Computers snap-in to display the contents of an organizational unit (OU) or container that contains more than 2000 objects, you see an error message stating that AD can't display all the objects and giving advice for changing the default option. If you have Windows Server 2003, you see a slightly more helpful message stating the limit and the number of objects AD is trying to display.
To change the default display limit, click View, Filter Options and change the Maximum number of items displayed per folder value. Be aware that this limit exists for a good reason: Displaying the contents of an OU that contains 30,000 objects can take a long time.
Search Buffer Size
After overcoming the default 2000-object display limit, you might be frustrated yet again if you try to display the contents of an OU that contains more than 10,000 objects. The source of the frustration is the default AD search buffer size, which certain UI tools (including the Active Directory Users and Computers snap-in) use. The buffer stores query results and by default is limited to 10,000 objects to improve performance.
The Microsoft article "Controlling the Active Directory Search Buffer Size" (http://support.microsoft.com/?kbid=243281) describes two ways to change this default. The first option involves changing a registry value. Add a new DWORD value named QueryLimit to the HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Directory UI registry subkey. Set the value for QueryLimit to the limit you think you need. You might need to add the \Windows and \Directory UI subkeys if they aren't present.
The second method also applies the registry setting but does so through Group Policy. Open the Group Policy Object (GPO) you want to edit (e.g., Default Domain Policy). In the treeview pane, navigate to User Configuration, Administrative Templates, Desktop, Active Directory. Enable the Maximum size of Active Directory searches policy and set the value you want.
I prefer the second approach because it avoids incorrectly entered registry values. I've also seen problems with the first method when used with the Run As feature and dedicated administrative accounts. The registry value doesn't work with accounts specified by using Run As, probably because the specified account isn't affected by HKEY_CURRENT_USER settings. If you want to use Run As after applying the second (GPO) method, in order to apply the Group Policy setting you must perform a normal Windows logon at least once for any accounts you plan to specify with Run As.
Interestingly, although the setting (using either method) works well for the Active Directory Users and Computers snap-in, it appears to have no effect on the MMC Active Directory Service Interfaces (ADSI) Edit snap-in. I haven't found a way to use ADSI Edit to display more than 10,000 objects.
LDAP Maximum Page Size
You're probably aware that AD supports Lightweight Directory Access Protocol (LDAP) 3.0. AD's LDAP support lets you search the directory from an LDAP-compliant client. To protect against Denial of Service (DoS) attacks and searches that might adversely impact performance, AD imposes a maximum page size of 1000 when returning the results of LDAP queries. In other words, AD returns no more than 1000 records at a time in response to an LDAP query. For example, if you execute an LDAP subtree search for all user objects in your domain, the search will return 1000 records and a Size Limit Exceeded error if your domain has more than 1000 user objects.
You have two options for working around this limit. The first is to change the maximum page size from the client; the second is to modify the MaxPageSize LDAP policy on your domain controllers (DCs) to set a higher limit. As a best practice, you should use the first method and leave the LDAP policy alone. As users and applications make increasing use of AD, inefficient LDAP queries become more likely. The maximum page-size setting protects AD from inefficient queries. The main danger with modifying the policy is that doing so can inhibit DC performance. To learn more about changing LDAP policies, see the Microsoft article "HOW TO: View and Set Lightweight Directory Access Protocol Policies by Using Ntdsutil.exe in Windows 2000" (http://support.microsoft.com/?kbid=315071).
One way to set the maximum page size on an LDAP client is to use the ldp.exe LDAP client from the Windows 2003 or Win2K support tools. To use this method, follow these steps:
- Open ldp.exe.
- Connect and bind to the directory. To do this, click the Connection menu item, then click Connect. Enter the name of the DC you want to connect to in Fully Qualified Domain Name (FQDN) format (e.g., dc1.mydomain.com), or simply leave the field blank if you want to connect to a nearby DC in the default domain, and click OK. To perform an LDAP bind to the DC, click Bind on the Connection menu, complete the user, password, and domain information by using a domain account that has the appropriate permissions (usually a regular user account will suffice), and click OK. Click Browse, then click Search.
- Click Options and change the settings so that they appear as Figure 1 shows.
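The same client-side approach in script form, as an added example that is not part of the original article: it reads the DC's effective MaxPageSize from the Default Query Policy and then runs a paged subtree search for all user objects so the DC's limit is never exceeded and the LDAP policy is left alone. It assumes a domain-joined host and a regular domain account.

```powershell
# Added example (not from the original article). Assumes a domain-joined host and a
# regular domain user; no DC-side policy is modified.
Add-Type -AssemblyName System.DirectoryServices

# 1. Read the effective MaxPageSize from the Default Query Policy in the configuration NC.
#    lDAPAdminLimits is multi-valued and holds entries such as "MaxPageSize=1000".
$rootDse  = [ADSI]"LDAP://RootDSE"
$policyDn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
            "CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$policy   = [ADSI]"LDAP://$policyDn"
$maxPage  = ($policy.lDAPAdminLimits | Where-Object { $_ -like 'MaxPageSize=*' }) -replace '^MaxPageSize=', ''
Write-Host "DC MaxPageSize policy: $maxPage"

# 2. Paged subtree search for all user objects. Setting PageSize makes the client send the
#    LDAP paged-results control, so the DC returns pages of at most PageSize entries and the
#    full result set comes back without a Size Limit Exceeded error. Without PageSize the DC
#    caps the reply at MaxPageSize, exactly as the article describes.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$searcher.Filter      = '(&(objectCategory=person)(objectClass=user))'
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 1000   # at or below the DC's MaxPageSize; the DC enforces its own limit per page
$searcher.SizeLimit   = 0      # 0 = no client-imposed cap on the total; paging supplies all results
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')

$count = 0
foreach ($result in $searcher.FindAll()) { $count++ }
Write-Host "User objects returned via paged search: $count"
```

Keeping PageSize at or below the policy value is the point: a paged query is efficient for the DC, whereas raising MaxPageSize lets a single careless query pull the whole result set in one reply.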