Windows Server 2008 R2 or Windows Server 2008 domain controller returns only 5000 attributes in an LDAP response
Article ID: 2009267
An LDAP application may return less information when a query is sent to a Windows Server 2008 or Windows Server 2008 R2 domain controller than when the same query is sent to a Windows Server 2003 domain controller. The query results may appear truncated or incomplete. In some cases you may not get any results.
If, for example, an LDAP application queries the members of a group, the Windows Server 2008 R2 or Windows Server 2008 domain controller returns only 5000 members, while the Windows Server 2003 domain controller returns many more members.
On both domain controllers, NTDSUTIL may show the same extended LDAP policy settings that the LDAP application requires. For more information about viewing the LDAP policy settings, click the following article number to view the article in the Microsoft Knowledge Base:
Note: On both domain controllers the setting MaxPageSize is set to 50000 (default 1000) and MaxValRange to 25000 (default 1500).
Hardcoded LDAP limits were introduced in Windows Server 2008 R2 and Windows Server 2008 to prevent overloading the domain controller. These limits override the LDAP policy setting whenever the configured policy value is higher than the limit.
Therefore, on a Windows Server 2003 domain controller the effective setting for the above LDAP policy is MaxPageSize=50000 and MaxValRange=25000, as configured in the LDAP policy. On a Windows Server 2008 R2 or Windows Server 2008 domain controller, the hardcoded limits dictate MaxPageSize=20000 and MaxValRange=5000.
MaxValRange affects the number of attribute values returned for a query. If you perform an LDAP query for the multi-valued attribute Member of a group object with more than 5000 members, the Windows Server 2008 R2 or Windows Server 2008 domain controller returns only 5000 of them.
The new maximum limits introduced with Windows Server 2008 R2 and Windows Server 2008 are meant to reinforce the message that applications should adapt to the policies that Active Directory enforces. You should adapt your LDAP application accordingly.
For the MaxValRange limitation you may consider the following MSDN information and samples for using ranged queries:
The following code example uses ranging to retrieve the members of a group using the IDirectoryObject interface:
The following code example uses ranging to retrieve the members of a group using the IDirectorySearch interface:
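Added example, not the MSDN sample code and not from Microsoft: the range-retrieval loop for the Member attribute, in Python, run against a constructed stand-in for a domain controller that caps each response at MaxValRange=5000 values. `fake_dc_read`, `read_all_members`, the sample DNs and the group size are assumptions made for the illustration; a real client would send the same `member;range=LOW-*` attribute requests over LDAP.

```python
import re

MAX_VAL_RANGE = 5000  # effective cap on Windows Server 2008 / 2008 R2 (from the article)
# Constructed sample data: a group with 12,345 members (hypothetical DNs).
GROUP_MEMBERS = [f"CN=user{i},OU=Staff,DC=example,DC=com" for i in range(12345)]
RANGE_RE = re.compile(r"member(?:;range=(\d+)-(\d+|\*))?", re.IGNORECASE)


def fake_dc_read(attr_request, values=GROUP_MEMBERS, cap=MAX_VAL_RANGE):
    """Hypothetical stand-in for a domain controller reading one group object.

    Accepts 'member' or 'member;range=LOW-HIGH' (HIGH may be '*') and returns
    (attribute name as sent back, values), never more than `cap` values.
    """
    m = RANGE_RE.fullmatch(attr_request)
    if m is None:
        raise ValueError(f"unsupported attribute request: {attr_request}")
    last = len(values) - 1
    low = int(m.group(1) or 0)
    high = last if m.group(2) in (None, "*") else int(m.group(2))
    high = min(high, low + cap - 1, last)
    # '*' as the upper bound tells the client this is the final chunk.
    upper = "*" if high >= last else str(high)
    return f"member;range={low}-{upper}", values[low:high + 1]


def read_all_members(read=fake_dc_read):
    """Client side: keep asking for the next range until the server answers '-*'."""
    members, low = [], 0
    while True:
        name, chunk = read(f"member;range={low}-*")
        members.extend(chunk)
        m = RANGE_RE.fullmatch(name)
        if m is None or m.group(2) in (None, "*"):
            return members  # final chunk, or attribute returned without a range
        low = int(m.group(2)) + 1  # next request starts after the last value received


if __name__ == "__main__":
    _, naive = fake_dc_read("member")  # single unranged read: silently truncated
    print(len(naive), "of", len(GROUP_MEMBERS), "members from one read")
    print(len(read_all_members()), "members with range retrieval")
```

A tool that audits group membership with a single unranged read sees only the first 5000 members here and reports no error, which is why the loop checks the upper bound returned by the server instead of assuming one response is complete.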
For MaxPageSize it is recommended to use paged queries, outlined on MSDN as follows:
There is a way to override these limitations, but we encourage you to discuss the requirements with Microsoft customer technical support to decide whether modifying the policies is the correct approach.
For more information about LDAP policies and for other considerations, visit http://go.microsoft.com/fwlink/?LinkId=151500.