Windows Server 2008 and newer domain controller returns only 5000 values in a LDAP response

Article translations Article translations
Close Close
Article ID: 2009267 - View products that this article applies to.
Expand all | Collapse all

Symptoms

An LDAP application may return less information when a query is sent to a Windows Server 2008 or Windows Server 2008 R2 domain controller than when sent to a Windows Server 2003 domain controller. The query results may appear truncated or incomplete. In some occasions you may not get any results.

If, for example, a LDAP application queries the members of a group, the Windows Server 2008 R2 or Windows Server 2008 domain controller only returns 5000 members, while the Windows Server 2003 domain controllers returns many more members.

In both cases you may realize the same extended LDAP policy setting in NTDSUTIL required for the LDAP application. For more information about viewing the LDAP policy settings, click the following article number to view the article in the Microsoft Knowledge Base:

315071 How to view and set LDAP policy in Active Directory by using Ntdsutil.exe

Sample output:

ldap policy:  show values

Policy                          Current(New)

MaxPoolThreads                  4
MaxDatagramRecv               4096
MaxReceiveBuffer                10485760
InitRecvTimeout                  120
MaxConnections                  5000
MaxConnIdleTime               900
MaxPageSize                      50000
MaxQueryDuration               120
MaxTempTableSize             10000
MaxResultSetSize                262144
MinResultSets                      0
MaxResultSetsPerConn         0
MaxNotificationPerConn        5
MaxValRange                      25000

Note: On both domain controllers the setting MaxPageSize is set to 50000 (default 1000) and MaxValRange to 25000 (default 1500).

Cause

Internal LDAP limitations have been introduced in Windows Server 2008 R2 and Windows Server 2008 to prevent overloading the domain controller. These limits overwrite the LDAP policy setting when the policy value should be higher.

 LDAP setting  maximum value (hardcoded)
 MaxReceiveBuffer             20971520
 MaxPageSize                   20000
 MaxQueryDuration            1200
 MaxTempTableSize          100000
 MaxValRange                   5000

Therefore the effective setting for the above LDAP policy is MaxPageSize=50000 and MaxValRange=25000 on a Windows Server 2003 domain controller as configured in the LDAP policy but on a Windows Server 2008 R2 or Windows Server 2008 domain controller the hardcoded limits dictate MaxPageSize=20000 and MaxValRange=5000.

MaxValRange affects the number of attributes returned for a query. If you perform a LDAP query for the multi-valued attribute Member for a group object with more than 5000 members the Windows Server 2008 R2 or Windows Server 2008 domain controller will only return 5000 of them.

Resolution

The new maximum limits introduced with Windows Server 2008 R2 and Windows Server 2008 try to enforce the message that applications should adopt to the policies AD wants to enforce. You should adapt your LDAP application accordingly.

For the MaxValRange limitation you may consider the following MSDN information and samples for using ranged queries:

Range Retrieval of Attribute Values
http://msdn.microsoft.com/en-us/library/cc223242(PROT.10).aspx

The following code example uses ranging to retrieve the members of a group using the IDirectoryObject interface:

Example Code for Ranging with IDirectoryObject
http://msdn.microsoft.com/en-us/library/aa705923(VS.85).aspx

The following code example uses ranging to retrieve the members of a group using the IDirectorySearch interface:

Example Code for Ranging with IDirectorySearch
http://msdn.microsoft.com/en-us/library/aa705924(VS.85).aspx

For MaxPageSize it is recommended to used paged queries, outlined on MSDN as follows:

Paging Search Results
http://msdn.microsoft.com/en-us/library/aa367011(VS.85).aspx

ldap_create_page_control Function
http://msdn.microsoft.com/en-us/library/aa366547(VS.85).aspx

There is a way to override these limitations, but we encourage to discuss the requirements with Microsoft customer technical support to decide if modifying the policies is the correct approach.

More Information

For more information about LDAP policies please visit

LDAP Policies
http://msdn.microsoft.com/en-us/library/cc223376(PROT.10).aspx

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2009267 - Last Review: August 28, 2013 - Revision: 8.0
Applies to
  • Windows Server 2008 Standard
  • Windows Server 2008 Enterprise
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2012 Standard
  • Windows Server 2012 Essentials
Keywords: 
KB2009267

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com