Override the hardcoded LDAP Query limits introduced in Windows Server 2008 and Windows Server 2008 R2
This is Qasim Zaidi. First of all, welcome to my blog site.
Next, I am writing this blog (thanks to a colleague) since some of my customers are running into LDAP limitations which are now hardcoded in Windows Server 2008 and Windows Server 2008 R2. Though, ideally we would like to modify the paged queries but depending on the number of applications a customer might have, they might require months or even years to revamp their whole application coding strategy while in the meantime, they would also be upgrading their existing servers and domain controllers to Windows Server 2008 R2. So let's first see what we are talking about here...
According to https://support.microsoft.com/kb/2009267 titled Windows Server 2008 R2 or Windows Server 2008 domain controller returns only 5000 attributes in a LDAP response:
“An LDAP application may return less information when a query is sent to a Windows Server 2008 or Windows Server 2008 R2 domain controller than when sent to a Windows Server 2003 domain controller. The query results may appear truncated or incomplete. In some occasions you may not get any results.
If, for example, a LDAP application queries the members of a group, the Windows Server 2008 R2 or Windows Server 2008 domain controller only returns 5000 members, while the Windows Server 2003 domain controllers returns many more members…."
"… Hardcoded LDAP limitations have been introduced in Windows Server 2008 R2 and Windows Server 2008 to prevent overloading the domain controller”
What this means is that Windows Server 2008 R2 or Windows Server 2008 dictates MaxPageSize of 20,000 and MaxValRange of 5,000 therefore the maximum number of attributes a query can return is 5,000.
CAUTION: The below should be tested first for any impact on performance as stated in the above KB, and it is also recommended to use Paged Queries (RFC 2969), a standard which was introduced ~10 years ago.
To override the upper-limits introduced in Windows Server 2008/R2 and restore the old-style (no upper limit enforced behavior for LDAP Query Policy in Windows Server 2003), modify the dSHeuristic attribute in Active Directory. To do this, follow these steps:
1. Start ADSI Edit. To do this, open a command prompt in the Support Tools folder, type ADSIEDIT.MSC, press Enter
2. Right-click CN=Directory Service in the following location, and then click Properties: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=forest root
3. Click the Attribute Editor tab, and then locate dSHeuristic in the Attributes list.
Note By default, the value of this attribute is not set.
4. Click dSHeuristic, and then click Edit.
5. Type 000000000100000001 in the Value box, and then click OK. See Note below.
6. Restart the Active Directory Domain Service (NTDS) or the domain controller.
Note If a value has already been set for this attribute, incorporate the existing settings into the new value. When you do this, note the following:
· The tenth character from the left must be 1. Twentieth bit must be 2, and so on.
· The eighteenth character from the left must be 1.
· None of the other characters of the existing value should be changed. For instance, if the existing value is 0000002 then the new value should be 000000200100000001
Microsoft Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows Server OS, Microsoft Exchange, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk. For more, please see below
Windows Server 2008 R2 or Windows Server 2008 domain controller returns only 5000 attributes in a LDAP response https://support.microsoft.com/kb/2009267
Change the LDAP Policy using NTDSUTIL, please follow https://support.microsoft.com/kb/315071
Please also see fLDAPBypassUpperBoundsOnLimits (2 bytes): dSHueristic Attribue