Windows Server 2008 and newer domain controller returns only 5000 values in an LDAP response
Article
01/15/2025
This article provides a solution to an issue where a Windows Server 2008 or newer domain controller returns only 5000 values for a single attribute in an LDAP response.
Original KB number: 2009267
Symptoms
An LDAP application may return less information when a query is sent to a Windows Server 2008 or Windows Server 2008 R2 domain controller than when the same query is sent to a Windows Server 2003 domain controller. The query results may appear truncated or incomplete. On some occasions, you may not get any results at all.
For example, if an LDAP application queries the members of a group, the Windows Server 2008 R2 or Windows Server 2008 domain controller only returns 5000 members, while the Windows Server 2003 domain controllers return many more members.
In both cases, the LDAP policy has been extended with Ntdsutil to the values the LDAP application requires. For more information about viewing the LDAP policy settings, see the following article in the Microsoft Knowledge Base:
315071 How to view and set LDAP policy in Active Directory by using Ntdsutil.exe
On both domain controllers, the setting MaxPageSize is set to 50000 (default 1000) and MaxValRange to 25000 (default 1500).
Cause
Internal LDAP limits were introduced in Windows Server 2008 and Windows Server 2008 R2 to prevent overloading the domain controller. These hardcoded limits override the LDAP policy whenever the configured policy value is higher than the maximum listed below.
LDAP setting        Maximum value (hardcoded)
MaxReceiveBuffer    20971520
MaxPageSize         20000
MaxQueryDuration    1200
MaxTempTableSize    100000
MaxValRange         5000
Therefore the effective settings for the LDAP policy above are MaxPageSize=50000 and MaxValRange=25000 on a Windows Server 2003 domain controller, exactly as configured, but on a Windows Server 2008 R2 or Windows Server 2008 domain controller the hardcoded limits cap them at MaxPageSize=20000 and MaxValRange=5000.
MaxValRange limits the number of values of a single multi-valued attribute that are returned in one response. If you query the multi-valued attribute member of a group object that has more than 5000 members, a Windows Server 2008 R2 or Windows Server 2008 domain controller returns only the first 5000 of them. The truncation is visible in the response itself: the attribute comes back under the name member;range=0-4999 instead of member, and the remaining values must be fetched with ranged requests.
Resolution
The new maximum limits introduced with Windows Server 2008 R2 and Windows Server 2008 are intended to make applications adapt to the policies that Active Directory enforces. You should adapt your LDAP application accordingly.
For the MaxValRange limitation you may consider the following MSDN information and samples for using ranged queries:
Range Retrieval of Attribute Values
https://msdn.microsoft.com/library/cc223242(PROT.10).aspx
The following code example uses ranging to retrieve the members of a group using the IDirectoryObject interface:
Example Code for Ranging with IDirectoryObject
https://msdn.microsoft.com/library/aa705923(VS.85).aspx
The following code example uses ranging to retrieve the members of a group using the IDirectorySearch interface:
Example Code for Ranging with IDirectorySearch
https://msdn.microsoft.com/library/aa705924(VS.85).aspx
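The following Python example is an added illustration of range retrieval as described above; it is not code from the KB article or from the MSDN samples linked above. It assumes an LDAP client call of the form search(dn, attribute_list) that returns the object's attributes as a dictionary of name to value list (the shape most client libraries return for a base-scope search). Because no domain controller is available offline, the block also contains a constructed FakeDomainController that reproduces only the value-range behaviour this article describes: at most 5000 values per attribute per response, and an un-ranged request for a large attribute answered as member;range=0-4999. The group DN and member DNs are made up for the demonstration.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Attribute name carrying the LDAP range option, e.g. "member;range=0-1499" or "member;range=5000-*".
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE)


def parse_range_option(name: str) -> Optional[Tuple[str, int, Optional[int]]]:
    """Split 'attr;range=lo-hi' into (attr, lo, hi); hi is None for '*'. Plain names return None."""
    m = RANGE_RE.match(name)
    if not m:
        return None
    hi = None if m.group("hi") == "*" else int(m.group("hi"))
    return m.group("attr"), int(m.group("lo")), hi


# Assumed client shape: search(dn, attributes) -> {attribute_name: [values]} for a base-scope search.
Search = Callable[[str, List[str]], Dict[str, List[str]]]


def retrieve_all_values(search: Search, dn: str, attr: str, chunk: int = 1500) -> List[str]:
    """Fetch every value of a multi-valued attribute with ranged requests.

    The upper bound the client asks for is only a hint: the DC clamps it to MaxValRange,
    so the loop trusts the range option in the *response*, never the one it requested.
    """
    values: List[str] = []
    lo = 0
    while True:
        response = search(dn, [f"{attr};range={lo}-{lo + chunk - 1}"])
        ranged = None
        for name, vals in response.items():
            parsed = parse_range_option(name)
            if parsed and parsed[0].lower() == attr.lower():
                ranged = (parsed, vals)
                break
        if ranged is None:
            # No range option in the reply: the attribute is absent (e.g. an empty group)
            # or the server returned it whole under its plain name.
            return values + list(response.get(attr, []))
        (_, got_lo, got_hi), vals = ranged
        if got_lo != lo:
            raise ValueError(f"server returned range starting at {got_lo}, expected {lo}")
        values.extend(vals)
        if got_hi is None:          # 'lo-*' marks the final chunk
            return values
        lo = got_hi + 1             # continue where the server stopped, not where we asked


class FakeDomainController:
    """Constructed stand-in for the value-range handling of a Windows Server 2008 R2 DC
    (not a real LDAP server). It never returns more than MAX_VAL_RANGE values of one
    attribute per response and answers an un-ranged request for a large attribute with
    the first MAX_VAL_RANGE values under 'attr;range=0-4999', the symptom in this article."""
    MAX_VAL_RANGE = 5000

    def __init__(self, objects: Dict[str, Dict[str, List[str]]]):
        self.objects = objects
        self.requests = 0           # counts round trips so the test can check chunking

    def search(self, dn: str, attrs: List[str]) -> Dict[str, List[str]]:
        self.requests += 1
        obj = self.objects[dn]
        out: Dict[str, List[str]] = {}
        for name in attrs:
            parsed = parse_range_option(name)
            base, lo, hi = parsed if parsed else (name, 0, None)
            vals = obj.get(base, [])
            if not vals:
                continue                        # absent attribute: nothing in the reply
            if parsed is None and len(vals) <= self.MAX_VAL_RANGE:
                out[name] = list(vals)          # small enough: returned whole, no range option
                continue
            last = len(vals) - 1
            hi_eff = min(last if hi is None else hi, lo + self.MAX_VAL_RANGE - 1, last)
            suffix = "*" if hi_eff == last else str(hi_eff)
            out[f"{base};range={lo}-{suffix}"] = vals[lo:hi_eff + 1]
        return out


def demo() -> Tuple[int, int, int]:
    """Return (members seen by a naive query, members seen with ranging, total round trips)."""
    group_dn = "CN=AllStaff,OU=Groups,DC=example,DC=com"      # constructed DN
    members = [f"CN=user{i},OU=Users,DC=example,DC=com" for i in range(12000)]
    dc = FakeDomainController({group_dn: {"member": members}})
    truncated = dc.search(group_dn, ["member"])               # what an unranged query gets back
    naive = sum(len(v) for v in truncated.values())
    full = retrieve_all_values(dc.search, group_dn, "member", chunk=1500)
    return naive, len(full), dc.requests


if __name__ == "__main__":
    print(demo())
```

With a real client library the search argument is a thin wrapper; with ldap3, for instance, it would issue a base-scope search for the DN with the requested attribute list and return the entry's attributes dictionary (that mapping is an assumption of the example, not part of the article). The point the loop makes is that a client must advance from the upper bound the server actually returned: asking for member;range=0-49999 against a Windows Server 2008 domain controller still yields only member;range=0-4999, and a client that trusts its own request size will silently skip values.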
For MaxPageSize it is recommended to use paged queries, as outlined on MSDN:
Paging Search Results
https://msdn.microsoft.com/library/aa367011(VS.85).aspx
ldap_create_page_control Function
https://msdn.microsoft.com/library/aa366547(VS.85).aspx
There is a way to override these limitations, but we encourage you to discuss the requirements with Microsoft customer technical support to decide whether modifying the policies is the correct approach.