LDAP policies

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2008

Sets the Lightweight Directory Access Protocol (LDAP) administration limits for the Default-Query Policy object. At the ldap policy: prompt, type any of the commands listed under Syntax. Values changed with set are held as proposed values until you run commit changes.

This is a subcommand of Ntdsutil and Dsmgmt. Ntdsutil and Dsmgmt are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2. Ntdsutil is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. Dsmgmt is available if you have the AD LDS server role installed. These tools are also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (https://go.microsoft.com/fwlink/?LinkID=177813).

To use either of these tools, you must run them from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.

Syntax

connections
cancel changes
commit changes
list
set %s1 to %s2
show values

Parameters

Parameter Description

cancel changes

Cancels any uncommitted modifications of the LDAP administration limits to the default query policy.

commit changes

Commits all modifications of the LDAP administration limits to the default query policy.

connections

Invokes the Server connections submenu.

list

Lists all supported LDAP administration limits for the domain controller.

set %s1 to %s2

Sets the value of the LDAP administration limit %s1 to the value %s2.

show values

Shows the current and proposed values for the LDAP administration limits.

%s

An alphanumeric variable. In this subcommand, %s1 is the name of an LDAP administration limit (for example, MaxPageSize) and %s2 is the value to assign to it.

quit

Takes you back to the previous menu, or exits the utility.

?

Displays Help at the command prompt.

Help

Displays Help at the command prompt.

Remarks

  • The following table lists and describes the LDAP administration limits, with default values noted in parentheses.

    Value Description

    InitRecvTimeout

    Initial receive time-out (120 seconds)

    MaxConnections

    Maximum number of open connections (5000)

    MaxConnIdleTime

    Maximum amount of time a connection can be idle (900 seconds)

    MaxNotificationPerConnection

    Maximum number of notifications that a client can request for a given connection (5)

    MaxPageSize

    Maximum page size supported for LDAP responses (1000 records)

    MaxQueryDuration

    Maximum length of time the domain controller can execute a query (120 seconds)

    MaxTempTableSize

    Maximum size of temporary storage allocated to execute queries (10,000 records)

    MaxResultSetSize

    Maximum size of the LDAP Result Set (262144 bytes)

    MaxPoolThreads

    Maximum number of threads created by the domain controller for query execution (4 per processor)

    MaxDatagramRecv

    Maximum number of datagrams that can be processed by the domain controller simultaneously (1024)

    MaxReceiveBuffer

    The maximum size, in bytes, of a request that the server will accept (10,485,760 bytes)

    MaxValRange

    The maximum number of values that can be retrieved from a multivalued attribute in a single search request (1500 values). This policy is available only in Windows Server 2003 and Windows Server 2008.

  • To ensure that domain controllers can support service-level guarantees, you can specify operational limits for a number of LDAP operations. These limits prevent specific operations from adversely impacting the performance of the server and also make the server resilient to denial-of-service attacks.

    LDAP policies are implemented by using objects of the class queryPolicy. Query Policy objects can be created in the container Query Policies, which is a child of the Directory Service container in the configuration directory partition, for example, CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<forest root domain>.

    A domain controller uses the following three mechanisms, in this order of precedence, to apply LDAP policies:

    • A domain controller might refer to a specific LDAP policy. The NTDS Settings object includes an optional attribute queryPolicyObject, which contains the distinguished name of a Query Policy.

    • In the absence of a specific query policy being applied to a domain controller, the domain controller applies the Query Policy that has been assigned to the domain controller's site. The ntDSSiteSettings object includes an optional attribute queryPolicyObject, which contains the distinguished name of a Query Policy.

    • In the absence of a specific domain controller or site Query Policy, a domain controller uses the default query policy named Default-Query Policy.

    A Query Policy object includes the multivalued attributes LDAPIPDenyList and LDAPAdminLimits. Ntdsutil allows the administrator to set the LDAP administration limits and IP Deny list for the Default-Query Policy object.

  • Ntdsutil does not correctly handle special characters, such as the apostrophe character ('), that you can enter at the ntdsutil: prompt at the command line. In some situations, there may be an alternative workaround. For more information, see local roles (https://go.microsoft.com/fwlink/?LinkId=157320).
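The precedence order above can be checked directly against the directory. The following is an added example, not code from the original page or from Microsoft. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the configuration partition, and that DC01.corp.example is a placeholder domain controller name. It also assumes the default policy object is stored as CN=Default Query Policy (the object this page calls Default-Query Policy). After resolving the effective policy it parses the lDAPAdminLimits values, which are stored as "Name=Value" strings, and flags any limit that has been raised above the defaults listed in the table above, since a raised limit is a weakened denial-of-service control.

```powershell
# Added example (not from the original page): resolve the queryPolicy object that
# applies to a DC (DC-specific, then site, then default) and audit its limits.
# Assumptions: RSAT ActiveDirectory module; read access to the configuration NC;
# the server name passed in is a placeholder.
Import-Module ActiveDirectory

function Get-EffectiveLdapQueryPolicy {
    param([Parameter(Mandatory)][string]$DomainController)

    $configNC = (Get-ADRootDSE -Server $DomainController).configurationNamingContext
    $dc       = Get-ADDomainController -Identity $DomainController

    # 1. DC-specific policy: queryPolicyObject on the DC's NTDS Settings object.
    $ntds     = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties queryPolicyObject -Server $DomainController
    $policyDN = $ntds.queryPolicyObject
    $source   = 'NTDS Settings (DC-specific)'

    # 2. Site policy: queryPolicyObject on the site's NTDS Site Settings object.
    if (-not $policyDN) {
        $siteSettingsDN = "CN=NTDS Site Settings,CN=$($dc.Site),CN=Sites,$configNC"
        $siteSettings   = Get-ADObject -Identity $siteSettingsDN -Properties queryPolicyObject -Server $DomainController
        $policyDN       = $siteSettings.queryPolicyObject
        $source         = 'NTDS Site Settings'
    }

    # 3. Fallback: the forest-wide default policy (assumed object name).
    if (-not $policyDN) {
        $policyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
        $source   = 'Default Query Policy'
    }

    $policy = Get-ADObject -Identity $policyDN -Properties lDAPAdminLimits, lDAPIPDenyList -Server $DomainController

    # lDAPAdminLimits is multivalued; each value has the form "LimitName=Integer".
    $limits = @{}
    foreach ($entry in $policy.lDAPAdminLimits) {
        $name, $value = $entry -split '=', 2
        $limits[$name] = [int]$value
    }

    # Defaults from the table in Remarks. MaxPoolThreads is stored as the per-processor count.
    $defaults = @{
        InitRecvTimeout = 120;  MaxConnections = 5000;  MaxConnIdleTime  = 900
        MaxNotificationPerConnection = 5;  MaxPageSize = 1000;  MaxQueryDuration = 120
        MaxTempTableSize = 10000;  MaxResultSetSize = 262144;  MaxPoolThreads = 4
        MaxDatagramRecv = 1024;  MaxReceiveBuffer = 10485760;  MaxValRange = 1500
    }

    # Any limit above its default lets a single client consume more DC resources than the
    # shipped configuration allows, so surface it for review.
    $raised = foreach ($name in $limits.Keys) {
        if ($defaults.ContainsKey($name) -and $limits[$name] -gt $defaults[$name]) {
            "$name=$($limits[$name]) (default $($defaults[$name]))"
        }
    }

    [pscustomobject]@{
        DomainController = $dc.HostName
        PolicySource     = $source
        PolicyDN         = $policyDN
        Limits           = $limits
        RaisedLimits     = @($raised)
        IPDenyList       = @($policy.lDAPIPDenyList)
    }
}

$result = Get-EffectiveLdapQueryPolicy -DomainController 'DC01.corp.example'   # placeholder
$result | Format-List DomainController, PolicySource, PolicyDN, RaisedLimits, IPDenyList
$result.Limits.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

Because Ntdsutil edits only the Default-Query Policy object, a DC whose PolicySource comes back as NTDS Settings or NTDS Site Settings will not pick up changes made with this subcommand; edit that policy object directly instead.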

Examples

To show the current LDAP policy values, first connect to a domain controller by using the connections submenu, then type the following command at the ldap policy: prompt, and press ENTER:

ldap policy: show values
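A complete change-and-commit session, as an added example that is not part of the original page. The server name DC01.corp.example is a placeholder. The interactive transcript shows the prompt names as Ntdsutil displays them; the final command is the same session in Ntdsutil's argument form, in which each quoted argument is executed as one prompt command, followed by a read-back of the committed attribute value with the RSAT ActiveDirectory module (assumed installed).

```powershell
# Added example, not from the original page. Raises MaxPageSize on the
# Default-Query Policy to 2000, inspects the proposed values, and commits.
# DC01.corp.example is a placeholder. Run from an elevated prompt.
#
# Interactive form (one command per prompt):
#
#   ntdsutil
#   ntdsutil: ldap policies
#   ldap policy: connections
#   server connections: connect to server DC01.corp.example
#   server connections: quit
#   ldap policy: set MaxPageSize to 2000
#   ldap policy: show values           (Current and Proposed columns should differ for MaxPageSize)
#   ldap policy: commit changes
#   ldap policy: quit
#   ntdsutil: quit
#
# Non-interactive equivalent: every argument is executed as one prompt command, in order.
ntdsutil "ldap policies" connections "connect to server DC01.corp.example" quit `
         "set MaxPageSize to 2000" "show values" "commit changes" quit quit

# Read back the committed value from the policy object itself (assumed object name).
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE -Server 'DC01.corp.example').configurationNamingContext
$policyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
(Get-ADObject -Identity $policyDN -Properties lDAPAdminLimits -Server 'DC01.corp.example').lDAPAdminLimits |
    Where-Object { $_ -like 'MaxPageSize=*' }
```

Raising a limit applies to every domain controller in the forest that falls back to the Default-Query Policy, not only to the server you connected to, and it loosens the denial-of-service protection the Remarks describe. To undo a change before it is committed, use cancel changes; after commit changes, set the value back and commit again.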

Additional references

Command-Line Syntax Key

Dsmgmt

Ntdsutil

authoritative restore

configurable settings

DS behavior

files

group membership evaluation

ifm

LDAP policies

local roles

metadata cleanup

partition management

roles

security account management

semantic database analysis

set DSRM password

snapshot