Active Directory - Work with huge AD trees

Friday, December 30, 2011 2 Comments

Recently we have experienced an issue when configuring the system authentication mode to Active Directory. The Active Directory tree contained more than 3000 entries.

By default, Active Directory returns at most 1000 entries for each search request made to the domain. The main reasons for this limit are security and performance.

If a search query to Active Directory would return more than 1000 results, Active Directory raises a size-limit error (SizeLimitExceeded, LDAP result code 4).
Plastic SCM catches the resulting exception and shows the following warning message:




At this point, there are three possible solutions to get a result:

  1. Close the warning message and specify a filter in the "Filter" textbox of the User Selection dialog.
    Doing this, Plastic SCM narrows the query sent to the Active Directory domain and retrieves fewer results than before.

    Constraints:
    - The specified filter has to return fewer than 1000 results.

  2. Specify a subdomain in the Plastic SCM server configuration instead of the entire Active Directory domain.
    Doing this, the Plastic SCM server will query only for users and groups from the specified subdomain.

    Example:
    If you currently have configured your PlasticSCM server ActiveDirectory's domain to:
    "mycompany.com" (or "dc=mycompany,dc=com")
    Change it to:
    "developers.mycompany.com" (or "dc=developers,dc=mycompany,dc=com")
    You can perform this change through the server configuration wizard.




    Constraints:
    - All the Plastic SCM users must be contained in that subdomain.
    - The list of users/groups in the subdomain contains fewer than 1000 entries.

  3. Change the Active Directory limit. You can do that by following this guide from Microsoft's Knowledge Base: http://support.microsoft.com/kb/315071
    (Sections: "Starting Ntdsutil.exe", "Viewing current policy settings" and "Modifying policy settings").

    Mainly, the steps are the following:
    • Run "Ntdsutil.exe" on the Active Directory machine.
    • At the "Ntdsutil.exe" command prompt, type "LDAP policies"
    • At the "LDAP policy" command prompt, type "connections"
    • At the "server connection" command prompt, type "connect to server MYHOST.mydomain.com"
      Examples:
      "connect to server localhost"
      "connect to server ldapserver.archgroup.com"
    • At the "server connection" command prompt, type "q"
    • At the "LDAP policy" command prompt, type "Set MaxPageSize to NEW_VALUE"
      Example:"Set MaxPageSize to 3000"
    • At the "LDAP policy" command prompt, type "Commit Changes"
    • At the "LDAP policy" command prompt, type "q"
    • At the "Ntdsutil.exe" command prompt, type "q"
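Before choosing between solution 2 (narrow the search base) and solution 3 (raise MaxPageSize), it helps to read the limit the domain controller currently enforces and count how many user/group entries the intended search base actually returns. The Ntdsutil "LDAP policies" steps above write to the lDAPAdminLimits attribute of the Default Query Policy object, so that attribute is where the current value can be read. The following script is an added example, not part of the original post or of Plastic SCM; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and $Server and $SearchBase are placeholders for your own environment.

```powershell
# Added example: check the current LDAP MaxPageSize and the size of a search base.
# Assumptions: RSAT ActiveDirectory module available; $Server / $SearchBase are placeholders.
param(
    [string]$Server     = "localhost",
    [string]$SearchBase = "dc=developers,dc=mycompany,dc=com"
)
Import-Module ActiveDirectory

# 1. Read MaxPageSize from the Default Query Policy in the configuration partition.
#    This is the same object that "Ntdsutil.exe -> LDAP policies" modifies.
$rootDse  = Get-ADRootDSE -Server $Server
$policyDn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
            "CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$policy   = Get-ADObject -Server $Server -Identity $policyDn -Properties lDAPAdminLimits

$limitEntry = $policy.lDAPAdminLimits | Where-Object { $_ -like "MaxPageSize=*" }
# Fall back to the Active Directory default of 1000 if the value is not listed explicitly.
$maxPageSize = if ($limitEntry) { [int]($limitEntry -replace '^MaxPageSize=', '') } else { 1000 }
Write-Host "Current MaxPageSize on ${Server}: $maxPageSize"

# 2. Count users and groups below the search base. The AD cmdlets page through
#    results themselves, so this count is not cut off at MaxPageSize.
$filter  = "(|(&(objectCategory=person)(objectClass=user))(objectClass=group))"
$entries = Get-ADObject -Server $Server -SearchBase $SearchBase -SearchScope Subtree `
                        -LDAPFilter $filter -ResultSetSize $null
$count   = @($entries).Count
Write-Host "User/group entries under ${SearchBase}: $count"

# 3. Report whether an unpaged search of this base would trip the size limit.
if ($count -ge $maxPageSize) {
    Write-Warning "$count entries is at or above MaxPageSize ($maxPageSize)."
    Write-Warning "Use a narrower filter or subdomain (solutions 1-2), or raise MaxPageSize (solution 3)."
} else {
    Write-Host "OK: an unpaged search of this base stays below the limit."
}
```

Run it once against the domain you have configured today and once against the candidate subdomain to see whether the subdomain alone satisfies the "fewer than 1000 entries" constraint.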


2 comments:

  1. Why not use the Active Directory paging mechanism?

  2. At the moment, the paging mechanism is not implemented. The posted solutions work with current releases.
