Active Directory - Work with huge AD trees

Friday, December 30, 2011 Jesus 2 Comments

Recently we have experienced an issue when configuring the system authentication mode to Active Directory. The Active Directory tree contained more than 3000 entries.

By default, Active Directory allows fetching only 1000 entries for each search request to the Active Directory domain. The main reasons for this limit are security and performance.

If a search query to Active Directory returns more than 1000 results, Active Directory throws an exception (sizelimitexception, LDAP error code 4).
Plastic SCM catches the exception and shows the following warning message:




At this point, there are three possible solutions to get a result:

  1. Close the warning message and specify a filter in the "Filter" textbox of the User Selection dialog.
    Plastic SCM will then filter the query to the Active Directory domain and retrieve fewer results than before.

    Constraints:
    - The specified filter has to return fewer than 1000 results.

  2. Specify a subdomain in the Plastic SCM server configuration instead of the entire Active Directory domain.
    The Plastic SCM server will then query only for users and groups from the specified subdomain.

    Example:
    If your Plastic SCM server's Active Directory domain is currently configured as:
    "mycompany.com" (or "dc=mycompany,dc=com")
    Change it to:
    "developers.mycompany.com" (or "dc=developers,dc=mycompany,dc=com")
    You can make this change through the server configuration wizard.




    Constraints:
    - All the Plastic SCM users must be contained in that subdomain.
    - The list of users/groups in the subdomain must contain fewer than 1000 entries.

  3. Change the Active Directory limit. You can do that by following this guide from Microsoft's Knowledge Base: http://support.microsoft.com/kb/315071
    (Sections: "Starting Ntdsutil.exe", "Viewing current policy settings" and "Modifying policy settings").

    In summary, the steps are the following:
    • Run "Ntdsutil.exe" on the Active Directory machine.
    • At the "Ntdsutil.exe" command prompt, type "LDAP policies"
    • At the "LDAP policy" command prompt, type "connections"
    • At the "server connection" command prompt, type "connect to server MYHOST.mydomain.com"
      Examples:
      "connect to server localhost"
      "connect to server ldapserver.archgroup.com"
    • At the "server connection" command prompt, type "q"
    • At the "LDAP policy" command prompt, type "Set MaxPageSize to NEW_VALUE"
      Example: "Set MaxPageSize to 3000"
    • At the "LDAP policy" command prompt, type "Commit Changes"
    • At the "LDAP policy" command prompt, type "q"
    • At the "Ntdsutil.exe" command prompt, type "q"
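
To see which of the three options applies before changing anything, the check below reads the current MaxPageSize and counts the entries under each candidate base DN. It is an added example, not part of the original post or of Plastic SCM; it assumes the ActiveDirectory PowerShell module, a domain controller that uses the Default Query Policy, and a user/group filter chosen here for illustration.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

# Base DNs taken from the post's example; replace them with your own.
# A base DN that lives in a different domain also needs -Server on the Get-ADObject call.
$candidateBases = @(
    'dc=mycompany,dc=com',
    'dc=developers,dc=mycompany,dc=com'
)

# Assumption: users and groups are the entries of interest. The filter that
# Plastic SCM actually sends is not given in the post.
$filter = '(|(&(objectCategory=person)(objectClass=user))(objectCategory=group))'

# The LDAP policies edited through ntdsutil are stored in the lDAPAdminLimits
# attribute of the Default Query Policy object in the configuration partition.
# Assumption: no site-specific or DC-specific query policy overrides it.
$configNC = (Get-ADRootDSE).configurationNamingContext
$policyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$policy   = Get-ADObject -Identity $policyDN -Properties lDAPAdminLimits

$maxPageSize = 1000   # default stated in the post, used if the policy does not list the value
foreach ($entry in $policy.lDAPAdminLimits) {
    if ($entry -match '^MaxPageSize=(\d+)$') { $maxPageSize = [int]$Matches[1] }
}

foreach ($base in $candidateBases) {
    # Get-ADObject pages its results, so the count is complete even above the limit.
    $count = @(Get-ADObject -LDAPFilter $filter -SearchBase $base -SearchScope Subtree).Count

    [pscustomobject]@{
        SearchBase     = $base
        Entries        = $count
        MaxPageSize    = $maxPageSize
        FitsInOneQuery = ($count -lt $maxPageSize)
    }
}
```

A base DN reported with FitsInOneQuery = True satisfies the constraint of option 2, so the limit in option 3 can stay at its current value.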


Jesús González

2 comments:

  1. Why not use the Active Directory paging mechanism?
  2. At the moment, the paging mechanism is not implemented. The posted solutions work with current releases.