Limiting LDAP searches with MaxPageSize


Gary Olsen, Contributor
07.24.2007
Years ago, I gave a presentation to a conference entitled "Top 10 ways Windows 2000 allows you to shoot yourself in the foot." If I were to do that presentation today, I would place near the top of the list the ability to modify the MaxPageSize attribute.

Most administrators experience the effects of this parameter without even knowing why. For example, if you have ever attempted a search for an Active Directory object via an application or a command-line search, but only received a partial list as if there were a limit to the search results returned -- well, there is a limit. It's called MaxPageSize.

Microsoft's KB315071 explains how to view and set LDAP policy in Active Directory by using Ntdsutil.exe. The article defines MaxPageSize like this:

By default, MaxPageSize is set at 1,000. That means if you perform an LDAP search from the command line or an application, you will be limited to 1,000 results.

MaxPageSize is one of several values defined in a default LDAP policy, called default query policy, which applies to the forest. The distinguished name (DN) tells you where the policy lives. The DN is and can be found via ADSI Edit as shown in Figure 1. Although you can see the Default Query Policy object, the values -- such as the one for MaxPageSize -- are not visible via ADSI Edit.

Figure 1 (image omitted)

Why MaxPageSize is important

Poorly constructed LDAP queries can literally bring a domain controller to its knees by flooding port 389. It is basically a self-inflicted denial of service. The DC becomes unresponsive to other LDAP requests (authentication, etc.) because it's so busy servicing the query. An administrator who knows enough to be dangerous and performs a query on, say, (objectClass=User) in a large environment could do that, just as well as an application.

MaxPageSize, then, guarantees that you won't get more than 1,000 entries in a single search result. You can get the results you want by using paged search controls, which group the results in MaxPageSize limits. I have seen a number of cases where a well-meaning admin has expanded this value to large numbers. This is extremely dangerous and can cause all sorts of errors and failures because the DC is unresponsive for a period of time.

Active Directory tools for MaxPageSize

While KB315071 details how to view the policy values via Ntdsutil.exe, Microsoft MVP Joe Richards developed the ADFind utility, which is much simpler and easier to use. To expose the value of MaxPageSize and other LDAP limits, use the following command (results follow):

Microsoft's ExBPA (Exchange Best Practices Analyzer) tool checks for MaxPageSize and flags it as a critical issue if the value is more than 1,000. In another case, we found that MaxPageSize had been set to 50,000. This caused Exchange to break because the Global Catalog server was so overwhelmed with LDAP traffic that the Exchange server couldn't locate a GC. Remember, MaxPageSize is forest-wide and affects all LDAP servers.

The best practice for setting MaxPageSize is to leave it alone. However, if someone does set it to a high value, you can easily reset it by using Joe Richards' AdMod tool from www.joeware.net.

First, use the ADFind command noted previously in this article to determine the value of MaxPageSize. Then use the following command to set MaxPageSize back to 1,000:

If you suspect a DC of becoming unavailable or unresponsive, you should probably check to see if MaxPageSize has been modified. I have seen this show up when running DCDiag on a DC and receiving an LDAP error with no data. This same error appears when you run DCDiag on a non-DC. However, when I ran it again, DCDiag gave the results. This was indicative of LDAP traffic running unabated, enabled by a large MaxPageSize value.
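The two things described above, as an added PowerShell example (this is not the article's ADFind or AdMod command): reading the forest's current MaxPageSize from the Default Query Policy so a modified value can be flagged, and a paged search that retrieves a result set larger than that limit one page at a time. It assumes a domain-joined host, a user allowed to read the configuration partition, and that the policy object sits in the standard CN=Query-Policies location under the configuration partition (derived from RootDSE rather than hard-coded).

```powershell
# Added example, not from the article: read MaxPageSize from the forest's Default
# Query Policy and run a paged search that honours it. Assumes a domain-joined host
# and a user allowed to read the configuration partition; the policy location is the
# standard one under CN=Query-Policies and is derived from RootDSE, not hard-coded.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext.Value
$policyDn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
            "CN=Windows NT,CN=Services,$configNc"
$policy   = [ADSI]"LDAP://$policyDn"

# lDAPAdminLimits is multi-valued, one "Name=Value" string per limit.
$limits = @{}
foreach ($entry in $policy.lDAPAdminLimits) {
    $name, $value = $entry -split '=', 2
    $limits[$name] = [int]$value
}
$maxPageSize = $limits['MaxPageSize']
if ($maxPageSize -ne 1000) {
    Write-Warning "MaxPageSize is $maxPageSize; the default is 1000 and the setting is forest-wide."
} else {
    Write-Host "MaxPageSize is at the default of 1000."
}

# Paged search (RFC 2696 control): the DC returns at most MaxPageSize entries per
# page plus a cookie; resend the request with that cookie until it comes back empty.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($rootDse.dnsHostName.Value)
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()
$request = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $rootDse.defaultNamingContext.Value, '(objectClass=user)',
    [System.DirectoryServices.Protocols.SearchScope]::Subtree, 'distinguishedName')
$pageControl = New-Object System.DirectoryServices.Protocols.PageResultRequestControl($maxPageSize)
[void]$request.Controls.Add($pageControl)

$total = 0; $pages = 0
do {
    $response = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($request)
    $total += $response.Entries.Count; $pages++
    $pageResponse = $response.Controls |
        Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
    $pageControl.Cookie = $pageResponse.Cookie   # an empty cookie means this was the last page
} while ($pageControl.Cookie.Length -gt 0)
$conn.Dispose()
Write-Host "Paged search returned $total user objects in $pages pages of at most $maxPageSize."
```

Asking for a page larger than MaxPageSize does not get you more per round trip; the DC still caps each page at the policy value, which is why the loop sizes its pages from the value it just read.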

Do you have an Active Directory issue or problem that you'd like Gary to write an article about? Email him at glo11749@yahoo.com. Note: Gary cannot answer each query personally or guarantee that all will be answered. However those queries that have widespread interest or involve common AD issues will be addressed.

Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He authored Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers. Gary is a Microsoft MVP for Directory Services and formerly for Windows File Systems.
