The DC's LDAP interface supports various policies that can be configured by an administrator. The names of these policies are listed on the supportedLDAPPolicies attribute on the rootDSE. These policies are listed in the following table, which also lists which versions of Microsoft Windows® and Active Directory Application Mode (ADAM) support which policies.
| Policy name | Microsoft Windows® 2000 operating system | Windows Server® 2003 operating system, ADAM, and Windows Server® 2008 operating system | Windows Server® 2008 R2 operating system |
|---|---|---|---|
| MaxActiveQueries | X* | | |
| InitRecvTimeout | X | X | X |
| MaxConnections | X | X | X |
| MaxConnIdleTime | X | X | X |
| MaxDatagramRecv | X | X | X |
| MaxNotificationPerConn | X | X | X |
| MaxPoolThreads | X | X | X |
| MaxReceiveBuffer | X | X | X |
| MaxPageSize | X | X | X |
| MaxQueryDuration | X | X | X |
| MaxResultSetSize | X | X | X |
| MaxTempTableSize | X | X | X |
| MaxValRange | | X | X |
| MaxResultSetsPerConn | | | X |
| MinResultSets | | | X |
* Support for this policy was removed in Windows Server 2003.
LDAP policies are specified using the lDAPAdminLimits attribute. The lDAPAdminLimits attribute of a queryPolicy object is a multivalued string where each string value encodes a name-value pair. In the encoding, the name and value are separated by an "=". For example, the encoding of the name "MaxActiveQueries" with value "0" is "MaxActiveQueries=0". Each name is the name of an LDAP policy, and the value is a value of that policy.
There can be multiple queryPolicy objects in a forest. A DC determines the queryPolicy object that contains its policies according to the following logic:
- If the queryPolicyObject attribute is present on the DC's nTDSDSA object, the DC uses the queryPolicy object referenced by it.
- Otherwise, if the queryPolicyObject attribute is present on the nTDSSiteSettings object for the site to which the DC belongs, the DC uses the queryPolicy object referenced by it.
- Otherwise, the DC uses the queryPolicy object whose DN is "CN=Default Query Policy,CN=Query-Policies" relative to the nTDSService object (for example, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services" relative to the root of the config NC).
The effect of setting an LDAP policy is outside the state model. The effect of each policy, as well as the default value used if the policy's value is not specified in an lDAPAdminLimits attribute, is shown in the following table.
| Policy name | Default value | Description |
|---|---|---|
| MaxActiveQueries | 20 | The maximum number of concurrent LDAP search operations that are permitted to run at the same time on a DC. When this limit is reached, the DC returns a busy error ([RFC2251] section 4.1.10). |
| InitRecvTimeout | 120 | The maximum time, in seconds, that a DC waits for the client to send the first request after the DC receives a new connection. If the client does not send the first request in this amount of time, the server disconnects the client. |
| MaxConnections | 5000 | The maximum number of simultaneous LDAP connections that a DC will accept. If a connection comes in after the DC reaches this limit, the DC will drop another connection. |
| MaxConnIdleTime | 900 | The maximum time, in seconds, that the client can be idle before the DC closes the connection. If a connection is idle for more than this time, the DC disconnects the client. |
| MaxDatagramRecv | 4096 | The maximum size, in bytes, of a UDP datagram request that a DC will process. Requests that are larger than this value are ignored by the DC. |
| MaxNotificationPerConn | 5 | The maximum number of outstanding notification search requests (using the LDAP_SERVER_NOTIFICATION_OID control) that the DC permits on a single connection. When this limit is reached, the server returns a busy error ([RFC2251] section 4.1.10) to any new notification searches that are requested on that connection. |
| MaxPoolThreads | 4 | The maximum number of threads per processor that a DC dedicates to listening for network input or output. This value also determines the maximum number of threads per processor that can work on LDAP requests at the same time. |
| MaxReceiveBuffer | 10,485,760 | The maximum size, in bytes, of a request that the server will accept. If the server receives a request that is larger than this, it will drop the connection. |
| MaxPageSize | 1000 | The maximum number of objects that are returned in a single search result, independent of how large each returned object is. To perform a search where the result might exceed this number of objects, the client must specify the paged search control. |
| MaxQueryDuration | 120 | The maximum time, in seconds, that a DC will spend on a single search. When this limit is reached, the DC returns a timeLimitExceeded error ([RFC2251] section 4.1.10). |
| MaxResultSetSize | 262,144 | The maximum number of bytes that a DC stores to optimize the individual searches that make up a paged search. The data that is stored is outside the state model and is implementation-specific. |
| MaxTempTableSize | 10,000 | The maximum number of rows that a DC will create in a temporary database table to hold intermediate results during query processing. |
| MaxValRange | 1500 | The maximum number of values that can be retrieved from a multivalued attribute in a single search request. Windows 2000 DCs do not support this policy and instead always use a setting of 1000 values. |
| MaxResultSetsPerConn | 10 | The maximum number of individual paged searches per LDAP connection for which a DC will store optimization data. The data that is stored is outside the state model and is implementation-specific. |
| MinResultSets | 3 | The minimum number of individual paged searches for which a DC will store optimization data. The data that is stored is outside the state model and is implementation-specific. |
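The following added example (not from MS-ADTS or any Microsoft tool) models the two mechanisms described above: the queryPolicy resolution order and the decoding of lDAPAdminLimits "Name=Value" strings, merged over the defaults in the table. Directory objects are constructed in-memory dicts, and for simplicity the queryPolicyObject attribute holds the referenced queryPolicy object itself rather than its DN; malformed or unknown strings are reported rather than silently ignored, which is useful when auditing a policy object.

```python
# Constructed example: effective LDAP policy computation for a DC (not MS-ADTS code).

# Default values from the MS-ADTS table, used when a policy is absent from lDAPAdminLimits.
DEFAULT_LDAP_POLICIES = {
    "MaxActiveQueries": 20, "InitRecvTimeout": 120, "MaxConnections": 5000,
    "MaxConnIdleTime": 900, "MaxDatagramRecv": 4096, "MaxNotificationPerConn": 5,
    "MaxPoolThreads": 4, "MaxReceiveBuffer": 10_485_760, "MaxPageSize": 1000,
    "MaxQueryDuration": 120, "MaxResultSetSize": 262_144, "MaxTempTableSize": 10_000,
    "MaxValRange": 1500, "MaxResultSetsPerConn": 10, "MinResultSets": 3,
}


def parse_ldap_admin_limits(values):
    """Decode the multivalued lDAPAdminLimits attribute ("Name=Value" per string).
    Returns (parsed, rejected): unknown policy names and non-integer values go to
    'rejected' so an auditor can spot typos such as 'MaxPgeSize=5'."""
    parsed, rejected = {}, []
    for raw in values:
        name, sep, value = raw.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or name not in DEFAULT_LDAP_POLICIES or not value.lstrip("-").isdigit():
            rejected.append(raw)
            continue
        parsed[name] = int(value)
    return parsed, rejected


def select_query_policy(ntdsdsa, site_settings, default_policy):
    """Resolution order from the spec: the DC's own nTDSDSA object first, then the
    nTDSSiteSettings object of its site, then the Default Query Policy object.
    Assumption: queryPolicyObject holds the referenced object (a dict), not a DN."""
    for obj in (ntdsdsa, site_settings):
        if obj.get("queryPolicyObject"):
            return obj["queryPolicyObject"]
    return default_policy


def effective_ldap_policies(query_policy):
    """Merge a queryPolicy object's lDAPAdminLimits over the spec defaults."""
    explicit, _ = parse_ldap_admin_limits(query_policy.get("lDAPAdminLimits", []))
    return {**DEFAULT_LDAP_POLICIES, **explicit}


if __name__ == "__main__":
    # Constructed sample: the site overrides two limits; the DC object has no override.
    site = {"queryPolicyObject": {"lDAPAdminLimits": ["MaxConnIdleTime=300", "MaxPageSize=2000"]}}
    default_qp = {"lDAPAdminLimits": []}
    policy = effective_ldap_policies(select_query_policy({}, site, default_qp))
    for name in ("MaxConnIdleTime", "MaxPageSize", "MaxQueryDuration"):
        print(f"{name} = {policy[name]}")
```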