Topic Last Modified: 2005-11-17

The Microsoft® Exchange Server Analyzer Tool verifies the Lightweight Directory Access Protocol (LDAP) configuration of a domain controller by checking the attributes of the Default Query Policy object in the Query-Policies container in the Active Directory® directory service. If the Exchange Server Analyzer determines that the MaxPageSize value of the LDAPAdminLimits attribute has been changed from its default of 1000, a non-default configuration message is displayed.

The LDAP administrative limits balance the Active Directory operational capabilities and its performance. These limits prevent specific operations from adversely affecting the performance of the server, and also make the server resilient to denial of service attacks. Increasing this setting beyond its default value could have an adverse impact on your Active Directory infrastructure.

LDAP policies are implemented by using objects of the queryPolicy class. Query policy objects can be created in the Query-Policies container, which is a child of the Directory Service container in the configuration naming context.

The MaxPageSize value of the LDAPAdminLimits attribute controls the number of records that can be returned for an LDAP query. The default is 1000 records. If there are more than 1000 items returned, Active Directory will see this maximum value and will return nothing.

This limit controls the supportable numbers of several types of Active Directory objects. For example, each organization can have up to 1000 servers, up to 1000 administrative groups, and up to 1000 address lists; each administrative group can have up to 1000 routing groups; and each routing group can have up to 1000 connectors.

Unless you are instructed by Microsoft Product Support Services to use a different value, you should reset this value back to 1000.

To start Ntdsutil.exe

  1. Click Start, and then click Run.

  2. In the Open text box, type ntdsutil, and then press ENTER. To view Help at any time, type ? at the command prompt.

To view policy settings

  1. At the Ntdsutil.exe command prompt, type LDAP policies, and then press ENTER.

  2. At the LDAP policy command prompt, type connections, and then press ENTER.

  3. At the server connection command prompt, type connect to server <DNS name of server>, replacing <DNS name of server> with the DNS name of the server that you are currently working with, and then press ENTER.

  4. At the server connection command prompt, type q, and then press ENTER to return to the previous menu.

  5. At the LDAP policy command prompt, type Show Values, and then press ENTER.

    A display of the policies as they exist appears.

    Note:
    This procedure only shows the Default Domain Policy settings. If you apply your own policy setting, you cannot see it.

To change policy settings

  1. At the Ntdsutil.exe command prompt, type LDAP policies, and then press ENTER.

  2. At the LDAP policy command prompt, type Set MaxPageSize to 1000, and then press ENTER.

    You can use the Show Values command to verify your changes.

  3. To save the changes, use Commit Changes.

  4. When you finish, type q, and then press ENTER.

  5. To quit Ntdsutil.exe, at the command prompt, type q, and then press ENTER.
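The check described at the top of this topic can also be scripted. The following PowerShell is an added example, not code from Microsoft or from the Exchange Server Analyzer: it reads the lDAPAdminLimits values of the Default Query Policy object through ADSI and reports whether MaxPageSize differs from 1000. The function names, the sample values, and the server name dc01.example.com are assumptions made for illustration.

```powershell
# Added example, not Microsoft's code. Function names are hypothetical.
$DefaultMaxPageSize = 1000   # default value stated in this article

function ConvertFrom-LdapAdminLimits {
    # lDAPAdminLimits is multi-valued; each value is a "Name=Value" string.
    param([string[]]$Values)
    $limits = @{}
    foreach ($entry in $Values) {
        $name, $value = $entry -split '=', 2 | ForEach-Object { $_.Trim() }
        # Skip malformed entries (no "=", empty name, non-numeric value).
        if ($name -and $value -match '^\d+$') { $limits[$name] = [int]$value }
    }
    $limits
}

function Test-MaxPageSize {
    # Compare the configured MaxPageSize with the default.
    param([string[]]$Values)
    $limits  = ConvertFrom-LdapAdminLimits -Values $Values
    $current = $limits['MaxPageSize']          # $null when the value is absent
    [pscustomobject]@{
        MaxPageSize = $current
        Default     = $DefaultMaxPageSize
        IsDefault   = ($current -eq $DefaultMaxPageSize)
    }
}

function Get-DefaultQueryPolicyLimits {
    # Read the attribute from the Default Query Policy object in the
    # Query-Policies container of the configuration naming context.
    param([Parameter(Mandatory)][string]$Server)   # DNS name of the domain controller
    $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
    $configNC = [string]$rootDse.Properties['configurationNamingContext'].Value
    $dn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
          "CN=Windows NT,CN=Services,$configNC"
    $policy = [ADSI]"LDAP://$Server/$dn"
    @($policy.Properties['lDAPAdminLimits'] | ForEach-Object { [string]$_ })
}

# Constructed sample values (not taken from a real domain controller).
$sample = 'MaxPageSize=5000', 'MaxQueryDuration=120', 'MaxConnIdleTime=900'
Test-MaxPageSize -Values $sample

# Against a live domain controller (dc01.example.com is a placeholder):
# Test-MaxPageSize -Values (Get-DefaultQueryPolicyLimits -Server 'dc01.example.com')
```

Like the Ntdsutil.exe procedure above, this reads only the Default Query Policy object and does not report any other query policy object that has been created and applied.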

For more information about configuring LDAP policies, see the Microsoft Knowledge Base Article 315071, "How to view and set lightweight directory access protocol policies by using Ntdsutil.exe in Windows 2000" (http://go.microsoft.com/fwlink/?LinkId=3052&kbid=315071).