Topic Last Modified: 2008-04-24

The Microsoft® Exchange Server Analyzer Tool verifies the Lightweight Directory Access Protocol (LDAP) configuration of a domain controller by checking the attributes of the Default Query Policy object in the Query-Policies container in the Active Directory® directory service. If the Exchange Server Analyzer determines that the MaxValRange value of the LDAPAdminLimits attribute has been changed from its default of 1500, a non-default configuration message is displayed.

The LDAP administrative limits balance the Active Directory operational capabilities and its performance. These limits prevent specific operations from adversely affecting the performance of the server, and also make the server resilient to denial of service attacks. Increasing or decreasing the default value could have an adverse impact on your Active Directory infrastructure.

LDAP policies are implemented by using objects of the queryPolicy class. Query policy objects can be created in the Query-Policies container, which is a child of the Directory Service container in the configuration naming context.

The MaxValRange value of the LDAPAdminLimits attribute controls the number of values that are returned for an attribute of an object, independent of how many attributes that object has, or of how many objects were in the search result.

If this value is decreased below the default, some Exchange queries may not return complete results.

Unless you are instructed by Microsoft Customer Support Services to use a different value, you should reset this value back to its default value of 1500.
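The same comparison can be made by reading the LDAPAdminLimits values of the Default Query Policy object directly. The following PowerShell is an added example, not part of the original topic or of the Exchange Server Analyzer; it assumes the ActiveDirectory module is available, and the function names and the server name in the final comment are hypothetical.

```powershell
# Added example. Assumes the ActiveDirectory module; function names are hypothetical.
$DefaultMaxValRange = 1500   # default value stated in this topic

function ConvertFrom-LdapAdminLimits {
    # lDAPAdminLimits is multi-valued; each value is a "Name=Value" string.
    param([string[]]$Values)
    $limits = @{}
    foreach ($entry in $Values) {
        $name, $value = $entry -split '=', 2
        if ([string]::IsNullOrWhiteSpace($name) -or $null -eq $value) { continue }
        $limits[$name.Trim()] = $value.Trim()
    }
    return $limits
}

function Test-MaxValRange {
    # Classifies MaxValRange relative to the expected default.
    param([hashtable]$Limits, [int]$Expected = $DefaultMaxValRange)
    $current = 0
    if (-not $Limits.ContainsKey('MaxValRange')) { $status = 'NotPresent' }
    elseif (-not [int]::TryParse($Limits['MaxValRange'], [ref]$current)) { $status = 'Unparseable' }
    elseif ($current -lt $Expected) { $status = 'BelowDefault' }   # Exchange queries may be incomplete
    elseif ($current -gt $Expected) { $status = 'AboveDefault' }
    else { $status = 'Default' }
    [pscustomobject]@{
        Status   = $status
        Current  = $Limits['MaxValRange']
        Expected = $Expected
    }
}

function Get-DefaultQueryPolicyLimits {
    # Reads the policy object from the configuration naming context of the given server.
    param([Parameter(Mandatory)][string]$Server)
    Import-Module ActiveDirectory
    $configNC = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $dn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
          "CN=Windows NT,CN=Services,$configNC"
    $policy = Get-ADObject -Identity $dn -Server $Server -Properties lDAPAdminLimits
    ConvertFrom-LdapAdminLimits -Values @($policy.lDAPAdminLimits)
}

# Constructed sample values (not taken from a real domain controller), so this runs offline.
$sample = 'MaxPageSize=1000', 'MaxValRange=500'
Test-MaxValRange -Limits (ConvertFrom-LdapAdminLimits -Values $sample)

# Against a live server (hypothetical name):
# Test-MaxValRange -Limits (Get-DefaultQueryPolicyLimits -Server 'dc01.example.test')
```

The script only reads the attribute. Changing the value is still done with the Ntdsutil.exe procedure in this topic.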

You can use Ntdsutil.exe to perform Active Directory database maintenance, manage and control single-master operations, and remove replication metadata left behind by domain controllers that are removed from the network without uninstalling Active Directory. The version of Ntdsutil that is included with Windows Server 2003 SP1 removes File Replication service (FRS) metadata in addition to Active Directory replication metadata. You can also use Ntdsutil to create application directory partitions and perform authoritative restore operations. This tool is intended for use by experienced administrators. Ntdsutil is included with Windows Server 2003 Service Pack 1 (SP1).

To start Ntdsutil.exe
  1. Click Start, and then click Run.

  2. In the Open text box, type ntdsutil, and then press ENTER. To view Help at any time, type ? at the command prompt.

To view policy settings
  1. At the Ntdsutil.exe command prompt, type LDAP policies, and then press ENTER.

  2. At the LDAP policy command prompt, type connections, and then press ENTER.

  3. At the server connection command prompt, type connect to server <DNS name of server>, and then press ENTER. You want to connect to the server that you are currently working with.

  4. At the server connection command prompt, type q, and then press ENTER to return to the previous menu.

  5. At the LDAP policy command prompt, type Show Values, and then press ENTER.

    A display of the policies as they exist appears.

    Note:
    This procedure only shows the Default Domain Policy settings. If you apply your own policy setting, you cannot see it.

To change policy settings
  1. At the Ntdsutil.exe command prompt, type LDAP policies, and then press ENTER.

  2. At the LDAP policy command prompt, type Set MaxValRange to 1500, and then press ENTER.

    You can use the Show Values command to verify your changes.

  3. To save the changes, use Commit Changes.

  4. When you finish, type q, and then press ENTER.

  5. To quit Ntdsutil.exe, at the command prompt, type q, and then press ENTER.

For more information about configuring LDAP policies, see the Microsoft Knowledge Base Article 315071, "How to view and set lightweight directory access protocol policies by using Ntdsutil.exe" (http://go.microsoft.com/fwlink/?LinkId=3052&kbid=315071).