|
We
spent some MS Support $$ to research this question. What is widely known as fact
is really wrong.
This
is what we were told:
The
limit might be somewhere around 5000 but it depends on the size of Distinguished
Names that are the members of the group. If you look at the syntax for the
"member" attribute of a group, it stores the distinguished names of the users in
the group. It doesn't store the SID. You can verify this by using
ADSIEDIT.msc and look for yourself. The DN's can be of variable sizes depending
on where you place your usersid's in AD.
The
limitation is really in the replication code, it replicates the entire attribute
and it has a limit to the size of attribute that it can replicate. If you have
short DN's you can fit a lot more in the member attribute before it doesn't
work.
I
tested this and had over 10,000 users in a group and it still replicated ok. The
final thing we were told is there is no easy way detect when its too
big.
I
agree with a earlier message, use nested groups instead of one large
group.
Did
a google search...came up with the following:
When you
change a user-account attribute under NT 4.0, NT replicates the user's entire
record; AD replicates only the changed attribute. However, AD stores a group's
membership as one attribute. The list of a group's users and machines (yes,
groups can contain machine accounts in AD) resides in that attribute. The
catch is that attributes have a maximum size in the AD database, and AD
doesn't have room for more than 5000 SIDs in a group's membership attribute.
(This gotcha doesn't limit the built-in Domain Users group, however, which
apparently doesn't suffer from the 5000-member cap.)
An
interesting read, anyone else have any more information?
Regards,
Benton Chase Wink
-------------------------------------------------
Benton Chase Wink, CCNA
MCSE
McCombs School of
Business
LAN Administrator,
Network Team
512-471-9938
512-619-9016
A
global group is a global group, is a global group, is a global
group..
But if your script enumerated the groups within the group to find
nested members, then that would be reasonable to find
10,000
After my last response... I hesitate, but...
If
I'm not mistaken, I read somewhere that the Domain Users group (at least I
*think* it
was that one) isn't actually a group in the strictest sense of the
word.
Correct away... (crossing my fingers ;)
T.
-----------------------
Tony Bowman, MCSE, MCSA, CCNA
Harvest,
AL
[EMAIL PROTECTED]
Does this apply
to the "Domain Users" group ?!?
I ran a script
against our Domain and returned over 10,000 users that are a member of
"Domain Users"
-----Original
Message-----
From:
Hutchins, Mike [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 2:46
PM
To:
'[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active
Directory Limitations - max 5000 users per group?
The
5000 user limit is not a 5000 "user" limit, it is a 5000 Direct member limit.
I don't think anyone in their right mind would have 5000 users in one
group. I would suggest nesting them to make them more manageable
anyways.
FYI,
.NET removes this limitation for the nutty people.
-----Original
Message-----
From: AMAN,
ALICE L. (JSC-GT4) (NASA) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 1:34
PM
To:
'[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active
Directory Limitations - max 5000 users per group?
Someone on
slashdot.org (pro-linux site) indicated real-world problems with
AD
"Groups aren't scalable, supporting
max 5000 users."
I
want to recommend that we keep our people directory flat but if groups
have a maximum of
5000
users, this will be an obstacle. Would anyone care to
comment?
-----Original
Message-----
From: Gil
Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 11:49
AM
To:
'[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active
Directory Limitations
Actually the size
of the directory itself doesn't really affect replication traffic (except
when you bring up a new domain controller). Its the amount of data that is
changed, and how frequently it is changed, that drives the replication
traffic.
-----Original
Message-----
From: T
Bowman [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 9:04
AM
To:
[EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active
Directory Limitations
I do not
believe there is a hard limit. I do know it is capable of handling
millions of objects.
However, keep
in mind that the size will affect replication and thus your
network.
-----------------------
Tony Bowman, MCSE,
MCSA, CCNA
Harvest, AL
[EMAIL PROTECTED]
-----Original
Message-----
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Eoin
Mooney
Sent: Tuesday,
June 04, 2002 10:48 AM
To:
'[EMAIL PROTECTED]'
Subject: [ActiveDir] Active
Directory Limitations
Hi all,
I know this is probably a very
general question , but is there a limit with relation to active
directory size.
Number of folders created , data stored
,etc,etc
Regards
Eoin
|
