Title: Message

I would have to agree....I did testing last night and put 9,000 users in a single GG.  So it must be related to size, since the DNs I used were 1,2,3,4 etc.

 

-----Original Message-----
From: David Stacer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 7:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Limitations - max 5000 users per group?

 

We spent some MS Support $$ to research this question. What is widely known as fact is really wrong.

 

This is what we were told:

 

The limit might be somewhere around 5000, but it depends on the size of the Distinguished Names that are the members of the group. If you look at the syntax for the "member" attribute of a group, it stores the distinguished names of the users in the group. It doesn't store the SID. You can verify this by using ADSIEDIT.msc and looking for yourself. The DNs can be of variable sizes depending on where you place your user IDs in AD.

 

The limitation is really in the replication code; it replicates the entire attribute and it has a limit to the size of attribute that it can replicate. If you have short DNs you can fit a lot more in the member attribute before it doesn't work.

 

I tested this and had over 10,000 users in a group and it still replicated OK. The final thing we were told is there is no easy way to detect when it's too big.

 

I agree with an earlier message: use nested groups instead of one large group.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 04, 2002 4:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Limitations - max 5000 users per group?

Did a google search...came up with the following:

 

When you change a user-account attribute under NT 4.0, NT replicates the user's entire record; AD replicates only the changed attribute. However, AD stores a group's membership as one attribute. The list of a group's users and machines (yes, groups can contain machine accounts in AD) resides in that attribute. The catch is that attributes have a maximum size in the AD database, and AD doesn't have room for more than 5000 SIDs in a group's membership attribute. (This gotcha doesn't limit the built-in Domain Users group, however, which apparently doesn't suffer from the 5000-member cap.)

 

 

 

An interesting read, anyone else have any more information?

 

Regards,

 

Benton Chase Wink
 -------------------------------------------------
Benton Chase Wink, CCNA MCSE
McCombs School of Business
LAN Administrator, Network Team
512-471-9938
512-619-9016

 

-----Original Message-----
From: Hutchins, Mike [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 3:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Limitations - max 5000 users per group?

A global group is a global group, is a global group, is a global group..

 

But if your script enumerated the groups within the group to find nested members, then that would be reasonable to find 10,000.

-----Original Message-----
From: T Bowman [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 2:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Limitations - max 5000 users per group?

After my last response... I hesitate, but...

If I'm not mistaken, I read somewhere that the Domain Users group (at least I *think* it was that one) isn't actually a group in the strictest sense of the word.

 

Correct away... (crossing my fingers ;)

T.

-----------------------
Tony Bowman, MCSE, MCSA, CCNA
Harvest, AL
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Parker, Edward
Sent: Tuesday, June 04, 2002 3:18 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Limitations - max 5000 users per group?

Does this apply to the "Domain Users" group ?!?

 

I ran a script against our Domain and returned over 10,000 users that are a member of "Domain Users"

 

-----Original Message-----
From: Hutchins, Mike [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 2:46 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Limitations - max 5000 users per group?

 

The 5000 user limit is not a 5000 "user" limit, it is a 5000 Direct member limit. I don't think anyone in their right mind would have 5000 users in one group. I would suggest nesting them to make them more manageable anyways.

 

FYI, .NET removes this limitation for the nutty people.

-----Original Message-----
From: AMAN, ALICE L. (JSC-GT4) (NASA) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 1:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Limitations - max 5000 users per group?

Someone on slashdot.org (pro-linux site) indicated real-world problems with AD including:

 

"Groups aren't scalable, supporting max 5000 users."

 

I want to recommend that we keep our people directory flat but if groups have a maximum of 5000 users, this will be an obstacle. Would anyone care to comment?

 

 

-----Original Message-----
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 11:49 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Limitations

Eoin,

 

Actually the size of the directory itself doesn't really affect replication traffic (except when you bring up a new domain controller). It's the amount of data that is changed, and how frequently it is changed, that drives the replication traffic.

 

-gil

-----Original Message-----
From: T Bowman [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 9:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Limitations

Eoin,

  I do not believe there is a hard limit.  I do know it is capable of handling millions of objects.

However, keep in mind that the size will affect replication and thus your network.

 

T.

-----------------------
Tony Bowman, MCSE, MCSA, CCNA
Harvest, AL
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Eoin Mooney
Sent: Tuesday, June 04, 2002 10:48 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Active Directory Limitations

Hi all,

I know this is probably a very general question, but is there a limit with relation to Active Directory size?
Number of folders created, data stored, etc., etc.

 

Regards

Eoin
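
An added example, not part of any message in this thread: a small audit that reads an LDIF-style export of groups and reports, per group, the direct member count (the figure the 5000 discussion is about), the total bytes of DN text held in the `member` attribute, and the number of users reachable through nesting. The sample export, the `example.com` names and the function names are constructed for illustration; the parser assumes one unfolded `member:` line per value and ignores base64-encoded (`member::`) values.

```python
from collections import defaultdict
# Constructed sample export in LDIF style (not data from the thread).
SAMPLE_LDIF = """\
dn: CN=AllStaff,OU=Groups,DC=example,DC=com
member: CN=Sales,OU=Groups,DC=example,DC=com
member: CN=Eng,OU=Groups,DC=example,DC=com

dn: CN=Sales,OU=Groups,DC=example,DC=com
member: CN=1,OU=Users,DC=example,DC=com
member: CN=2,OU=Users,DC=example,DC=com

dn: CN=Eng,OU=Groups,DC=example,DC=com
member: CN=2,OU=Users,DC=example,DC=com
member: CN=3,OU=Users,DC=example,DC=com
member: CN=AllStaff,OU=Groups,DC=example,DC=com
"""

def parse_groups(ldif):
    """Map each group DN (lowercased) to its list of direct member DNs."""
    groups, current = defaultdict(list), None
    for line in ldif.splitlines():
        key, _, value = line.partition(": ")
        if key == "dn":
            current = value.strip().lower()
            groups[current]  # register the group even if it has no members
        elif key == "member" and current is not None:
            groups[current].append(value.strip().lower())
    return dict(groups)

def expand(groups, dn, seen=None):
    """Return non-group members reachable through nesting; tolerates cycles."""
    seen = set() if seen is None else seen
    seen.add(dn)
    leaves = set()
    for m in groups.get(dn, []):
        if m in groups:
            if m not in seen:  # skip groups already visited (circular nesting)
                leaves |= expand(groups, m, seen)
        else:
            leaves.add(m)
    return leaves

def audit(groups, direct_limit=5000):
    """Per group: (direct count, DN bytes in member, nested users, over limit)."""
    report = {}
    for dn, members in groups.items():
        dn_bytes = sum(len(m.encode("utf-8")) for m in members)
        report[dn] = (len(members), dn_bytes, len(expand(groups, dn)), len(members) > direct_limit)
    return report
```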
