RE: [ActiveDir] Exceeding the LDAP Look Through Limit

[Eric Fleischman]

Putting me on CC is the way to get me to notice it faster. It hits a search folder that I watch that way.   In w2k we had a non-linked value limit of ~850 values. In 2k03 that moved to ~1300. Since we can have interop, we need to make sure we don’t break 2k when you introduce 2k03 so you don’t get the new ~1300 limit until you increase forest functional level to at least 1.   Error you get on 2k when you exceed ~850 is JET_errRecordTooBig (-1026 if I remember correctly). On 2k03 if you exceed ~850 pre-forest functional level increase you get JET_errRecordTooBigForBackwardCompatibility, then if you increase forest functional level and try to exceed ~1300 I believe you get JET_errRecordTooBig again. ~Eric     From: joe [mailto:[EMAIL PROTECTED] Sent: Sunday, August 01, 2004 5:43 PM To: [EMAIL PROTECTED] Cc: Eric Fleischman Subject: RE: [ActiveDir] Exceeding the LDAP Look Through Limit   Ah, I was chatting with ~Eric on this exact issue previously about adding too many attributes to a single multivalued attribute. Once I hit the limit (around 850 or so attributes on 2K) I couldn't add any new attributes to anything, only modify existing.... We never went anywhere on that discussion and I am curious why this happens.   Since ~Eric hasn't responded to this I am guessing he lost the thread so I am going to do the Bat~Eric Call...     CARTE BLANCHE!      joe :o)   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Brashear Sent: Friday, July 23, 2004 9:13 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Exceeding the LDAP Look Through Limit Ok, he created one user-defined ou , and added an object in that container. Next, he opened ADSI edit , and added attributes for that object.  For example he has 3 attributes, and added 300 values for each attributes.   If he adds more than this values, the limit exceeded message appears:  I received following error message ----- "The Administrative limit for this request was exceeded" ----- OS is win2k server sp4   Thanks for your help!   Steve   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Thursday, July 22, 2004 9:29 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Exceeding the LDAP Look Through Limit   I could probably tell you which admin limit you’re exceeding if you tell me the OS version & service pack level.   Most admin limits are there to protect perf of the box & prevent against DoS attacks. Better than changing the limits would be to change the query to use LDAP RFC compliant ways to performing the action w/o changing lmits. For example, if the limit is # of objects returned per page, rather than using a huge page you’d do a paged search.   So the questions that would be of interest: 1)       OS and service pack level 2)       What is the action being performed (as an example, if this is a search, baseDN + scope + filter)   Thanks! ~Eric     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Brashear Sent: Thursday, July 22, 2004 10:40 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Exceeding the LDAP Look Through Limit   I have a customer who has created an OU and populated it with objects that have many attributes.  He is now encountering this error:   "[LDAP: error code 11 - 00002024: SvcErr: DSID-02050AA0, problem 5008 (ADMIN _LIMIT_EXCEEDED), data -1026 ]; remaining name 'cn=CN\=JPRAKASH\,CN\=Computers\,DC\=jupiter\,DC\=lan,ou=S ubscriptions,dc=jupiter,dc=lan'"   Is there a maximum size limitation for user defined objects in AD? Can that value be modified? Where would one modify it?  Would it be in the LDAP policies/protocols configuration?   TIA! Steve