RE: [ActiveDir] 1000 groups

[joe]

I take it you mean the issue for the originating write, not the replication correct? You can hit this even with a smaller originating write based on the version store depletion on the DC in question, that applies to any large updates I believe.   You can also bump against the default LDAP packet size issue as well, default max packet being 10MB (MaxReceiveBuffer=10485760).     joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Friday, April 15, 2005 3:20 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1000 groups > Regular multivalue attributes still have a limitation on size. In 2K that is approximately ~850 members and in K3 that is approximately ~1300 members. I'd call these "entries" instead of members to avoid confusion...   Not sure if it was mentioned in another part of this thread, but it should be clear, that the version store limit also still applies to 2k3 linked attributes (such as group-memberships) when updating these => i.e. you shouldn't add or delete more than 5000 members at one time to these attributes, otherwise you'll risk hitting the version store limit just like you did in 2k.   /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Freitag, 15. April 2005 01:17 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1000 groups Not so much a myth as a general guideline. :o)   There are people who do and have broken in the 5000 group membership, and actually people who have broken sooner if you can believe newsgroup postings, and people who have exceeded the guideline and lived to tell about it. The issue is around version store and how it is being used on a particular DC at a particular time and the fact that it has to be used in replication but is also used when people are doing queries and updates. In 2K you replicate the entire member attribute (I think someone previously said this was object level replication, it is actually attribute level replication and with K3 for LV attributes it is value level replication) but in K3 linked value attributes are replicated at the value level instead of the attribute level.   Some people think that all multivalue groups are now cleared up in terms of they can have limitless size. This is incorrect, the "LVR fix" is only, again, for linked value attributes which are DN style attributes with forward/back links associated with them. Regular multivalue attributes still have a limitation on size. In 2K that is approximately ~850 members and in K3 that is approximately ~1300 members. Note that hitting that limit backs you into the object size limit as well so you can no longer add any attributes to any object that has hit the limit on a single multivalue (non-LV) attributes. You will see an admin limit exceeded error for every attribute add you try to do after that. You can update already existing attributes, you simply can't add more.     joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, April 12, 2005 4:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1000 groups Note that the hard limit in W2K of 5000 members is actually kind of a myth.  At my current employer, we had a group with 80K users on a W2K native domain and it actually did work, replication and all.   The major issue we ran into was trying to promo new DCs and do our 2K3 migration.  That was a near complete meltdown as a result of this one particular group.  Thus it is still a bad idea to break the recommendation, even if it can be made to work.  You’ll definitely regret it later.   Joe K.   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw Sent: Tuesday, April 12, 2005 11:59 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1000 groups   Group memberships are replicated in W2K3 per object as opposed to the whole group. In w2k there is a hard limit of 5000 members per group but a group can be nested in another group giving you virtually unlimited group memberships. The problem in w2k is that a change to any one member of a group requires full replication of the group.   In w2k3 the limitation was removed and now just the change is replicated as opposed to the complete group. So, long and short is that group replication in w2k3 is not as serious an issue as it was in w2k.   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, April 12, 2005 9:49 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1000 groups   5000 is the 'recommended' limitation for groups on both Win2k and Win2k3 - but that limitation is only due to replication issues with AD.   -Jon   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Fischer Sent: Tuesday, April 12, 2005 12:45 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] 1000 groups Hi All: Can an AD user be a member of more that 1000 groups?  Someone told me that 1000 was an AD limitation.   Is that true? Thanks, --Brian         E-mail Full?  Check out our Exchange Tools!   Brian Fischer Microsoft Systems Consultant Quest Software 4320 Winfield Rd Suite 500 Warrenville, IL 60555 [EMAIL PROTECTED] tel: fax: mobile: 630-836-3160 949-754-8999 630-567-2825   Last year’s email – today’s key piece of evidence! Find it fast with Quest Recovery Manager for Exchange. Get your free Technical Brief on e-Discovery.       With Quest Software, you can expect more... more performance, more productivity, more value from your IT investments. Visit www.quest.com to learn how.   This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.