On 09/27/2012 02:38 PM, Steven Jones wrote:
It's also a forest-wide setting....


Just to confirm - setting MaxPageSize higher allows winsync to pull every user, but this is an unacceptable solution because it applies to the entire tree rather than a subset and/or a particular user?


:/


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Thursday, 27 September 2012 3:57 p.m.
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

Hi,

Unable to get this to work on win2k3r2 even with enterprise admin permissions.

What I have found is this, which I'm about to try,

1. Use adsiedit.msc to bind to any domain controller.
2. Navigate through
Configuration
CN=Configuration,DC=<DomainName>,DC=COM
CN=Services
CN=Windows NT
CN=Directory Services
CN=Query-Policies
3. Double-click CN=Default Query Policy in the right-hand pane.
4. Double-click LdapAdminLimits.
5. Select MaxPageSize and press Remove.
6. Modify the limit of MaxPageSize and press Add.
7. Press OK, Apply, and OK.
8. Close ADSI Edit.
9. After replication, the new limit should be available.

adsiedit is part of the ms support tools here,

http://www.microsoft.com/en-us/download/confirmation.aspx?id=7911



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Natxo Asenjo [natxo.ase...@gmail.com]
Sent: Thursday, 27 September 2012 2:04 a.m.
To: Rob Crittenden
Cc: Steven Jones; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On Wed, Sep 26, 2012 at 5:46 AM, Rob Crittenden<rcrit...@redhat.com>  wrote:
Steven Jones wrote:
Hi,

I don't have a ldapmodify command for changing something in AD.

I have increased the only scope I/we know about which is the return of objects 
from a search inside the AD gui but that might be specific to that view tool.  
That is 2000 by default, I've set 40000, I am testing it now, if that doesn't 
work....

Our best AD person is currently researching to see if it's even possible to 
alter that hard code in AD.  The only way he can see is using a  windows/ad 
specific command line command to modify the internals of AD but he's never seen 
or read about doing it for this attribute.

Sounds like you need to upgrade your MaxPageSize and LDAPAdminLimits
attribute of the Default Query Policy object in the Query-Policies
container. We needed to do this to be able to get more than 1000
objects from AD a long time ago.

The details I used back then were here:

http://technet.microsoft.com/en-us/library/aa998536.aspx


cmd.exe ->  ntdsutil.exe (on a domain controller)

At the Ntdsutil.exe command prompt, type LDAP policies, and then press ENTER.

show values [enter]
ldap policy: show values

Policy  Current(New)
MaxPoolThreads  4
MaxDatagramRecv         4096
MaxReceiveBuffer        10485760
InitRecvTimeout         120
MaxConnections  5000
MaxConnIdleTime         900
MaxPageSize     1000
MaxQueryDuration        120
MaxTempTableSize        10000
MaxResultSetSize        262144
MaxNotificationPerConn  5
MaxValRange     1500

We want to change MaxPageSize.

First we need to authenticate:
connections [enter]
set creds domain user pwd
connect to domain your.domain
q

then we got to ldap policy

set MaxPageSize to 2000
Commit Changes
quit
quit

--
natxo



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
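
Because the Default Query Policy applies forest-wide, it helps to snapshot the limits before and after the change and confirm that only MaxPageSize moved. The following is an added example, not part of the original thread: the function names are hypothetical, the "before" text is the `show values` output quoted above, and the "after" values are constructed in the `Name=Value` form assumed for `lDAPAdminLimits`.

```python
import re

# "show values" output exactly as quoted in the thread (state before the change).
BEFORE = """\
Policy  Current(New)
MaxPoolThreads  4
MaxDatagramRecv         4096
MaxReceiveBuffer        10485760
InitRecvTimeout         120
MaxConnections  5000
MaxConnIdleTime         900
MaxPageSize     1000
MaxQueryDuration        120
MaxTempTableSize        10000
MaxResultSetSize        262144
MaxNotificationPerConn  5
MaxValRange     1500
"""

# A limit line is a policy name, then whitespace or "=", then an integer.
LIMIT_LINE = re.compile(r"^\s*(\w+)[\s=]+(\d+)\s*$")

def parse_limits(text):
    """Return {policy name: int value}; header and prompt lines are skipped."""
    limits = {}
    for line in text.splitlines():
        match = LIMIT_LINE.match(line)
        if match:
            limits[match.group(1)] = int(match.group(2))
    return limits

def diff_limits(before, after):
    """Return {name: (old, new)} for every limit that differs or is missing."""
    names = sorted(set(before) | set(after))
    return {n: (before.get(n), after.get(n)) for n in names if before.get(n) != after.get(n)}

def review_change(before_text, after_text, intended):
    """Return (unexpected changes, intended changes not yet visible)."""
    before, after = parse_limits(before_text), parse_limits(after_text)
    changes = diff_limits(before, after)
    unexpected = {n: c for n, c in changes.items() if intended.get(n) != c[1]}
    pending = {n: v for n, v in intended.items() if after.get(n) != v}
    return unexpected, pending

# Constructed sample: the limits after the thread's change, one "Name=Value"
# per line (assumed storage form of the lDAPAdminLimits attribute).
AFTER = "\n".join(f"{k}={v}" for k, v in {**parse_limits(BEFORE), "MaxPageSize": 2000}.items())

if __name__ == "__main__":
    print(review_change(BEFORE, AFTER, {"MaxPageSize": 2000}))
```

A non-empty first element means some other limit differs from the baseline; a non-empty second element means the intended value is not yet visible on the domain controller that was queried, for example before replication has completed.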
