I was actually looking at notes from an upgrade and had the wrong domain..doh
A domain that started out as and still is 2003 matches Chris’s numbers exactly: MaxDatagramRecv 4096, MaxValRange 1500 2 domains that have gone from NT-200o-2003-2008R2 show: MaxDatagramRecv 1024, MaxValRange 0 All other values in all 3 of the domains match Chris’s exactly Once again proved I can do 2 or 3 things simultaneously but not 4. Apologize for any confusion From: [email protected] [mailto:[email protected]] On Behalf Of Charles F Sullivan Sent: Thursday, August 27, 2015 9:15 AM To: [email protected] Subject: RE: [NTSysADM] AD LDAP Policies 2012 R2 Do you mean that your results match Christopher’s? (MaxDatagramRecv 4096, MaxValRange 1500) If so, are you at 2008 R2? (I think yes on both, but I want to confirm.) I ask because I’ve so far been able to check five Windows 2012 R2 domains now. What I’m finding is: Ones which started out as Windows 2000 and are at 2012 R2 show MaxDatagramRecv 1024, MaxValRange 0. Ones which started out as Windows 2003 and are at 2012 R2 show MaxDatagramRecv 4096, MaxValRange 1500. In any case, thanks much for the other information. It may be helpful and I’ll check it out when I have time. It may answer my question as to whether I can ignore this or if it’s an actual issue that needs to be corrected. From: [email protected]<mailto:[email protected]> [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Free Jr., Bob Sent: Thursday, August 27, 2015 11:31 AM To: [email protected]<mailto:[email protected]> Subject: RE: [NTSysADM] AD LDAP Policies 2012 R2 That matches my main domain that has had the same path (except it originated as NT) and has never been tweaked manually. I believe this is still relevant in 2012 WRT the case that newer limits overwrite the LDAP policy setting. Windows Server 2008 and newer domain controller returns only 5000 values in a LDAP response https://support.microsoft.com/en-us/kb/2009267<https://urldefense.proofpoint.com/v2/url?u=https-3A__support.microsoft.com_en-2Dus_kb_2009267&d=BQMFaQ&c=hLS_V_MyRCwXDjNCFvC1XhVzdhW2dOtrP9xQj43rEYI&r=TA_mjBT8bS0r8rLrnubGjA&m=m9T74hN__NJUL_VOFG274dgPUZxquQSwcVQ1CaZfLSY&s=Qx1VM7WMycfe2Xp_sH3bI5preFIJjihg2ZULW1d1v54&e=> It’s also useful to keep in mind that there are some other methods to set policy, obscure but possible and worthy of consideration if you don’t have a 100% grasp of what *may* have transpired in an environment A domain controller uses the following three mechanisms to apply LDAP policies: A domain controller might refer to a specific LDAP policy. The NTDS Settings object includes an optional attribute queryPolicyObject, which contains the distinguished name of a Query Policy. In the absence of a specific query policy being applied to a domain controller, the domain controller applies the Query Policy that has been assigned to the domain controller's site. The ntDSSiteSettings object includes an optional attribute queryPolicyObject, which contains the distinguished name of a Query Policy. In the absence of a specific domain controller or site Query Policy, a domain controller uses the default query policy named Default-Query Policy. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Christopher Bodnar Sent: Wednesday, August 26, 2015 1:58 PM To: [email protected]<mailto:[email protected]> Subject: RE: [NTSysADM] AD LDAP Policies 2012 R2 Not up to 20012 R2 yet, at 2008 R2, but have upgraded from 2000-->2003-->2008 R2. Here are the current values: Policy Current(New) MaxPoolThreads 4 MaxDatagramRecv 4096 MaxReceiveBuffer 10485760 InitRecvTimeout 120 MaxConnections 5000 MaxConnIdleTime 900 MaxPageSize 1000 MaxQueryDuration 120 MaxTempTableSize 10000 MaxResultSetSize 262144 MinResultSets 0 MaxResultSetsPerConn 0 MaxNotificationPerConn 5 MaxValRange 1500 ThreadMemoryLimit 0 SystemMemoryLimitPercent 0 From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Charles F Sullivan Sent: Wednesday, August 26, 2015 11:58 AM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] AD LDAP Policies 2012 R2 We have a single domain/forest at Windows 2012 R2 functional level. This began 14 years ago as a Windows 2000 domain. (Actually it was originally migrated from NT 4, but I don’t think that would be a factor.) In checking the LDAP policies using ntdsutil, I see at least 5 settings that are non-default. An example is MaxValRange = 0. The default is 1500. Is there anyone else out there running a Windows 2012 R2 domain who is aware of these settings in their own environment, or who would be willing to check? Particularly helpful may be someone whose domain started out as Windows 2000. Does anyone know if this is expected or normal? Thanks for any help with this. Charlie Sullivan Sr. Windows Systems Administrator ________________________________ ----------------------------------------- This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you.
