MaxPageSize is set too high

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2005-11-17

The Microsoft® Exchange Server Analyzer Tool queries the Active Directory® directory service to determine the setting for the MaxPageSize value for the LDAPAdminLimits attribute of the Default Query Policy object in the Query-Policies container. If the Exchange Server Analyzer determines that the value for MaxPageSize is greater than 2,500, an error is displayed.

The Lightweight Directory Access Protocol (LDAP) administrative limits balance Active Directory operational capabilities and performance. These limits prevent specific operations from adversely affecting the performance of the server. The limits also make the server resilient to denial of service attacks. Increasing this setting beyond its default value could have an adverse impact on your Active Directory infrastructure.

LDAP policies are implemented by using objects of the queryPolicy class. Query policy objects can be created in the Query-Policies container, which is a child of the Directory Service container in the configuration naming context.

The MaxPageSize value of the LDAPAdminLimits attribute controls the number of records that can be returned for an LDAP query. The default number is 1,000 records. If there are more than 1,000 items returned, Active Directory sees this maximum value and will return nothing.

This limit controls the supportable numbers of several types of Active Directory objects. For example, each organization can have up to 1,000 servers, up to 1,000 administrative groups, and up to 1,000 address lists. Each administrative group can have up to 1,000 routing groups, and each routing group can have up to 1,000 connectors.

Unless you have been instructed by Microsoft Product Support Services to use a different value, you should set this value back to 1,000.

To start Ntdsutil.exe

  1. Click Start, and then click Run.

  2. In the Open text box, type ntdsutil, and then press ENTER. To view Help at any time, type ? at the command prompt.

To view policy settings

  1. At the Ntdsutil.exe command prompt, type LDAP policies, and then press ENTER.

  2. At the LDAP policy command prompt, type connections, and then press ENTER.

  3. At the server connection command prompt, type connect to server <DNS name of server>, and then press ENTER. Connect to the server that you are currently working with.

  4. At the server connection command prompt, type q, and then press ENTER to return to the previous menu.

  5. At the LDAP policy command prompt, type Show Values, and then press ENTER.

    A display of the policies as they exist appears.

    Note

    This procedure shows only the Default Domain Policy settings. If you apply your own policy setting, you cannot see it.

To change policy settings

  1. At the Ntdsutil.exe command prompt, type LDAP policies, and then press ENTER.

  2. At the LDAP policy command prompt, type Set MaxPageSize to 1000, and then press ENTER.

    You can use the Show Values command to verify your changes.

  3. To save the changes, use Commit Changes.

  4. When you finish, type q, and then press ENTER.

  5. To quit Ntdsutil.exe, at the command prompt, type q, and then press ENTER.

For more information about configuring LDAP policies, see the Microsoft Knowledge Base Article 315071, "How to view and set LDAP policy in Active Directory by using Ntdsutil.exe" (https://go.microsoft.com/fwlink/?LinkId=3052&kbid=315071).