Export (0) Print
Expand All
This topic has not yet been rated - Rate this topic

Managing Lightweight Directory Access Protocol Policies

To ensure that domain controllers can support service level guarantees, you need to specify operational limits for a number of Lightweight Directory Access Protocol (LDAP) operations. These limits prevent specific operations from adversely impacting the performance of the server and also make the server resilient to denial of service attacks.

LDAP policies are implemented by using objects of the class queryPolicy. Query Policy objects can be created in the container Query Policies, which is a child of the Directory Service container in the configuration naming context. For example: cn=Query-Policies, cn=Directory Service, cn=Windows NT, cn=Services < configuration naming context >.

A domain controller uses the following three mechanisms to apply LDAP policies:

  • A domain controller might refer to a specific LDAP policy. The nTDSASettings object includes an optional attribute queryPolicyObject, which contains the distinguished name of a Query Policy.

  • In the absence of a specific query policy being applied to a domain controller, the domain controller applies the Query Policy that has been assigned to the domain controller's site. The ntDSSiteSettings object includes an optional attribute queryPolicyObject, which contains the distinguished name of a Query Policy.

  • In the absence of a specific domain controller or site Query Policy, a domain controller uses the default query policy named Default-Query Policy.

A Query Policy object includes the multivalued attributes LDAPIPDenyList and LDAPAdminLimits. Ntdsutil allows the administrator to set the LDAP administration limits and IP Deny list for the Default-Query Policy object.

The LDAP administration limits (with defaults in parentheses) are the following:

InitRecvTimeout    Initial receive time-out (120 seconds).

MaxConnections    Maximum number of open connections (5000).

MaxConnIdleTime    Maximum amount of time a connection can be idle (900 seconds).

MaxActiveQueries    Maximum number of queries that can be active at one time (20).

MaxNotificationPerConnection    Maximum number of notifications that a client can request for a given connection (5).

MaxPageSize    Maximum page size supported for LDAP responses (1000 records).

MaxQueryDuration    Maximum length of time the domain controller can execute a query (120 seconds).

MaxTempTableSize    Maximum size of temporary storage allocated to execute queries (10,000 records).

MaxResultSetSize    Maximum size of the LDAP Result Set (262144 bytes).

MaxPoolThreads    Maximum number of threads created by the domain controller for query execution (4 per processor).

MaxDatagramRecv    Maximum number of datagrams that can be processed by the domain controller simultaneously (1024).

Table C.8 lists and describes the LDAP policies commands.

Table C.8 LDAP Policies Commands

Command

Description

Cancel

Cancels any uncommitted modifications of the LDAP administration limits to the default query policy.

Commit

Commits all modifications of the LDAP administration limits to the default query policy.

List

Lists all supported LDAP administration limits for the domain controller.

Set %s1 to %s2

Sets the value of the LDAP administration limit % s1 to the value % s2 .

Show values

Shows the current and proposed values for the LDAP administration limits.

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.