LDAP policies

Applies To: Windows Server 2003,Windows Server 2003,Windows Server 2003 R2,Windows Server 2003 R2,Windows Server 2008,Windows Server 2008,Windows Server 2003 with SP1,Windows Server 2003 with SP1

Sets the Lightweight Directory Access Protocol (LDAP) administration limits for the Default-Query Policy object. At the LDAP policies: prompt, type any of the parameters listed under Syntax.

This is a subcommand of Ntdsutil and Dsmgmt. Ntdsutil and Dsmgmt are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2. Ntdsutil is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. Dsmgmt is available if you have the AD LDS server role installed. These tools are also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkID=177813).

To use either of these tools, you must run them from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.

Syntax

	$lib:\\ldappolicies11.bmp$ Copy Code
connections {cancel changes \| commit changes} {list \| set %s1 to %s2 \| show values}

Parameters

Parameter	Description
cancel changes	Cancels any uncommitted modifications of the LDAP administration limits to the default query policy.
commit changes	Commits all modifications of the LDAP administration limits to the default query policy.
connections	Invokes the Server connections submenu.
list	Lists all supported LDAP administration limits for the domain controller.
set %s1 to %s2	Sets the value of the LDAP administration limit %s1 to the value %s2.
show values	Shows the current and proposed values for the LDAP administration limits.
%s	An alphanumeric variable, such as a domain or domain controller name.
quit	Takes you back to the previous menu, or exits the utility.
?	Displays Help at the command prompt.
Help	Displays Help at the command prompt.

Remarks

The following table lists and describes the LDAP administration limits, with default values noted in parentheses.

Value	Description
InitRecvTimeout	Initial receive time-out (120 seconds)
MaxConnections	Maximum number of open connections (5000)
MaxConnIdleTime	Maximum amount of time a connection can be idle (900 seconds)
MaxNotificationPerConnection	Maximum number of notifications that a client can request for a given connection (5)
MaxPageSize	Maximum page size supported for LDAP responses (1000 records)
MaxQueryDuration	Maximum length of time the domain controller can execute a query (120 seconds)
MaxTempTableSize	Maximum size of temporary storage allocated to execute queries (10,000 records)
MaxResultSetSize	Maximum size of the LDAP Result Set (262144 bytes)
MaxPoolThreads	Maximum number of threads created by the domain controller for query execution (4 per processor)
MaxDatagramRecv	Maximum number of datagrams that can be processed by the domain controller simultaneously (1024)
MaxReceiveBuffer	The maximum size, in bytes, of a request that the server will accept (10,485,760 bytes)
MaxValRange	The maximum number of values that can be retrieved from a multivalued attribute in a single search request (1500 values). This policy is available only in Windows Server 2003 and Windows Server 2008.

To ensure that domain controllers can support service-level guarantees, you can specify operational limits for a number of LDAP operations. These limits prevent specific operations from adversely impacting the performance of the server and also make the server resilient to denial-of-service attacks.

LDAP policies are implemented by using objects of the class queryPolicy. Query Policy objects can be created in the container Query Policies, which is a child of the Directory Service container in the configuration directory partition, for example, CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services (configuration directory partition).

A domain controller uses the following three mechanisms to apply LDAP policies:
A domain controller might refer to a specific LDAP policy. The NTDS Settings object includes an optional attribute queryPolicyObject, which contains the distinguished name of a Query Policy.
In the absence of a specific query policy being applied to a domain controller, the domain controller applies the Query Policy that has been assigned to the domain controller's site. The ntDSSiteSettings object includes an optional attribute queryPolicyObject, which contains the distinguished name of a Query Policy.
In the absence of a specific domain controller or site Query Policy, a domain controller uses the default query policy named Default-Query Policy.

A Query Policy object includes the multivalued attributes LDAPIPDenyList and LDAPAdminLimits. Ntdsutil allows the administrator to set the LDAP administration limits and IP Deny list for the Default-Query Policy object.
Ntdsutil does not correctly handle special characters, such as the apostrophe character ('), that you can enter at the ntdsutil: prompt at the command line. In some situations, there may be an alternative workaround. For more information, see local roles (http://go.microsoft.com/fwlink/?LinkId=157320).