Sets the LDAP administration limits for the Default-Query Policy object. At the LDAP policies: prompt, type any of the parameters listed under Syntax.
Ntdsutil is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use ntdsutil, you must run the ntdsutil command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
For examples of how to use this command, see Examples.
Syntax
connections {cancel changes | commit changes} {list | set %s1 to %s2 | show values}
Parameters
| Parameter | Description |
|---|---|
| cancel changes | Cancels any uncommitted modifications of the LDAP administration limits to the default query policy. |
| commit changes | Commits all modifications of the LDAP administration limits to the default query policy. |
| connections | Invokes the Server connections submenu. |
| list | Lists all supported LDAP administration limits for the domain controller. |
| set %s1 to %s2 | Sets the value of the LDAP administration limit %s1 to the value %s2. |
| show values | Shows the current and proposed values for the LDAP administration limits. |
| %s | An alphanumeric variable, such as a domain or domain controller name. |
| quit | Takes you back to the previous menu or exits the utility. |
| ? | Displays help at the command prompt. |
| Help | Displays help at the command prompt. |
Remarks
- The following table lists and describes the LDAP administration limits, with the default value of each.

| Value | Description | Default |
|---|---|---|
| InitRecvTimeout | Initial receive time-out | 120 seconds |
| MaxConnections | Maximum number of open connections | 5000 |
| MaxConnIdleTime | Maximum amount of time a connection can be idle | 900 seconds |
| MaxNotificationPerConnection | Maximum number of notifications that a client can request for a given connection | 5 |
| MaxPageSize | Maximum page size supported for LDAP responses | 1000 records |
| MaxQueryDuration | Maximum length of time the domain controller can execute a query | 120 seconds |
| MaxTempTableSize | Maximum size of temporary storage allocated to execute queries | 10,000 records |
| MaxResultSetSize | Maximum size of the LDAP result set | 262144 bytes |
| MaxPoolThreads | Maximum number of threads created by the domain controller for query execution | 4 per processor |
| MaxDatagramRecv | Maximum number of datagrams that can be processed by the domain controller simultaneously | 1024 |
| MaxReceiveBuffer | Maximum size, in bytes, of a request that the server will accept | 10,485,760 bytes |
| MaxValRange | Maximum number of values that can be retrieved from a multivalued attribute in a single search request. This policy is only available in Windows Server 2003 and Windows Server 2008. | 1500 values |
- To ensure that domain controllers can support service level guarantees, you can specify operational limits for a number of Lightweight Directory Access Protocol (LDAP) operations. These limits prevent specific operations from adversely impacting the performance of the server and also make the server resilient to denial of service attacks.
LDAP policies are implemented by using objects of the class queryPolicy. Query Policy objects can be created in the container Query Policies, which is a child of the Directory Service container in the configuration directory partition. For example: CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services (configuration directory partition).
A domain controller uses the following three mechanisms to apply LDAP policies:
- A domain controller might refer to a specific LDAP policy. The NTDS Settings object includes an optional attribute queryPolicyObject, which contains the distinguished name of a Query Policy.
- In the absence of a specific query policy being applied to a domain controller, the domain controller applies the Query Policy that has been assigned to the domain controller's site. The ntDSSiteSettings object includes an optional attribute queryPolicyObject, which contains the distinguished name of a Query Policy.
- In the absence of a specific domain controller or site Query Policy, a domain controller uses the default query policy named Default-Query Policy.
A Query Policy object includes the multivalued attributes LDAPIPDenyList and LDAPAdminLimits. Ntdsutil allows the administrator to set the LDAP administration limits and IP Deny list for the Default-Query Policy object.
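The three resolution steps above can be checked from the directory itself rather than through ntdsutil. The following PowerShell script is an added example, not part of the ntdsutil documentation: it looks up the queryPolicyObject attribute on the domain controller's NTDS Settings object, then on its site's nTDSSiteSettings object, and falls back to the policy under the Query-Policies container, then prints that policy's lDAPAdminLimits and lDAPIPDenyList values. It assumes the ActiveDirectory PowerShell module is available; the domain controller name is a placeholder, and the wildcard used to find the default policy (the page names it Default-Query Policy) is an assumption.

```powershell
# Added example (not from the ntdsutil documentation): resolve which queryPolicy object
# governs a domain controller, following the DC -> site -> default order described above.
# Assumes the ActiveDirectory module; $DcName is a placeholder.
Import-Module ActiveDirectory

$DcName = "DC01"   # placeholder: short name of the domain controller to inspect
$Config = (Get-ADRootDSE).configurationNamingContext

# 1. DC-specific policy: queryPolicyObject on the NTDS Settings object.
$Dc = Get-ADDomainController -Identity $DcName
$NtdsSettings = Get-ADObject -Identity $Dc.NTDSSettingsObjectDN -Properties queryPolicyObject
$PolicyDn = $NtdsSettings.queryPolicyObject
$Source = "NTDS Settings object of $DcName"

# 2. Site-level policy: queryPolicyObject on the site's nTDSSiteSettings object.
if (-not $PolicyDn) {
    $SiteBase = "CN=$($Dc.Site),CN=Sites,$Config"
    $SiteSettings = Get-ADObject -Filter 'objectClass -eq "nTDSSiteSettings"' -SearchBase $SiteBase -Properties queryPolicyObject
    $PolicyDn = $SiteSettings.queryPolicyObject
    $Source = "nTDSSiteSettings object of site $($Dc.Site)"
}

# 3. Fallback: the default policy in the Query-Policies container. The exact RDN is
#    located with a wildcard (assumption) rather than hard-coded.
if (-not $PolicyDn) {
    $PoliciesBase = "CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$Config"
    $DefaultPolicy = Get-ADObject -Filter 'objectClass -eq "queryPolicy"' -SearchBase $PoliciesBase |
        Where-Object { $_.Name -like "Default*Query*Policy" } | Select-Object -First 1
    $PolicyDn = $DefaultPolicy.DistinguishedName
    $Source = "Default-Query Policy (no DC-specific or site policy assigned)"
}

# Read the two multivalued attributes that ntdsutil manages on the policy object.
$Policy = Get-ADObject -Identity $PolicyDn -Properties lDAPAdminLimits, lDAPIPDenyList

"Effective policy for $DcName comes from: $Source"
"Policy object: $($Policy.DistinguishedName)"
"LDAP administration limits (stored as Name=Value):"
$Policy.lDAPAdminLimits | Sort-Object
if ($Policy.lDAPIPDenyList) {
    "IP deny list entries: $($Policy.lDAPIPDenyList.Count)"
} else {
    "IP deny list: empty"
}
```

Running this for every domain controller and diffing the output against a known-good baseline is a cheap way to notice when a limit such as MaxConnections or MaxQueryDuration has been raised on one DC or site, which silently weakens the denial-of-service protection the limits provide.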
Examples
To show the current LDAP policy values, type:
ldap policy: show values
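Because ntdsutil accepts its menu commands as command-line arguments, the connect, show values and quit steps from the Syntax and Parameters sections can be run unattended and the result compared against the documented defaults. The script below is an added example, not part of the ntdsutil documentation: it binds to a domain controller through the connections submenu, runs show values, and flags any limit whose current value differs from the default in the Remarks table. The domain controller name is a placeholder, and the assumed output format of show values (a limit name followed by its numeric current value on one line) should be checked against the real output before relying on the comparison.

```powershell
# Added example (not from the ntdsutil documentation): run the ldap policies menu
# non-interactively and report limits that deviate from the documented defaults.
# $Server is a placeholder; the output parsing is an assumption about show values.
param(
    [string]$Server = "DC01.corp.example"   # placeholder domain controller name
)

# Documented defaults from the Remarks table (MaxPoolThreads is 4 per processor).
$Defaults = @{
    InitRecvTimeout              = 120
    MaxConnections               = 5000
    MaxConnIdleTime              = 900
    MaxNotificationPerConnection = 5
    MaxPageSize                  = 1000
    MaxQueryDuration             = 120
    MaxTempTableSize             = 10000
    MaxResultSetSize             = 262144
    MaxPoolThreads               = 4
    MaxDatagramRecv              = 1024
    MaxReceiveBuffer             = 10485760
    MaxValRange                  = 1500
}

# Each argument is one menu command, in the order you would type them interactively:
# enter the ldap policies menu, open connections, bind to the DC, return with quit,
# run show values, then quit twice to leave the utility.
$Output = & ntdsutil.exe "ldap policies" "connections" "connect to server $Server" "quit" "show values" "quit" "quit" 2>&1

# Assumed line shape: "<LimitName>   <current>" with an optional proposed value after it.
$Deviations = 0
foreach ($Line in $Output) {
    if ($Line -match '^\s*(?<Name>[A-Za-z]+)\s+(?<Current>\d+)') {
        $Name = $Matches.Name
        $Current = [int]$Matches.Current
        if ($Defaults.ContainsKey($Name)) {
            $Status = "default"
            if ($Current -ne $Defaults[$Name]) { $Status = "CHANGED"; $Deviations++ }
            "{0,-30} current={1,-10} default={2,-10} {3}" -f $Name, $Current, $Defaults[$Name], $Status
        }
    }
}
"Limits differing from documented defaults on ${Server}: $Deviations"
```

A value of 0 for the final count means the Default-Query Policy on that domain controller still matches the table above; any CHANGED line is worth reconciling with change records, since raising a limit such as MaxConnections or MaxReceiveBuffer enlarges the resources a single LDAP client can consume.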