Wednesday, 18 April 2018

Active Directory Limitations

According to the TechNet documentation, the limits are:

Maximum number of objects

- each AD domain controller can create up to 2.15 billion objects, because of the DNT (Distinguished Name Tag) limit; this counts every object replicated from all partitions the DC holds. A newly promoted DC starts its DNT counter again from zero. From Windows Server 2012 the RootDSE attribute approximateHighestInternalObjectID shows the current value;
- SID/RID limit: 1 billion (up to Windows Server 2008 R2) or 2 billion (from Windows Server 2012) per domain. This is the number of unique security principals that can be created over the lifetime of the domain; the RIDs of deleted accounts are never reused, so the limit cannot be avoided. The only way out is to migrate objects to a new domain, and to do so before the limit is reached: once it is reached, no new accounts can be created, including the accounts needed to create trusts;
- number of entries in a DACL: approximately 1,820 (because of the 64 kB size limit);
- group membership for security principals: 1,015. The limit applies only to security groups, because it comes from the size of the access token; membership in distribution groups does not count;
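The following PowerShell script is an added example, not code from the original post, that measures an environment against the four limits listed above: the DNT high-water mark from RootDSE, the RID pool from the RID Manager object, the number of security groups in each user's token, and the ACE count of a DACL. It assumes the ActiveDirectory module (RSAT) in a domain-joined session with read access to the directory; the threshold constants are the post's figures restated, and the helper names Get-RidPoolUsage, Get-TokenGroupCount and Get-AceCount are this example's own.

```powershell
# Added example (not from the original post): capacity checks for the object-count and
# token-size limits. Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
# Thresholds are the post's figures; helper function names are this example's own.
Import-Module ActiveDirectory

$DntLimit      = 2150000000   # ~2.15 billion DNTs per DC
$TokenGroupMax = 1015         # security-group SIDs that fit in a token
$DaclAceMax    = 1820         # approximate ACE count at the 64 kB DACL limit

$rootDse  = Get-ADRootDSE -Properties approximateHighestInternalObjectID
$domainDn = $rootDse.defaultNamingContext

# 1. DNT consumption on the DC we are bound to (attribute exists from Windows Server 2012 on)
$raw = $rootDse.approximateHighestInternalObjectID
if ($raw) {
    $dnt = [int64]$raw
    '{0}: highest DNT {1:N0} of {2:N0} ({3:P1} used)' -f $rootDse.dnsHostName, $dnt, $DntLimit, ($dnt / $DntLimit)
} else {
    '{0}: approximateHighestInternalObjectID not exposed (pre-2012 DC)' -f $rootDse.dnsHostName
}

# 2. RID pool. rIDAvailablePool on the RID Manager object packs two 32-bit values:
#    high half = ceiling of the pool, low half = next RID to be handed out.
function Get-RidPoolUsage {
    param([Parameter(Mandatory)][string]$DomainDn)
    $ridMgr  = Get-ADObject -Identity "CN=RID Manager$,CN=System,$DomainDn" -Properties rIDAvailablePool
    $pool    = [int64]$ridMgr.rIDAvailablePool
    $ceiling = [int64]($pool -shr 32)
    $nextRid = $pool -band [int64][uint32]::MaxValue
    [pscustomobject]@{
        Ceiling  = $ceiling
        NextRid  = $nextRid
        Fraction = $nextRid / $ceiling
    }
}
$rid = Get-RidPoolUsage -DomainDn $domainDn
'RID pool: {0:N0} of {1:N0} issued ({2:P2}); RIDs of deleted accounts are never returned' -f $rid.NextRid, $rid.Ceiling, $rid.Fraction

# 3. Token bloat. tokenGroups is a constructed attribute holding every security-group SID the
#    principal carries (nested groups expanded), so its count tracks the 1,015 limit directly.
function Get-TokenGroupCount {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $entry.RefreshCache(@('tokenGroups'))     # constructed attributes must be fetched explicitly
    return $entry.Properties['tokenGroups'].Count
}
Get-ADUser -Filter * -SearchBase $domainDn | ForEach-Object {
    $n = Get-TokenGroupCount -DistinguishedName $_.DistinguishedName
    if ($n -gt [int]($TokenGroupMax * 0.8)) {   # warn at 80% of the limit
        '{0}: {1} security groups in token (limit {2})' -f $_.SamAccountName, $n, $TokenGroupMax
    }
}

# 4. DACL size. Get-Acl over the AD: drive returns one ActiveDirectoryAccessRule per ACE.
function Get-AceCount {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    return (Get-Acl -Path "AD:\$DistinguishedName").Access.Count
}
'{0}: {1} ACEs in DACL (approximate limit {2})' -f $domainDn, (Get-AceCount -DistinguishedName $domainDn), $DaclAceMax
```

The RID check is the one worth scheduling: the pool only ever grows, so a trend line of NextRid against Ceiling tells you how many years of account churn remain before a domain migration becomes unavoidable. The 80% warning on token groups is an arbitrary early-warning margin, not a Microsoft figure.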

Name length limitations

- an FQDN can't be longer than 65 characters including dots and other characters, so long domain names are not a good idea;
- MAX_PATH: 260 characters. For example, to access a GPO the full path to its files must fit within this limit, so if 65 characters are taken by the domain name, the remaining budget must also hold the slashes, SYSVOL, the group policy GUID and so on;
- NetBIOS name: 15 characters (plus one special, invisible character);
- DNS host name: 24 characters;
- OU names: 64 characters;
- sAMAccountName: 20 characters (internally up to 255 characters is possible);
- simple bind name limit: up to 255 characters for the distinguished name; a longer DN fails with:
  Error <49>: ldap_simple_bind_s() failed: Invalid Credentials
  Server error: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 57, v1771
  Error 0x80090308 The token supplied to the function is invalid
  (the limit can be eliminated by using secure LDAP binds);
- number of GPOs applied: up to 999 per user or computer; this is not a limit on the total number of GPOs in the domain;
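The following PowerShell script is an added example, not code from the original post, that audits the name-length limits above: it reports the FQDN and NetBIOS name lengths, lists users and OUs whose names exceed the quoted limits, computes how much of the 260-character MAX_PATH budget is left under each GPO's SYSVOL folder, and shows the secure-bind alternative the post recommends over a simple bind with a long DN. It assumes the ActiveDirectory and GroupPolicy modules (RSAT) in a domain-joined session; the helper names Get-GpoPathBudget and Test-LdapBind and the server name in the usage line are this example's own placeholders.

```powershell
# Added example (not from the original post): audit of name-length limits and a
# secure-bind check. Assumes the ActiveDirectory and GroupPolicy modules (RSAT).
# Thresholds are the post's figures; helper names and the usage server are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$FqdnMax    = 65
$NetbiosMax = 15
$SamMax     = 20
$OuMax      = 64
$MaxPath    = 260

$domain = Get-ADDomain
'FQDN "{0}": {1} chars (limit {2})'    -f $domain.DNSRoot, $domain.DNSRoot.Length, $FqdnMax
'NetBIOS "{0}": {1} chars (limit {2})' -f $domain.NetBIOSName, $domain.NetBIOSName.Length, $NetbiosMax

# sAMAccountName longer than 20 characters: the directory stores it, but it exceeds the documented limit
Get-ADUser -Filter * -Properties sAMAccountName |
    Where-Object { $_.SamAccountName.Length -gt $SamMax } |
    ForEach-Object { '{0}: sAMAccountName has {1} chars (limit {2})' -f $_.DistinguishedName, $_.SamAccountName.Length, $SamMax }

# OU names over 64 characters
Get-ADOrganizationalUnit -Filter * |
    Where-Object { $_.Name.Length -gt $OuMax } |
    ForEach-Object { '{0}: OU name has {1} chars (limit {2})' -f $_.DistinguishedName, $_.Name.Length, $OuMax }

# MAX_PATH budget for GPO files: the fixed SYSVOL prefix is spent before any file
# below Machine\ or User\ is even named.
function Get-GpoPathBudget {
    param(
        [Parameter(Mandatory)][string]$DnsRoot,
        [Parameter(Mandatory)][guid]$GpoId,
        [int]$Limit = 260
    )
    # \\<fqdn>\SYSVOL\<fqdn>\Policies\{<guid>}\Machine\   (doubled braces are literal in -f)
    $prefix = '\\{0}\SYSVOL\{0}\Policies\{{{1}}}\Machine\' -f $DnsRoot, $GpoId
    [pscustomobject]@{
        Prefix    = $prefix
        Used      = $prefix.Length
        Remaining = $Limit - $prefix.Length
    }
}
Get-GPO -All | ForEach-Object {
    $b = Get-GpoPathBudget -DnsRoot $domain.DNSRoot -GpoId $_.Id -Limit $MaxPath
    '{0}: {1} of {2} MAX_PATH chars left for files under the GPO' -f $_.DisplayName, $b.Remaining, $MaxPath
}

# A simple bind sends the DN as the bind name (255-char limit). A Negotiate (Kerberos/NTLM)
# bind authenticates by account name instead and can be signed and sealed; this is the
# "secure LDAP bind" the post refers to.
function Test-LdapBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$UserName,   # DN for a simple bind, DOMAIN\user for Negotiate
        [Parameter(Mandatory)][securestring]$Password,
        [switch]$Simple
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $Server
    $conn.AuthType = if ($Simple) { 'Basic' } else { 'Negotiate' }
    $conn.SessionOptions.Signing = -not $Simple
    $conn.SessionOptions.Sealing = -not $Simple
    $cred = New-Object System.Net.NetworkCredential -ArgumentList $UserName, $Password
    try     { $conn.Bind($cred); return $true }
    catch   { Write-Warning $_.Exception.Message; return $false }
    finally { $conn.Dispose() }
}
# Usage (placeholder server and account):
# Test-LdapBind -Server 'dc01.example.test' -UserName 'EXAMPLE\svc-audit' -Password (Read-Host -AsSecureString)
```

Running Test-LdapBind twice, once with -Simple and the account's full DN and once without it, reproduces the failure mode quoted above on a long DN and confirms that the Negotiate bind is unaffected, because the DN never appears in the bind request.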

Trust limits

- Kerberos clients can traverse up to 10 trust links;
- only local trusts and transitive trusts are considered when looking up objects across trusts;

LDAP limits

- up to 5,000 operations per transaction;
