Wednesday, September 21, 2011

Size does matter to Active Directory

I am working on a 200,000 user AD (large by Australian standards, about 10GB) and it got me thinking of limits and scale.

Domains and Domain controllers

  • There is a limit of 1,200 domain controllers due to SYSVOL FRS limits. This limit is removed by moving SYSVOL replication to DFSR.
  • Each domain controller in an Active Directory forest can create 2.15 billion objects during its lifetime
  • There is a limit of approximately 1 billion security identifiers (SIDs) over the life of a domain
  • OU names are limited to 64 characters
  • There is no limit to the depth of the OU structure
  • There is no limit to the number of users or other objects per OU
  • The maximum number of domains in a forest is 1,200.

Users and Groups

  • Display names are limited to 256 characters
  • Common names are limited to 64 characters
  • The SAM-Account-Name attribute (pre–Windows 2000 user logon name) is 256 characters in the schema. However, for backward compatibility the limit is 20 characters.
  • Users, groups, and computer accounts can be members of a maximum of approximately 1,015 groups
  • Groups can have millions of members, and Microsoft scalability testing reached 500 million members. Use W2K8 mode.
  • The maximum recommended size for a Kerberos ticket is 65,535 bytes; large tokens (think sIDHistory) can cause authentication problems with SharePoint/IIS.
  • A maximum of 999 Group Policy objects (GPOs) can be applied to a user account or computer account.

Naming and locating

  • Fully qualified domain names (FQDNs) in Active Directory cannot exceed 64 characters in total length, including hyphens and periods (.). Longer DNS names are possible, BUT they are not valid for AD resources.
  • NetBIOS computer and domain names are limited to 15 characters.
  • Domain Name System (DNS) host names are limited to 24 characters.
  • LDAP bind operations limit the distinguished name (also known as DN) of the user to 255 total characters.
  • Kerberos clients can traverse a maximum of 10 trust links to locate a requested resource in another domain; beyond that, the attempt to access the resource fails.
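As an added example (my own code, not part of the original post), a small Python checker that runs constructed directory records against the limits above: sAMAccountName, CN, OU and DN length, group-membership count and Kerberos token size. The token-size figure uses Microsoft's published estimate TokenSize = 1200 + 40d + 8s (KB 327825), which is not on this page, and the DN parsing is a simplified comma split that does not handle escaped commas.

```python
# Constructed sample records, not live AD data, checked against the limits listed above.
# Token size uses Microsoft's estimate TokenSize = 1200 + 40*d + 8*s (KB 327825), not from this page.
from dataclasses import dataclass

MAX_SAM = 20         # backward-compatible sAMAccountName length
MAX_CN = 64          # common name
MAX_OU = 64          # OU name
MAX_DN = 255         # distinguished name accepted by an LDAP bind
MAX_GROUPS = 1015    # approximate group-membership ceiling per principal
MAX_TICKET = 65535   # recommended Kerberos ticket size

@dataclass
class Principal:
    sam: str
    dn: str                      # e.g. "CN=Jane Doe,OU=Sales,DC=corp,DC=example"
    global_in_domain: int = 0    # global/universal groups in the user's own domain ("s")
    local_or_foreign: int = 0    # domain-local groups and universal groups from other domains
    sid_history: int = 0         # entries in sIDHistory; each one adds a SID to the token

def estimated_token_size(p):
    d = p.local_or_foreign + p.sid_history   # "d" in the KB 327825 formula
    return 1200 + 40 * d + 8 * p.global_in_domain

def check(p):
    """Return (code, message) pairs for every limit the record exceeds."""
    findings = []
    if len(p.sam) > MAX_SAM:
        findings.append(("sam", f"sAMAccountName is {len(p.sam)} chars, limit {MAX_SAM}"))
    if len(p.dn) > MAX_DN:
        findings.append(("dn", f"DN is {len(p.dn)} chars, LDAP bind limit {MAX_DN}"))
    # Simplified DN split: every comma is treated as a separator (escaped commas not handled).
    for kind, value in (part.split("=", 1) for part in p.dn.split(",")):
        if kind.upper() == "CN" and len(value) > MAX_CN:
            findings.append(("cn", f"CN '{value}' exceeds {MAX_CN} chars"))
        if kind.upper() == "OU" and len(value) > MAX_OU:
            findings.append(("ou", f"OU '{value}' exceeds {MAX_OU} chars"))
    groups = p.global_in_domain + p.local_or_foreign
    if groups > MAX_GROUPS:
        findings.append(("groups", f"{groups} group memberships, limit is about {MAX_GROUPS}"))
    size = estimated_token_size(p)
    if size > MAX_TICKET:
        findings.append(("token", f"estimated token {size} bytes exceeds {MAX_TICKET}"))
    return findings

SAMPLE = [  # constructed records: one clean user, one migrated account with sIDHistory bloat
    Principal("jdoe", "CN=Jane Doe,OU=Sales,DC=corp,DC=example", 30, 10, 0),
    Principal("migrated_service_account_01",
              "CN=Migrated Service Account 01,OU=Svc,DC=corp,DC=example", 400, 900, 800),
]
```

Run `for p in SAMPLE: print(p.sam, check(p))` to see the second record flagged for its 27-character logon name, 1,300 group memberships and an estimated 72,400-byte token.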


Sources: Primarily

And other places…
