Unexpected Results in LDAP Policies

In troubleshooting an issue with a third-party application which uses AD authentication, I needed to check the MaxConnections in the LDAP policies. I found that MaxConnections was set to the default of 5000, so that was exactly as expected.

However, in checking these policies using ntdsutil, I noticed some settings which are not at default on our DCs:

MaxDatagramRecv = 1024 (default 4096)

MinResultSets = 0 (default 3)

MaxResultSetsPerConn = 0 (default 10)

MaxValRange = 0 (default 1500)

MinResultSets = 0 (default 3)

MaxBatchReturnMessages = 0 (default 1100)

We have a Windows 2012 R2 domain/forest functional level. It began long ago as a Windows 2000 domain, then went to 2003, 2008 R2 and 2012 R2.

I'm hoping someone can answer as to whether these values can be expected in our scenario.

August 26th, 2015 3:41pm

Hi,

I have checked LDAP policies on my testing environment with 2012 R2 domain and forest functional level, and I haven't changed any LDAP policies; here is the output below:

Compared to your LDAP policy results, only MaxDatagramRecv, MaxValRange have different values.

The way I see it, these values could have been changed by administrators; you may change them back to the default values using the Set option in ntdsutil.

More information for you:

LDAP policies

https://technet.microsoft.com/en-us/library/cc770976.aspx?f=255&MSPPError=-2147217396

MaxValRange Is Non-Default

https://technet.microsoft.com/en-us/library/cc540450%28v=exchg.80%29.aspx?f=255&MSPPError=-2147217396

Best Regards,

Amy

August 27th, 2015 4:47am

Thanks, that is helpful. However, I did the exact same thing last night in my own test Windows 2012 R2 AD and I got the exact same settings as here in production:

Policy                          Current(New)
MaxPoolThreads                  4
MaxPercentDirSyncRequests       0
MaxDatagramRecv                 1024
MaxReceiveBuffer                10485760
InitRecvTimeout                 120
MaxConnections                  5000
MaxConnIdleTime                 900
MaxPageSize                     1000
MaxBatchReturnMessages          0
MaxQueryDuration                120
MaxTempTableSize                10000
MaxResultSetSize                262144
MinResultSets                   0
MaxResultSetsPerConn            0
MaxNotificationPerConn          5
MaxValRange                     0
MaxValRangeTransitive           0
ThreadMemoryLimit               0
SystemMemoryLimitPercent        0

My test environment (which is also default) has nothing at all to do with the prod environment here, but one commonality is that they both started long ago as Windows 2000 domains, then went to 2003, 2008 R2 and 2012 R2. My guess is that this is the reason.

I'm going to leave the settings as they are.

August 27th, 2015 9:48am

Update to this....

I have been able to check two more 2012 R2 AD domains. One started out as Windows 2000 and the other started out as Windows 2003. Here are the results of everything I've checked:

Three domains which originally were Windows 2000 - MaxDatagramRecv: 1024; MaxValRange: 0

Domain which originally was Windows 2003 - MaxDatagramRecv: 4096; MaxValRange: 1500

(I'm guessing that your test domain did not begin as Windows 2000.)

I think we can surmise that this issue occurs when the forest was originally Windows 2000, but it doesn't seem to show up until the domain is at Windows 2012(R2). I really need to know whether I can just leave this as is, or if it's an actual problem that should be corrected.

August 27th, 2015 11:55am

Hi,

Seems like the culprit has been found.

(I'm guessing that your test domain did not begin as Windows 2000.)

No, my testing domain was built with Windows 2012 R2 servers.

I really need to know whether I can just leave this as is, or if it's an actual problem that should be corrected.

I don't think that we can leave the value of MaxValRange at 0, since the MaxValRange value of the LDAPAdminLimits attribute controls the number of values that are returned for an attribute of an object; leaving it at 0 would result in no attribute values being returned for an LDAP query.

Therefore, please set MaxValRange to 1500.

As for the other one, MaxDatagramRecv, which indicates the maximum size of a datagram request that a domain controller will process, we can leave it as it is.

More information for you:

How to view and set LDAP policy in Active Directory by using Ntdsutil.exe

https://support.microsoft.com/en-us/kb/315071

Best Regards,

Amy

August 27th, 2015 10:37pm
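A way to audit the same settings without ntdsutil, as an added example that is not part of this thread: read the lDAPAdminLimits attribute of the Default Query Policy with the ActiveDirectory PowerShell module and flag any value that differs from the defaults quoted above. The defaults table is taken from the values quoted in the thread and KB 315071, and the policy DN path and an RSAT-equipped, domain-joined session are assumptions.

```powershell
# Added example, not from the thread: compare the Default Query Policy's
# lDAPAdminLimits against the default LDAP policy values.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

# Defaults as quoted in the thread and in KB 315071 (assumed baseline; adjust if yours differs)
$defaults = @{
    MaxConnections         = 5000
    MaxDatagramRecv        = 4096
    MinResultSets          = 3
    MaxResultSetsPerConn   = 10
    MaxValRange            = 1500
    MaxBatchReturnMessages = 1100
    MaxPageSize            = 1000
}

# The forest-wide Default Query Policy lives in the Configuration partition
$configNC = (Get-ADRootDSE).configurationNamingContext
$policyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
            "CN=Windows NT,CN=Services,$configNC"

# lDAPAdminLimits is multi-valued; each entry has the form "Name=Value"
$policy  = Get-ADObject -Identity $policyDN -Properties lDAPAdminLimits
$current = @{}
foreach ($entry in $policy.lDAPAdminLimits) {
    $name, $value = $entry -split '=', 2
    $current[$name] = [int]$value
}

# Report each limit we care about, marking anything that is not at its default
foreach ($name in ($defaults.Keys | Sort-Object)) {
    $actual = $current[$name]
    $status = if ($null -eq $actual) { 'not present in lDAPAdminLimits' }
              elseif ($actual -ne $defaults[$name]) { "NON-DEFAULT (default $($defaults[$name]))" }
              else { 'default' }
    '{0,-24} {1,-8} {2}' -f $name, $actual, $status
}
```

Run it once per forest (the policy is forest-wide); a DC can also be given its own query policy, so check the queryPolicyObject attribute of the DC's NTDS Settings object if a server's ntdsutil output still disagrees.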
