LDAP query exceeds size limit

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi,
we are regularly extracting all email addresses from AD to make a whitelist
for our mail exchanger (spam protection). To do so we had to apply the patch
described in KB 327049. After applying the latest updates (from last patch
day), we're getting _size limit exceeded_ again. Reapplying the patch 327049
did not work.

Any suggestions?


--
Assimilated you will be, yes. Futile resistance is. Yoda of Borg I am...
  1.

    This might be better posted in the ADSI news group.

    More information might be useful. I have not read 327049 just yet. I can
    only assume that it is the 1000 limit. This is a common problem. If I am
    not mistaken there is a line of code that you can enter in the script. Just
    do not have it right now....

    I *think* that it would be something like this:

    objComm.Properties("Page Size") = 1000

    where the '1000' would be set to something else....

    But I am not that good with ADSI so I might post it in the ADSI newsgroup.

    You might also want to post the code for those guys. Joe K and Joe R will
    be able to give you an answer very quickly!

    --
    Cary W. Shultz
    Roanoke, VA 24012
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com

  2.

    That KB confuses me, not sure what it would be fixing if we are talking about
    the normal object return limit. If the issue is around 1000 or so objects then
    you need to look at paging. Try using adfind (www.joeware.net) and see if you
    can download all values. If you can't, use the -exterr to get the extended error
    info and send it to my email (you can find it on my website) and I will take a
    peek at it.

    joe

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


  3.

    You can set the MaxPageSize value with ntdsutil, the default is 1000.
    http://support.microsoft.com/kb/315071

  4.

    Thanks - that solved my problem !

    Regards
    Martin
    --
    Assimilated you will be, yes. Futile resistance is. Yoda of Borg I am...

  5.

    You do not want to do this. The number of items returned per page is a tuning
    item and can dramatically impact domain controller performance and stability.
    As you grow you will keep wanting to increase this and you will do so right up
    until the point that you break the DCs and then you will be stuck looking at
    trying to come up with another solution which will be the right solution that
    you should have done in the first place.

    I am not just saying this because I think that will happen. I have dealt with
    several companies who have done it.

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


  6.

    OK, then what would you propose? We need to get all active email addresses
    from AD, best is once per hour to be up to date when changes happen. ATM we
    have about 2500 addresses. Before we did this we have gotten tons of spam
    (topped about 900.000 spam mails per hour - which killed our mail servers.)
    Someone used our domain for mail spoofing, and we got all the NDRs. So we
    came up with a white list, only accepting mail for _existing_ recipients -
    traffic dropped down to a "normal" level (about 400 mails per hour). So...we
    need that list. Any suggestion on how to do it (retrieving that list)
    otherwise is appreciated!

    Best Regards

    Martin
    --
    Assimilated you will be, yes. Futile resistance is. Yoda of Borg I am...

  7.

    Again as mentioned in a couple of posts above, use an LDAP query tool or script
    that utilizes paging. I have used it in multiple enterprise level corporations
    enumerating literally hundreds of thousands of email addresses. You don't have
    to use that tool, it just shows that it can be done if it is done properly.

    Cary's post shows some info to search for to do it in an ADO script. You can
    also do it with Net::LDAP in Perl or any tool/scripting language that allows LDAP
    paging.

    For instance, my command line AD query tool Adfind (www.joeware.net)
    automatically does paging for all queries.


    Here is a little blurb on paging on the MS website.

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/paging_search_results.asp


    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net
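
The paging recommended in this reply, as an added example that is not part of the original thread: a Python simulation of the LDAP simple paged results control (RFC 2696) against a mock server that enforces MaxPageSize. The directory contents, function names and cookie encoding are constructed for illustration; the point is that a paged client retrieves all 2500 addresses while the server-side limit stays at its default of 1000.

```python
# Simulation of LDAP simple paged results (RFC 2696) against a server-side
# MaxPageSize. All names and data here are constructed for illustration.
MAX_PAGE_SIZE = 1000        # default LDAP policy value mentioned in the thread
SUCCESS = 0                 # LDAP resultCode success
SIZE_LIMIT_EXCEEDED = 4     # LDAP resultCode sizeLimitExceeded

# Constructed directory: 2500 mail-enabled users, as in the thread.
DIRECTORY = [f"user{i:04d}@example.com" for i in range(2500)]


def server_search(page_size=None, cookie=b""):
    """Mock domain controller. Returns (entries, result_code, next_cookie)."""
    if page_size is None:
        # No paging control: the server stops at MaxPageSize and reports an error.
        entries = DIRECTORY[:MAX_PAGE_SIZE]
        code = SIZE_LIMIT_EXCEEDED if len(DIRECTORY) > MAX_PAGE_SIZE else SUCCESS
        return entries, code, b""
    # Paging control present. The cookie is opaque to the client; in this
    # mock it is simply the offset of the next entry.
    start = int(cookie) if cookie else 0
    size = min(page_size, MAX_PAGE_SIZE)   # requests above the limit are clamped
    end = start + size
    next_cookie = str(end).encode() if end < len(DIRECTORY) else b""
    return DIRECTORY[start:end], SUCCESS, next_cookie


def paged_search(page_size):
    """Client loop: resend the search with the returned cookie until it is empty."""
    if page_size < 1:
        raise ValueError("page size must be at least 1")
    results, round_trips, cookie = [], 0, b""
    while True:
        entries, code, cookie = server_search(page_size, cookie)
        if code != SUCCESS:
            raise RuntimeError(f"LDAP error {code}")
        results.extend(entries)
        round_trips += 1
        if not cookie:
            return results, round_trips


if __name__ == "__main__":
    entries, code, _ = server_search()
    print(f"unpaged: {len(entries)} entries, resultCode={code}")
    for size in (500, 5000):
        addrs, trips = paged_search(size)
        print(f"page size {size}: {len(addrs)} entries in {trips} round trips")
```
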

