Fully qualified domain names (FQDNs) in Active Directory cannot exceed 64 characters in total length, including hyphens and periods (.).


The limit on the number of entries in a discretionary access control list (DACL) or a security access control list (SACL) of an Active Directory object, stored in the nTSecurityDescriptor attribute, is approximately 1,820.

Security principals (that is, user, group, and computer accounts) can be members of a maximum of approximately 1,015 groups. This limitation is due to the size limit for the access token that is created for each security principal. The limitation is not affected by how the groups may or may not be nested.

Fully qualified domain names (FQDNs) in Active Directory cannot exceed 64 characters in total length, including hyphens and periods (.).

NetBIOS computer and domain names are limited to 15 characters. Domain Name System (DNS) host names are limited to 24 characters. OU names are limited to 64 characters. Display names are limited to 256 characters. Common names are limited to 64 characters. The SAM-Account-Name attribute (also known as the pre-Windows 2000 user logon name) is limited to 256 characters in the schema; however, for the purpose of backward compatibility, the limit is 20 characters.

During binds to the directory, simple LDAP bind operations limit the distinguished name (also known as DN) of the user to 255 total characters. If you attempt a simple LDAP bind with more than 255 characters, you might experience authentication errors, such as the following:

ERROR <49>: ldap_simple_bind_s() failed: Invalid Credentials
Server error: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 57, v1771
Error 0x80090308 The token supplied to the function is invalid

You can avoid this issue by ensuring that the applications, scripts, and utilities that attempt to bind to your directory use secure LDAP binds. You can also avoid it by reducing the depth of the OU structure or the length of the OU names. For example, the following distinguished name is 261 characters:

CN=BobKelly,OU=CorporateVicePresidents,OU=CorporateOfficers,ou=viewofpugetsoundoffices,ou=topfloor,ou=building1557,OU=CorporateCampus,OU=Redmond,OU=Washington,OU=Northwestern,ou=unitedstatesofamerica,ou=northamerica,dc=businessgroup,dc=humongousinsurance,dc=com

If the OU named CorporateVicePresidents is shortened to CVP, the distinguished name for the user account BobKelly is only 242 characters.

Trust limitations arise from the number of trusted domain objects (TDOs), the length of trust paths, and the ability of clients to discover available trusts. Limitations that apply include the following:

Kerberos clients can traverse a maximum of 10 trust links to locate a requested resource in another domain. If the trust path between the domains exceeds this limit, the attempt to access the domain fails. When a client searches out a trust path, the search is limited to the trusts that are established directly with a domain and the trusts that are transitive within a forest.

Previous testing shows that the increased time to complete TDO-related operations, such as authentication across domains, degrades performance noticeably if the Active Directory implementation in an organization contains more than 2,400 trusted domain objects (TDOs).

When you write scripts or applications that perform LDAP transactions, the recommended limit is to perform no more than 5,000 operations per LDAP transaction. An LDAP transaction is a group of directory operations (such as Add, Delete, and Modify) that are treated as one unit. If your script or application performs more than 5,000 operations in a single LDAP transaction, you are at risk of running into resource limits and an operational time-out. If that happens, all the operations (changes, additions, and modifications) in the transaction are rolled back, which means that you lose all those changes.

In Windows Active Directory environments, the recommended maximum number of members in a group is 5,000. This recommendation is based on the number of concurrent atomic changes that can be committed in a single database transaction.

For Windows 2000 Server, the recommended maximum number of domains in a forest is 800. For Windows Server 2003, the recommended maximum number of domains when the forest functional level is set to Windows Server 2003 (also known as forest functional level 2) is 1,200.
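As an added example (not part of the original document), the following Python checker applies the naming, DN-length and group-count limits quoted above to proposed values before they reach the directory. The function names and the minimal DN parser are assumptions of the example; the sample DN is the page's own 261-character example, re-joined from its wrapped lines.

```python
import re
# Limits transcribed from the page (characters unless noted otherwise)
LIMITS = {
    "fqdn": 64, "netbios": 15, "dns_host": 24,         # FQDN, NetBIOS name, DNS host name
    "ou": 64, "cn": 64, "display_name": 256,           # OU, common name, display name
    "sam_account": 20,                                 # pre-Windows 2000 logon name
    "simple_bind_dn": 255,                             # DN length for a simple LDAP bind
    "group_memberships": 1015, "group_members": 5000,  # per principal / per group
}

def split_dn(dn):
    """Split a DN into (attribute, value) pairs; a comma escaped as '\\,' is kept."""
    return [tuple(rdn.split("=", 1)) for rdn in re.split(r"(?<!\\),", dn)]

def check_dn(dn):
    """Return the limit violations for a DN that will be used in a simple bind."""
    problems = []
    if len(dn) > LIMITS["simple_bind_dn"]:
        problems.append(f"DN is {len(dn)} chars, over the 255-char simple bind limit")
    for attr, value in split_dn(dn):
        key = attr.lower()
        if key in ("ou", "cn") and len(value) > LIMITS[key]:
            problems.append(f"{attr}={value} is {len(value)} chars, over {LIMITS[key]}")
    return problems

def check_names(**names):
    """Check keyword args named after LIMITS keys, e.g. netbios='SRV01'."""
    return [f"{kind} '{value}' is {len(value)} chars, over {LIMITS[kind]}"
            for kind, value in names.items() if len(value) > LIMITS[kind]]

def check_counts(memberships=0, members=0):
    """Check a principal's group count and a group's member count."""
    problems = []
    if memberships > LIMITS["group_memberships"]:
        problems.append(f"{memberships} memberships exceeds ~1,015 (access token size)")
    if members > LIMITS["group_members"]:
        problems.append(f"{members} members exceeds the recommended 5,000 per group")
    return problems

# The page's 261-character example DN, re-joined from its wrapped lines
EXAMPLE_DN = ("CN=BobKelly,OU=CorporateVicePresidents,OU=CorporateOfficers,"
              "ou=viewofpugetsoundoffices,ou=topfloor,ou=building1557,"
              "OU=CorporateCampus,OU=Redmond,OU=Washington,OU=Northwestern,"
              "ou=unitedstatesofamerica,ou=northamerica,dc=businessgroup,"
              "dc=humongousinsurance,dc=com")

if __name__ == "__main__":
    print(check_dn(EXAMPLE_DN))                                                   # one violation
    print(check_dn(EXAMPLE_DN.replace("OU=CorporateVicePresidents", "OU=CVP")))  # []
```

Counting the shortened DN programmatically gives 241 characters rather than the 242 quoted above; either way it fits under the 255-character simple bind limit.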

To ensure reliable recovery of SYSVOL, we recommend a limit of 1200 domain controllers per domain.

The maximum recommended size for a Kerberos ticket is 48,000 bytes, which is configured through the MaxTokenSize REG_DWORD value in the registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters) or through Group Policy, as described in KB article 938118.

Note: the maximum allowed value of MaxTokenSize is 65,535 bytes. However, because of HTTP's base64 encoding of authentication context tokens, we do not recommend that you set the MaxTokenSize registry entry to a value larger than 48,000 bytes. Starting with Windows Server 2012, the default value of the MaxTokenSize registry entry is 48,000 bytes.