ldap query exeeds size limit

[Guest]

Hi,
we are regurlary extracting all email adresses from AD to make a whitelist
for our mailexchanger (spam protection). To do so we had to apply the patch
described in KB 327049. After applying the latest updates (from last patch
day), we´re getting _size limit exceeded_ again. Reapplying the patch 327049
did not work.

Any suggestions ?

 

[Cary Shultz [A.D. MVP]]

This might be better posted in the ADSI news group.

More information might be useful. I have not read 327049 just yet. I can
only assume that it is the 1000 limit. This is a common problem. If I am
not mistaken there is a line of code that you can enter in the script. Just
do not have it right now....

I *think* that it would be something like this:

objComm.Properties("Page Size") = 1000

where the '1000' would be set to something else....

But I am not that good with ADSI so I might post it in the ADSI newsgroup.

You might also want to post the code for those guys. Joe K and Joe R will
be able to give you an answer very quickly!

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com

 

[Joe Richards [MVP]]

That KB confuses me, not sure what it would be fixing if we are talking about
the normal object return limit. If the issue is around 1000 or so objects then
you need to look at paging. Try using adfind (www.joeware.net) and see if you
can download all values. If you can't, use the -exterr to get the extended error
info and send it to my email (you can find it on my website) and I will take a
peel at it.

joe

 

[Simon Geary]

You can set the MaxPageSize value with ntdsutil, the default is 1000.
http://support.microsoft.com/kb/315071

 

[Guest]

Thanks - that solved my problem !

Regards
Martin

 

[Joe Richards [MVP]]

You do not want to do this. The number of items returned per page is a tuning
item and can drammatically impact domain controller performance and stability.
As you grow you will keep wanting to increase this and you will do so right up
until the point that you break the DCs and then you will be stuck looking at
trying to come up with another solution which will be the right solution that
you should have done in the first place.

I am not just saying this because I think that will happen. I have dealt with
several companies who have done it.

 

[Guest]

OK, then what would you propose ? We need to get all active email adresses
from AD, best is once per hour to be up to date when changes happen. ATM we
have about 2500 adresses. Before we did this we have gotten tons of spam
(topped about 900.000 Spam mails per hour - which killed our mailservers.)
Someone used our domain for mail spoofing, and we got all the NDR´s. So we
came up with a white list, only accepting mail for _existing_ recipients -
traffic dropped down to a "normal" level (about 400 mails per hour). So...we
need that list. Any suggestion on how to do it (retrieving that list)
otherwise is appreciated !

Best Regards

Martin

 

[Joe Richards [MVP]]

Again as mentioned in a couple of posts above, use an LDAP query tool or script
that utilizes paging. I have used it in multiple enterprise level corporations
enumerating literally hundreds of thousands of email addresses. You don't have
to use that tool, it just shows that it can be done if it is done properly.

Cary's post shows some info to search for to do it in an ADO script. You can
also do with Net::LDAP in perl or any tool/scripting language that allows LDAP
paging.

For instance, my command line AD query tool Adfind (www.joeware.net)
automatically does paging for all queries.


Here is a little blurb on paging on the MS website.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/paging_search_results.asp