Yeah, that's why I said trivial.  As you say, even with limits, there are
things you can do to slow down servers so as to get close to a DoS situation.
We found this out a few weeks ago with the W32.Gaobot.WX virus: just doing a
bunch of bogus authorization requests via RPC can significantly slow down an
entire forest of DCs.

---Chuck

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, May 28, 2004 2:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 1000 user limit

Well, I'd disagree with you slightly Chuck. You could, in theory, still
DoS a DC even with paged searches. For example, submit many very
expensive searches at once.

That said, this is a general DC perf concern. Even those with good
intentions could cause a DC perf issue with adequately large page size
as the server churns on providing results to the client. It's not a hot
idea more generally.

If you need to change this, I mean *really* need to, you could focus the
change on the DSAs in a single site, or even just a single DC. But I
still don't like it, even for one DC. At least if it is a single DC the
impact is more localized though (i.e., not the whole forest).

~Eric


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Oppermann
Sent: Friday, May 28, 2004 3:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 1000 user limit

Agreed.  People should remember that it's not a "search limit"; it's the
maximum number of results in a single page of results returned.

Without limits like this, it would be trivial to write a Denial of Service
program that queries (objectClass=*) repetitively, forcing the server to keep
returning huge result sets to the client.

---Chuck

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, May 28, 2004 7:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 1000 user limit

Oy! Please do not do this!

MaxPageSize is there for a reason...it prevents us from having
long-running transactions that can hurt overall DB perf. Rather, use
paged searches. We implement paged searches as per the RFC spec.

If you're using ADSI, you can make it use paged searches with one extra
line of code....just tell the search what page size to use (say 1000)
and it will page for you under the hood.

~Eric

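The paged search Eric describes (ADSI setting a page size, AD answering per the RFC), shown as an added example rather than code from the list or from Microsoft: it hand-encodes the RFC 2696 paged-results control value in BER with the standard library and runs the client cookie loop against a constructed in-memory stand-in for a DC whose MaxPageSize is 1000. `FakeDC`, its cookie layout and the entry names are assumptions made for the demonstration.

```python
def _ber_len(n):
    if n < 128:                     # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body  # long form

def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def encode_paged_control(size, cookie=b""):
    # controlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }  (OID 1.2.840.113556.1.4.319)
    size_bytes = size.to_bytes(size.bit_length() // 8 + 1, "big")  # extra byte keeps sign clear
    return _tlv(0x30, _tlv(0x02, size_bytes) + _tlv(0x04, cookie))

def _read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                    # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def decode_paged_control(value):
    tag, body, _ = _read_tlv(value, 0)
    itag, size_bytes, pos = _read_tlv(body, 0)
    ctag, cookie, _ = _read_tlv(body, pos)
    assert (tag, itag, ctag) == (0x30, 0x02, 0x04), "malformed paged results control"
    return int.from_bytes(size_bytes, "big", signed=True), cookie

class FakeDC:  # constructed stand-in for a DC: a page never exceeds MaxPageSize entries
    MAX_PAGE_SIZE = 1000
    def __init__(self, n_entries):
        self.entries = [f"CN=user{i},DC=example,DC=com" for i in range(n_entries)]
    def search(self, control_value):
        size, cookie = decode_paged_control(control_value)
        start = int.from_bytes(cookie, "big") if cookie else 0   # assumed cookie layout
        end = min(start + min(size, self.MAX_PAGE_SIZE), len(self.entries))
        next_cookie = end.to_bytes(4, "big") if end < len(self.entries) else b""
        return self.entries[start:end], encode_paged_control(0, next_cookie)

def paged_search(send_search, page_size):
    """Client loop: resend with the server's cookie until it comes back empty; returns the pages."""
    cookie, pages = b"", []
    while True:
        entries, ctrl = send_search(encode_paged_control(page_size, cookie))
        pages.append(entries)
        _, cookie = decode_paged_control(ctrl)  # response size is advisory, ignored here
        if not cookie:                          # empty cookie ends the paged search
            return pages
```

Asking for a bigger page than MaxPageSize does not help: the stand-in, like a DC, still hands back at most 1000 entries per round trip, so the client simply makes more requests.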

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Friday, May 28, 2004 9:12 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 1000 user limit

I need to increase the search limit on 2003 so that when I do an ldap search
I can retrieve everything. Everywhere I look it just tells me to use
ntdsutil and change the maxpagesize (I believe that was it), but doesn't give
any specific permissions on how to do it. Do you guys have a link on the
details? Also, can I limit this ability to a single user?

OT - Is there a way to change permissions on a Global Address List in Exchange
2003 so that a certain group cannot see or use it? My reasoning for this
would be so that if a virus is executed that spreads via address book, then
it doesn't spread to every user in the Exchange Organization. Any other
ideas??

Also, is there an archive of this group?? Searchable??

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/