RE: [ActiveDir] Effect of change to MaxValRange
MaxValRange - This value controls the number of values that are returned for an attribute of an object, independent of how many attributes that object has, or of how many objects were in the search result. In Windows 2000 this control is hard coded at 1,000. If an attribute has more than the number of values that are specified by the MaxValRange value, you must use value range controls in LDAP to retrieve values that exceed the MaxValRange value. MaxValueRange controls the number of values that are returned on a single attribute on a single object. The repurcussion is that it would be easier to allow a bad or otherwise expensive query have a greater impact on your domain controllers. Generally it's not a good idea to change this safeguard. My advice? I think it should be considered a high risk item. The reason is because if the vendor is unwilling to change their query to be more efficient, then it indicates to me that there is a significant risk of that same vendor taking down my DCs with a bad query. It also opens the door for other vendors to cause that same issue. Force the vendor to fix the query else find another vendor if you can. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, June 17, 2005 10:50 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Effect of change to MaxValRange All, What are the effects of changing the MaxValRange value? I have a vendor that does not want to change their code for LDAP queries that exceed this value. I wanted to know what repercussions I would experience if I increase it to 4,000. Chris List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Effect of change to MaxValRange
What happens when that isn't enough and they refuse to change again and you have to change your policy once more? How do you know you hit the limit and you aren't dropping entries? The application surely won't know. It will simply think there were only 4000 values and be done with it. If that attribute is for anything important, that could surely spell disaster for something. It could break applications that handle ranging but have a hard coded value for how big they think the ranges are. This happened to several applications I heard about as well as my own adfind because the developers (and I) assumed that the range returned would always be a certain size. Hopefully it shouldn't be many now since we got caught out in the 2K to K3 MaxValRange change from 1000 to 1500 but you never know. How the apps break depends on the apps, adfind would display some of the same values multiple times. One app I heard would fault out because it knew there couldn't be duplicate values and would hit them thinking there was a directory corruption issue. I expect there could be some hit on perf from slight to pretty bad as additional resources would be tied up for every query that hit objects with more than 1500 values. I am not sure, this isn't something I would ever consider doing outside of playtime in the lab. It is just too dangerous in my opinion. I would consider increasing MaxResultSetSize before I increased MaxValRange and I almost certainly wouldn't ever increase MaxResultSetSize either. I would severely question using that vendor because you don't know what other things they aren't doing correctly for Active Directory. Production AD is not the place to play with crappy directory aware apps. Exchange is more than enough. :o) joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, June 17, 2005 10:50 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Effect of change to MaxValRange All, What are the effects of changing the MaxValRange value? I have a vendor that does not want to change their code for LDAP queries that exceed this value. I wanted to know what repercussions I would experience if I increase it to 4,000. Chris List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Effect of change to MaxValRange
Resend... -Original Message- From: joe [mailto:[EMAIL PROTECTED] Sent: Friday, June 17, 2005 11:34 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Effect of change to MaxValRange What happens when that isn't enough and they refuse to change again and you have to change your policy once more? How do you know you hit the limit and you aren't dropping entries? The application surely won't know. It will simply think there were only 4000 values and be done with it. If that attribute is for anything important, that could surely spell disaster for something. It could break applications that handle ranging but have a hard coded value for how big they think the ranges are. This happened to several applications I heard about as well as my own adfind because the developers (and I) assumed that the range returned would always be a certain size. Hopefully it shouldn't be many now since we got caught out in the 2K to K3 MaxValRange change from 1000 to 1500 but you never know. How the apps break depends on the apps, adfind would display some of the same values multiple times. One app I heard would fault out because it knew there couldn't be duplicate values and would hit them thinking there was a directory corruption issue. I expect there could be some hit on perf from slight to pretty bad as additional resources would be tied up for every query that hit objects with more than 1500 values. I am not sure, this isn't something I would ever consider doing outside of playtime in the lab. It is just too dangerous in my opinion. I would consider increasing MaxResultSetSize before I increased MaxValRange and I almost certainly wouldn't ever increase MaxResultSetSize either. I would severely question using that vendor because you don't know what other things they aren't doing correctly for Active Directory. Production AD is not the place to play with crappy directory aware apps. Exchange is more than enough. :o) joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, June 17, 2005 10:50 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Effect of change to MaxValRange All, What are the effects of changing the MaxValRange value? I have a vendor that does not want to change their code for LDAP queries that exceed this value. I wanted to know what repercussions I would experience if I increase it to 4,000. Chris List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Effect of change to MaxValRange
Thanks for the feedback. I thought some of the experts would be able to better articulate the consequences of changing that value. I read about it in Eric's Blog and based on the information I had come up with this response to changing the value. Performance issues include increased processor time to run the query and increased network bandwidth to send unnecessary query results. If the answer to the query is found in the first 1500 results there is no need to send another 2500 records. This setting affects all applications, so if multiple queries are run with an unspecified range it will return all of the results to every query and as more applications begin to use Active Directory for LDAP queries we will feel the performance hit. I think I was basically right. Thanks for helping me strengthen my point. joe [EMAIL PROTECTED] .net To Sent by: ActiveDir@mail.activedir.org [EMAIL PROTECTED] cc ail.activedir.org Subject RE: [ActiveDir] Effect of change to 06/17/2005 11:33 MaxValRange AM Please respond to [EMAIL PROTECTED] tivedir.org What happens when that isn't enough and they refuse to change again and you have to change your policy once more? How do you know you hit the limit and you aren't dropping entries? The application surely won't know. It will simply think there were only 4000 values and be done with it. If that attribute is for anything important, that could surely spell disaster for something. It could break applications that handle ranging but have a hard coded value for how big they think the ranges are. This happened to several applications I heard about as well as my own adfind because the developers (and I) assumed that the range returned would always be a certain size. Hopefully it shouldn't be many now since we got caught out in the 2K to K3 MaxValRange change from 1000 to 1500 but you never know. How the apps break depends on the apps, adfind would display some of the same values multiple times. One app I heard would fault out because it knew there couldn't be duplicate values and would hit them thinking there was a directory corruption issue. I expect there could be some hit on perf from slight to pretty bad as additional resources would be tied up for every query that hit objects with more than 1500 values. I am not sure, this isn't something I would ever consider doing outside of playtime in the lab. It is just too dangerous in my opinion. I would consider increasing MaxResultSetSize before I increased MaxValRange and I almost certainly wouldn't ever increase MaxResultSetSize either. I would severely question using that vendor because you don't know what other things they aren't doing correctly for Active Directory. Production AD is not the place to play with crappy directory aware apps. Exchange is more than enough. :o) joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, June 17, 2005 10:50 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Effect of change to MaxValRange All, What are the effects of changing the MaxValRange value? I have a vendor that does not want to change their code for LDAP queries that exceed this value. I wanted to know what repercussions I would experience if I increase it to 4,000. Chris List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Effect of change to MaxValRange
I also posted to this dl once before on MaxPageSize. The same argument could be made for MaxValRange as I made for MaxPageSize. ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, June 17, 2005 11:15 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Effect of change to MaxValRange Thanks for the feedback. I thought some of the experts would be able to better articulate the consequences of changing that value. I read about it in Eric's Blog and based on the information I had come up with this response to changing the value. Performance issues include increased processor time to run the query and increased network bandwidth to send unnecessary query results. If the answer to the query is found in the first 1500 results there is no need to send another 2500 records. This setting affects all applications, so if multiple queries are run with an unspecified range it will return all of the results to every query and as more applications begin to use Active Directory for LDAP queries we will feel the performance hit. I think I was basically right. Thanks for helping me strengthen my point. joe [EMAIL PROTECTED] .net To Sent by: ActiveDir@mail.activedir.org [EMAIL PROTECTED] cc ail.activedir.org Subject RE: [ActiveDir] Effect of change to 06/17/2005 11:33 MaxValRange AM Please respond to [EMAIL PROTECTED] tivedir.org What happens when that isn't enough and they refuse to change again and you have to change your policy once more? How do you know you hit the limit and you aren't dropping entries? The application surely won't know. It will simply think there were only 4000 values and be done with it. If that attribute is for anything important, that could surely spell disaster for something. It could break applications that handle ranging but have a hard coded value for how big they think the ranges are. This happened to several applications I heard about as well as my own adfind because the developers (and I) assumed that the range returned would always be a certain size. Hopefully it shouldn't be many now since we got caught out in the 2K to K3 MaxValRange change from 1000 to 1500 but you never know. How the apps break depends on the apps, adfind would display some of the same values multiple times. One app I heard would fault out because it knew there couldn't be duplicate values and would hit them thinking there was a directory corruption issue. I expect there could be some hit on perf from slight to pretty bad as additional resources would be tied up for every query that hit objects with more than 1500 values. I am not sure, this isn't something I would ever consider doing outside of playtime in the lab. It is just too dangerous in my opinion. I would consider increasing MaxResultSetSize before I increased MaxValRange and I almost certainly wouldn't ever increase MaxResultSetSize either. I would severely question using that vendor because you don't know what other things they aren't doing correctly for Active Directory. Production AD is not the place to play with crappy directory aware apps. Exchange is more than enough. :o) joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, June 17, 2005 10:50 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Effect of change to MaxValRange All, What are the effects of changing the MaxValRange value? I have a vendor that does not want to change their code for LDAP queries that exceed this value. I wanted to know what repercussions I would experience if I increase it to 4,000. Chris List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/