Re: [ActiveDir] Kerberos MaxTokenSize and too many groups issues
Good news is, if you look around on the Exchange team blog site, you'll find articles about Exchange 2007 on 64-bit Windows (it's not going to support a 32-bit OS) and basically the paged pool memory issue goes away completely (lots more room for that stuff when we're talking about 64-bit addressing). Only problem with that is that you have to make sure that your spam filtering and antivirus software will support it. Once you have your antivirus and spam support for Exchange 2007, I honestly can't think of a good reason to stick with Exchange 2000 or 2003 any more.

On 7/12/06, Freddy HARTONO <[EMAIL PROTECTED]> wrote:

Thanks guys, really helpful. Didn't know how bad things can be with those huge groups... like paged pool memory issues.

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
RE: [ActiveDir] Kerberos MaxTokenSize and too many groups issues
Thanks guys, really helpful. Didn't know how bad things can be with those huge groups... like paged pool memory issues.

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, July 12, 2006 4:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos MaxTokenSize and too many groups issues

Just noticed that we both referred to the same token limitation article. It's easy to find when you know what to look for. If you do a search in Google for "Token limitation" it's the first item that pops up.
Re: [ActiveDir] Kerberos MaxTokenSize and too many groups issues
Just noticed that we both referred to the same token limitation article. It's easy to find when you know what to look for. If you do a search in Google for "Token limitation" it's the first item that pops up.
Re: [ActiveDir] Kerberos MaxTokenSize and too many groups issues
Not sure where you're at with the number of groups per user. I like to think of the initial setting for token size as a way of saying "You really need to get your security model under control or fix this user's group memberships". At 12k, you shouldn't really be pushing the limit until you're around 250 groups for a user. Bumping up to a larger token size is fine to fix your short-term issue, but ends up with users being members of potentially excessive (and possibly unnecessary) groups. It's one of those squeaky wheel things, where if it don't squeak, nobody's going to think about it. I'd recommend that in most situations you shouldn't modify the setting, simply so that your group memberships don't get out of hand, but if you find it's necessary, you should modify it in small increments (16k, then 20k); every 4k should allow you to fit in another 80 groups or so.

Another good reason to limit the amount that you let your tokens grow is that Exchange on a 32-bit OS will use several tokens per user and there is only around 150MB (give or take) available in Paged Pool memory for tokens. Once you break that limit, you end up with your servers crashing. If you are running 12k tokens, you're cutting your maximum user count per Exchange server to a third of what you could fit on the server at 4k tokens (not counting other issues that would limit the Exchange server). Toss in other applications that leverage Exchange (instant messaging, some voicemail systems, BlackBerry type services, etc...) and your users are using 6-10 tokens and they're 12k per user... potentially cutting your user count on an Exchange server down to 1500-2000 per server before things start getting ugly. Keep your token sizes (and security group memberships) under control and you should be able to keep the Exchange user count per server up closer to 4k+.

Also, there is an absolute number of SIDs that a user token can handle before the userID will break (which isn't pretty), regardless of whether they're security groups or distribution list groups. Read the following:

(token SID limitation) http://www.microsoft.com/downloads/details.aspx?FamilyID=22dd9251-0781-42e6-9346-89d577a3e74a&DisplayLang=en
(Exchange issues with token size and paged pool memory) http://support.microsoft.com/kb/912376
(good article about Exchange related token information) http://msexchangeteam.com/archive/2005/12/07/415733.aspx

Matt

On 7/11/06, Paul Williams <[EMAIL PROTECTED]> wrote:

You might also want to review this interesting white paper:
-- http://www.microsoft.com/downloads/details.aspx?FamilyID=22dd9251-0781-42e6-9346-89d577a3e74a&DisplayLang=en
(that took me ages to find so please read it ;-)

--Paul

----- Original Message -----
From: Kurt Falde
To: ActiveDir@mail.activedir.org
Sent: Tuesday, July 11, 2006 2:24 AM
Subject: RE: [ActiveDir] Kerberos MaxTokenSize and too many groups issues

Tokensz
http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&DisplayLang=en

Kurt Falde

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Freddy HARTONO
Sent: Monday, July 10, 2006 9:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos MaxTokenSize and too many groups issues

Hi all

Have a badly designed application which is tapping on AD memberships for its grouping rights and user memberships to define their roles and permissions, and today found out that one of the users is unable to access the application, but standard logon access to Exchange mailbox etc. is working fine. Digging further I'm seeing quite a few errors in the event log (details below) - then did a registry key of MaxTokenSize as below and everything seems to work fine. Also prior to this, running gpresult on the machine doesn't give any result at all.

Question - I was under the assumption that this applies to Win 2000 only, not XP or 2003, but apparently this does? Also if I remember correctly there's a command or tool to calculate the token size of a user; anybody has that tool again pls?

MaxTokenSize regkey
http://support.microsoft.com/?id=263693

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 7/7/2006
Time: 5:07:09 AM
User: NT AUTHORITY\SYSTEM
Computer: XX
Description:
Windows cannot determine the user or computer name. Return value (14).

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
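As an added example, not code from the thread or from any of the posters: a PowerShell script that puts numbers behind the advice above. It counts the group SIDs in the current logon token, estimates the token size, reads the MaxTokenSize value (the registry key from KB 263693, absent meaning the 12000-byte default the thread calls "12k"), and works out the rough Exchange users-per-server ceiling from the 150MB paged-pool budget and the 6-10 tokens per user that Matt quotes. The byte weights (1200 bytes fixed, 40 bytes per domain-local, foreign-universal or SIDHistory SID, 8 bytes per global group in the user's own domain) are Microsoft's published sizing formula, not the thread's; the script costs every SID at 40 bytes because group scope is not visible from the token alone, which also matches the thread's "80 groups per 4k" rule of thumb.

```powershell
# Added example (not from the thread): estimate Kerberos token size against MaxTokenSize
# and turn the thread's paged-pool arithmetic into a users-per-server estimate.
# Weights follow Microsoft's published formula TokenSize = 1200 + 40d + 8s, where
#   d = domain-local groups + universal groups from other domains + SIDHistory entries
#   s = global/universal groups from the user's own domain
# The 150 MB paged-pool budget and 6-10 tokens per user are the thread's rough figures.

function Get-TokenSizeEstimate {
    param(
        [int]$FortyByteSids,        # d: costed at 40 bytes each
        [int]$EightByteSids = 0     # s: costed at 8 bytes each
    )
    return 1200 + (40 * $FortyByteSids) + (8 * $EightByteSids)
}

function Get-ConfiguredMaxTokenSize {
    # MaxTokenSize lives under the Kerberos parameters key (KB 263693). If it is not set,
    # Windows 2000 SP2 through Server 2003 use 12000 bytes; Windows 8 / Server 2012 and
    # later default to 48000, so adjust the fallback if you run this on newer systems.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $value = (Get-ItemProperty -Path $key -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
    if ($null -eq $value) { return 12000 }
    return [int]$value
}

function Get-CurrentUserTokenEstimate {
    # The logon token already contains every group SID resolved at logon, nested groups
    # included, so its count is what actually drives token size. Scope is not known from
    # the SID alone, so every SID is charged 40 bytes: a conservative upper bound.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sidCount = @($identity.Groups).Count
    return [pscustomobject]@{
        User          = $identity.Name
        GroupSids     = $sidCount
        EstimateBytes = Get-TokenSizeEstimate -FortyByteSids $sidCount
        MaxTokenSize  = Get-ConfiguredMaxTokenSize
    }
}

function Get-ExchangeUserCapacityEstimate {
    # Users-per-server ceiling if every user holds TokensPerUser tokens of TokenBytes each
    # and only PagedPoolForTokensMB of paged pool is available for them (thread's estimate).
    param(
        [int]$TokenBytes,
        [int]$TokensPerUser = 1,
        [int]$PagedPoolForTokensMB = 150
    )
    return [int][math]::Floor(($PagedPoolForTokensMB * 1MB) / ($TokenBytes * $TokensPerUser))
}

# Usage: report the current user and warn when the estimate is within 10% of the limit.
$report = Get-CurrentUserTokenEstimate
$report | Format-List
if ($report.EstimateBytes -gt (0.9 * $report.MaxTokenSize)) {
    Write-Warning ("Token estimate {0} bytes is close to MaxTokenSize {1}; trim group memberships before raising the limit." -f $report.EstimateBytes, $report.MaxTokenSize)
}

# Capacity view: the thread's 12k-token, 8-tokens-per-user case next to the 4k-token case.
Get-ExchangeUserCapacityEstimate -TokenBytes 12000 -TokensPerUser 8
Get-ExchangeUserCapacityEstimate -TokenBytes 4000  -TokensPerUser 8
```

Run it in the context of the user who cannot reach the application, since the token being measured is that logon's token, and compare the GroupSids count with what Tokensz reports if you have it. The two capacity calls reproduce the thread's figures: 150 MB over 12000 bytes times 8 tokens is about 1,600 users (the "1500-2000" range), while 4000-byte tokens give roughly three times that (the "4k+").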
Re: [ActiveDir] Kerberos MaxTokenSize and too many groups issues
You might also want to review this interesting white paper:
-- http://www.microsoft.com/downloads/details.aspx?FamilyID=22dd9251-0781-42e6-9346-89d577a3e74a&DisplayLang=en
(that took me ages to find so please read it ;-)

--Paul

----- Original Message -----
From: Kurt Falde
To: ActiveDir@mail.activedir.org
Sent: Tuesday, July 11, 2006 2:24 AM
Subject: RE: [ActiveDir] Kerberos MaxTokenSize and too many groups issues

Tokensz
http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&DisplayLang=en

Kurt Falde

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Freddy HARTONO
Sent: Monday, July 10, 2006 9:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos MaxTokenSize and too many groups issues

Hi all

Have a badly designed application which is tapping on AD memberships for its grouping rights and user memberships to define their roles and permissions, and today found out that one of the users is unable to access the application, but standard logon access to Exchange mailbox etc. is working fine. Digging further I'm seeing quite a few errors in the event log (details below) - then did a registry key of MaxTokenSize as below and everything seems to work fine. Also prior to this, running gpresult on the machine doesn't give any result at all.

Question - I was under the assumption that this applies to Win 2000 only, not XP or 2003, but apparently this does? Also if I remember correctly there's a command or tool to calculate the token size of a user; anybody has that tool again pls?

MaxTokenSize regkey
http://support.microsoft.com/?id=263693

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 7/7/2006
Time: 5:07:09 AM
User: NT AUTHORITY\SYSTEM
Computer: XX
Description:
Windows cannot determine the user or computer name. Return value (14).

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
RE: [ActiveDir] Kerberos MaxTokenSize and too many groups issues
Tokensz
http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&DisplayLang=en

Kurt Falde

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Freddy HARTONO
Sent: Monday, July 10, 2006 9:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos MaxTokenSize and too many groups issues

Hi all

Have a badly designed application which is tapping on AD memberships for its grouping rights and user memberships to define their roles and permissions, and today found out that one of the users is unable to access the application, but standard logon access to Exchange mailbox etc. is working fine. Digging further I'm seeing quite a few errors in the event log (details below) - then did a registry key of MaxTokenSize as below and everything seems to work fine. Also prior to this, running gpresult on the machine doesn't give any result at all.

Question - I was under the assumption that this applies to Win 2000 only, not XP or 2003, but apparently this does? Also if I remember correctly there's a command or tool to calculate the token size of a user; anybody has that tool again pls?

MaxTokenSize regkey
http://support.microsoft.com/?id=263693

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 7/7/2006
Time: 5:07:09 AM
User: NT AUTHORITY\SYSTEM
Computer: XX
Description:
Windows cannot determine the user or computer name. Return value (14).

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785