Active Directory can scale to the largest of infrastructures but it does have some limitations, some limits could take a long time to reach other and other limitations could be easily reached without realising.

This is what I have discovered so far.

Limitations.

Fully Qualified Domain Name (FQDN).

The Fully Qualified Domain Name (FQDN) of an object cannot exceed 64 characters.

Group Memberships.

Users, Groups and Computer accounts can be classified as Security Principals and as such Security Principals can be a member of approximately 1015 Groups. This is to do with access token size limitations.

Maximum Number of Users in a Group.

In Windows 2000 the recommended maximum number of members in a group was 5000. Starting with Windows Server 2003 FFL , this limited has been removed, due to Linked Value Replication (LVR). There is now no set limit for group memberships.

Maximum Number of Page Files.

16 whether the architecture is x86, x64, IA-64

Active Directory Objects.

All Domain Controllers can create nearly 2.15 billion (2 147 483 393) objects. The objects created can be originating locally or created via replication.

Security Identifiers (SIDS).

There is a limit of approximately 1 billion (1 073 741 823) Security Identifiers.

File Name Length

The maximum length of a file name including the path must not exceed 260 characters.

NetBIOS.

Computer and Domain names are limited to 15 characters.

Domain Name System (DNS).

DNS host names are limited to 24 characters.

Organisation Units (OU’s).

OU Names are limited to 64 characters.

Group Policy Objects (GPO’s).

The maximum number of GPO’s that can be applied to a user or computer account in total is 999.

Display Names

Display Names are limited to 256 characters in the schema.

Pre-Windows 2000 user logon name (SAM-Account-Name).

The SAM-Account-Name is limited to 256 characters in the schema – but hard coded to 20 characters to ensure backward compatibility.

Common Names

Common Names are limited to 64 characters in the schema.

Trust Limitations

Kerberos clients can traverse a maximum of 10 trust links to locate a requested resource in another domain.

LDAP Simple Bind operations

Limit the Distinguised Name (DN) of an object to 255 characters or less, else the bind operation will fail.

Recommended Maximum Number of Domains in a forest.

Windows 2000 = 800

Windows Server 2003 (at FFL 2) = 1200

Recommended Maximum Number of Domain Controllers in a Domain

Windows 2003 = 1200 (if you host Active Directory Integrated DNS and plan to exceed 800 DC’s – see KB267855)

Distributed File System – Namespaces(DFS-N) – Number of links per DFS namespace.

Windows Server 2003

Domain based DFS – 5000 Links
Stand alone DFS – 50000 Links

Windows Server 2008
Not Published/Not Tested

Posted by markparris

Microsoft MVP - Enterprise mobility.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s