

Incomplete or Truncated Search Results When Searching for or Importing more than 20000 Users in CA IdentityMinder or RCM

Symptom:

When I search for more than 20000 users in CA IdentityMinder, or try to import more than 20000 users into CA Role and Compliance Manager, the search results only display a maximum of 20000 users. I am using Active Directory 2008 R2 as a data store.

Solution:

Microsoft has imposed hard-coded LDAP query limits of 20000 for MaxPageSize and 5,000 for MaxValRange. As a result, the maximum number of users an LDAP query can return is 20000, and the maximum number of attributes a query can return is 5,000.

Note: For more information, see Windows Server 2008 R2 or Windows Server 2008 domain controller returns only 5000 attributes in a LDAP response at:
http://support.microsoft.com/kb/2009267

To resolve the problem, do the following:

  1. If you have Active Directory 2003, 2008, or 2008 R2, set the Active Directory max page size to a value high enough for the number of users you have.

    Note: For more information on setting the max page size, see:

    http://support.microsoft.com/kb/315071

  2. If you have Active Directory 2008 R2, modify the dSHeuristics attribute in Active Directory.

    Note: For more information about modifying the dSHeuristics attribute in Active Directory, see:

    http://blogs.technet.com/b/qzaidi/archive/2010/09/02/override-the-hardcoded-ldap-query-limits-introduced-in-windows-server-2008-and-windows-server-2008-r2.aspx
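
The dSHeuristics string also carries unrelated directory settings (for example, character 7 controls anonymous LDAP operations), so pasting a fixed value over an existing one can silently change them. The following is an added example, not CA or Microsoft code: it sets only character 18, which MS-ADTS defines as fLDAPBypassUpperBoundsOnLimits, and keeps every other character. The function name `New-DsHeuristicsValue` is hypothetical, and the write is left commented out so the computed value can be reviewed first.

```powershell
# Added example (not from the original page). Assumes the ActiveDirectory
# module and rights to edit the forest's Configuration partition.
function New-DsHeuristicsValue {
    param(
        [string]$Current = '',   # existing dSHeuristics value; empty if unset
        [int]$Position   = 18,   # 1-based; 18 = fLDAPBypassUpperBoundsOnLimits
        [char]$Value     = '1'
    )
    if ($Current -notmatch '^[0-9a-fA-F]*$') {
        throw "Unexpected dSHeuristics value: '$Current'"
    }
    if ($Position -lt 1 -or $Position % 10 -eq 0) {
        throw "Position $Position is out of range or a reserved marker"
    }
    # Pad with '0' (default) up to the target position; never truncate.
    $len   = [Math]::Max($Current.Length, $Position)
    $chars = $Current.PadRight($len, '0').ToCharArray()
    $chars[$Position - 1] = $Value
    # Characters 10, 20, ... are length markers and must be '1', '2', ...
    for ($i = 10; $i -le $chars.Length; $i += 10) {
        $chars[$i - 1] = [char](48 + $i / 10)
    }
    -join $chars
}

Import-Module ActiveDirectory
$config = (Get-ADRootDSE).configurationNamingContext
$dn     = "CN=Directory Service,CN=Windows NT,CN=Services,$config"
$old    = (Get-ADObject -Identity $dn -Properties dSHeuristics).dSHeuristics
$new    = New-DsHeuristicsValue -Current $old

# Review both values before writing; record $old so it can be restored.
"Current dSHeuristics : '$old'"
"Proposed dSHeuristics: '$new'"

# Constructed check: an existing value with character 7 set keeps that setting.
#   New-DsHeuristicsValue -Current '0000002'  ->  000000200100000001
#   New-DsHeuristicsValue -Current ''         ->  000000000100000001

# Uncomment to apply after review:
# Set-ADObject -Identity $dn -Replace @{ dSHeuristics = $new }
```

Removing the upper bounds lets any client that can query the directory request very large result sets, so keep MaxPageSize no higher than the import actually needs and watch domain controller load after the change.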