FIM R2 - best practice handling large AD groups

  • Question

  • On attempting to create a large security group (with 35k users) in AD, I get "dropped connection from the domain controller".

    The MS AD guy we have attached here tells me that there are some limitations on LDAP and even some known issues with writing 5k+ objects to a DC.

    Are there any "best practices" for writing large groups to AD?

    /Nicolai

    Monday, February 10, 2014 12:20 PM

Answers

  • Well, that is a large group indeed, and I would say most organizations use nested groups instead of adding these behemoths to the directory as they are quite difficult to work with.  If it's a one-time thing, you could create it manually in bite-sized chunks with LDIF or the like, so that FIM only has to do small delta changes afterwards.

    The 5,000 member limit mostly applies to groups prior to the change to linked value storage.  What is your forest functional level, and have you verified that this group is using linked values?


    Steve Kradel, Zetetic LLC

    • Marked as answer by Niksen Tuesday, February 11, 2014 4:13 PM
    Monday, February 10, 2014 7:54 PM

All replies

  • Most of the time you can just increase the timeout of the export. Though unfortunately, to get the initial sync out of the way, I've had to sometimes manually sync the users using PowerShell to get the ComputedMember value of the group from the FIM service then put each member into the directory manually, typically in smaller batches of 100-500 users.
    Monday, February 10, 2014 8:02 PM
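    Added example (not code from the thread, from FIM or from the posters): one way to do the batched membership write described in the reply above, in chunks of the 100-500 members it mentions. It assumes the RSAT ActiveDirectory module, a placeholder group DN and a text file of member DNs (for example exported from the FIM Service's ComputedMember list), and it first prints the forest functional level Steve asks about, since linked-value storage depends on it.

    ```powershell
    # Added example, not from the thread. Assumes the RSAT ActiveDirectory module
    # and an account allowed to modify the target group.
    Import-Module ActiveDirectory

    # Linked-value replication needs Windows Server 2003 forest functional level
    # or higher; check that before blaming the group size alone.
    Write-Host "Forest functional level: $((Get-ADForest).ForestMode)"

    function Add-MembersInBatches {
        param(
            [Parameter(Mandatory)] [string]$GroupIdentity,  # placeholder group DN
            [Parameter(Mandatory)] [string[]]$MemberDNs,    # DNs to add
            [int]$BatchSize = 250,                          # the 100-500 range from the reply
            [int]$MaxRetries = 3
        )
        # Re-read current members and drop those already present, so the script
        # can be re-run safely after a dropped connection mid-export.
        function Get-Pending {
            $current = @{}
            $g = Get-ADGroup -Identity $GroupIdentity -Properties member
            foreach ($m in $g.member) { $current[$m] = $true }
            return @($MemberDNs | Where-Object { -not $current.ContainsKey($_) })
        }
        $pending = Get-Pending
        $done = 0
        while ($pending.Count -gt 0) {
            $batch = $pending[0..([Math]::Min($BatchSize, $pending.Count) - 1)]
            $attempt = 0
            try {
                # One LDAP modify per batch rather than one for all members.
                Add-ADGroupMember -Identity $GroupIdentity -Members $batch -ErrorAction Stop
                $done += $batch.Count
                Write-Host ("Added {0} so far, {1} remaining" -f $done, ($pending.Count - $batch.Count))
                $pending = @($pending | Select-Object -Skip $batch.Count)
            } catch {
                $attempt++
                if ($attempt -ge $MaxRetries) { throw }
                Write-Warning "Batch failed ($($_.Exception.Message)); retry $attempt in 10s"
                Start-Sleep -Seconds 10
                $pending = Get-Pending   # a partially applied batch is not re-added
            }
        }
    }

    # Placeholder path: one member DN per line.
    $members = Get-Content -Path 'C:\temp\members.txt'
    Add-MembersInBatches -GroupIdentity 'CN=AllStaff,OU=Groups,DC=example,DC=com' -MemberDNs $members
    ```

    Because membership is re-read before each retry, a batch that was half-written when the DC dropped the connection is not re-added, and the FIM export afterwards only has delta changes to push.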
  • I was told this was more an issue with the way a DC handles LDAP queries than the groups themselves. Yes, they use linked values.

    I just find it a bit odd that the product group wouldn't have thought of handling such a scenario.

    OK, so pre-scripting it is. Thanks. I will attempt to increase the timeout as well, even though it is already at 600 seconds on the MA.

    Tuesday, February 11, 2014 3:57 PM