Active Directory Maximum Limits

I ran across a document from Microsoft that lists maximum limits for Active Directory. This document pertains to Windows 2000 Server and Windows Server 2003. There is no reference to Windows Server 2008 in the document. However, the majority of the limits also apply to Windows Server 2008.

Below is a summary of the maximums. The full details, including rationale, can be found here: http://technet.microsoft.com/en-us/library/cc756101.aspx.

  • Each domain controller in an Active Directory forest can create a little bit less than 2.15 billion objects during its lifetime.
  • There is a limit of approximately 1 billion security identifiers (SIDs) over the life of a domain.
  • Security principals can be members of a maximum of approximately 1,015 groups.
  • Fully qualified domain names (FQDNs) in Active Directory cannot exceed 64 characters in total length, including hyphens and periods (.).
  • The maximum length for the name of an organizational unit (OU) is 64 characters.
  • There is a limit of 999 Group Policy objects (GPOs) that you can apply to a user account or computer account.
  • Kerberos clients can traverse a maximum of 10 trust links to locate a requested resource in another domain.
  • When you write scripts or applications that perform Lightweight Directory Access Protocol (LDAP) transactions, the recommended limit is to perform no more than 5,000 operations per LDAP transaction.
  • For Windows 2000 Server, the recommended maximum number of domains in a forest is 800.
  • For Windows Server 2003, the recommended maximum number of domains when the forest functional level is set to Windows Server 2003 (also known as forest functional level 2) is 1,200.
  • Because the File Replication Service (FRS) is used to replicate SYSVOL in a Windows Server 2003 domain, a limit of 1,200 domain controllers per domain is recommended to ensure reliable recovery of SYSVOL.
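Two of the limits above are easy to hit silently: the ~1,015 effective group memberships per security principal (nested groups count, and exceeding it breaks logon and token creation) and the 10 trust links a Kerberos client will traverse. The script below is an added example, not from the original post or from Microsoft's document; it models a small constructed directory in plain Python dictionaries (standing in for data you would export from the directory), computes a principal's effective (transitively nested) group count, computes the number of trust hops between two domains, and reports any violations of the membership, FQDN-length and OU-name-length limits. All domain names, groups and users in it are made up.

```python
"""Offline checks against a few of the Active Directory limits listed above.

All directory data in this file is constructed for illustration only.
"""
from collections import deque

MAX_GROUP_MEMBERSHIPS = 1015   # approximate per-principal limit (nested count)
MAX_TRUST_HOPS = 10            # trust links a Kerberos client will traverse
MAX_FQDN_LEN = 64              # includes hyphens and periods
MAX_OU_NAME_LEN = 64

# Constructed sample: group -> set of direct members (users or other groups)
GROUP_MEMBERS = {
    "Domain Users": {"alice", "bob"},
    "Finance": {"alice", "Finance-Leads"},
    "Finance-Leads": {"bob", "Audit"},
    "Audit": {"alice"},
}

# Constructed sample: two-way trusts between domains (hypothetical names)
TRUSTS = [
    ("corp.example.com", "eu.corp.example.com"),
    ("corp.example.com", "us.corp.example.com"),
    ("us.corp.example.com", "lab.us.corp.example.com"),
    ("corp.example.com", "partner.example.net"),
]


def effective_groups(principal, group_members):
    """Return every group the principal belongs to, directly or through
    nested groups; this is the set that ends up in the access token.
    Breadth-first over a reverse index, so nested cycles terminate."""
    member_of = {}
    for group, members in group_members.items():
        for member in members:
            member_of.setdefault(member, set()).add(group)
    seen, queue = set(), deque([principal])
    while queue:
        current = queue.popleft()
        for group in member_of.get(current, ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def trust_hops(source, target, trusts):
    """Number of trust links between two domains (shortest path over the
    trust graph), or None when no trust path exists."""
    adjacent = {}
    for a, b in trusts:
        adjacent.setdefault(a, set()).add(b)
        adjacent.setdefault(b, set()).add(a)
    distance = {source: 0}
    queue = deque([source])
    while queue:
        domain = queue.popleft()
        if domain == target:
            return distance[domain]
        for neighbour in adjacent.get(domain, ()):
            if neighbour not in distance:
                distance[neighbour] = distance[domain] + 1
                queue.append(neighbour)
    return None


def check_limits(principal, group_members, fqdn, ou_name):
    """Collect limit violations as readable findings (empty list = clean)."""
    findings = []
    count = len(effective_groups(principal, group_members))
    if count > MAX_GROUP_MEMBERSHIPS:
        findings.append(f"{principal}: {count} effective group memberships "
                        f"exceeds {MAX_GROUP_MEMBERSHIPS}")
    if len(fqdn) > MAX_FQDN_LEN:
        findings.append(f"FQDN {fqdn!r} is {len(fqdn)} chars, limit {MAX_FQDN_LEN}")
    if len(ou_name) > MAX_OU_NAME_LEN:
        findings.append(f"OU name {ou_name!r} is {len(ou_name)} chars, "
                        f"limit {MAX_OU_NAME_LEN}")
    return findings


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, "->", sorted(effective_groups(user, GROUP_MEMBERS)))
    hops = trust_hops("lab.us.corp.example.com", "partner.example.net", TRUSTS)
    print("trust hops lab -> partner:", hops, "(limit", MAX_TRUST_HOPS, ")")
    # A constructed principal with 1,020 direct memberships trips the check
    bloated = {f"group-{i}": {"carol"} for i in range(1020)}
    for line in check_limits("carol", bloated, "corp.example.com", "Sales"):
        print("FINDING:", line)
```

Run it as-is to see the nested memberships resolved (alice picks up Finance-Leads via Audit) and the trust path counted; to use it on real data, replace the two sample dictionaries with group membership and trust relationships exported from your own directory.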
