Active Directory to eDirectory Group synchronization is limited to 5000 members

  • 3616577
  • 30-Nov-2007
  • 15-Jul-2020

Environment

Novell Identity Manager 4.x
Novell Identity Manager 3.5.1
Novell Identity Manager 3.5
Novell Identity Manager 3.0
Novell Identity Manager Driver - Active Directory Driver
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Server

Situation

Active Directory groups that contain more than 5000 members cannot be fully published (synchronized) to eDirectory: the member list is truncated to 5000 values during the Publisher polling cycle, and every member beyond the first 5000 is dropped from the Identity Vault copy of the group.
Migrating the group into the Identity Vault brings the member lists into sync temporarily, but any subsequent modification of the group in Active Directory causes the group to be truncated to 5000 members in the Identity Vault again.

Search: Users/members being lost from large groups

Resolution

In the driver configuration, under Driver Parameters > Advanced Options, set Enable DirSync Incremental Values to Yes. The driver then requests and synchronizes only the member values that changed during the poll interval (users added to or removed from the group) instead of re-reading the whole member list, so the 5000-value ceiling is never reached. This setting requires the Active Directory forest to be at the Windows Server 2003 forest functional level or later (see Additional Information).

Additional Information

This issue is caused by a limitation of Microsoft's DirSync LDAP control (LDAP_SERVER_DIRSYNC_OID, 1.2.840.113556.1.4.841). Active Directory returns at most 5000 values of a multi-valued attribute in a DirSync response. This is a hard limit in Active Directory; it is not governed by the MaxValRange setting of the domain controller's LDAP policy (see ntdsutil.exe), so raising MaxValRange does not help.

For forests and domains operating at the Windows Server 2003 functional level or later, the driver's use of the DIRSYNC_LDAP_INCREMENTAL_VALUES control flag (Microsoft's LDAP_DIRSYNC_INCREMENTAL_VALUES) resolves the issue. This support was introduced in IDM 3.5 AD Driver Patch 1 (20070601), which has since been superseded by the IDM 3.5.1 and later downloads.

With the Incremental Values server control the Active Directory driver asks for, and receives, only the changed values of an attribute such as a group's member attribute. It therefore no longer has to re-synchronize the entire member list on every change and no longer runs into the 5000-value DirSync limit.
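The two response shapes described above, as an added example that is not part of the original TID or of the AD driver's own code: a small Python routine that folds one DirSync result entry for a group into a local copy of the member list. It assumes the caller has already run the LDAP search with the DirSync control and passes one result entry as a dict of attribute name to values. In incremental mode Active Directory reports added values under the attribute "member;range=1-1" and removed values under "member;range=0-0" (the documented behaviour of the LDAP_DIRSYNC_INCREMENTAL_VALUES flag); in the default mode the whole "member" attribute comes back, capped at 5000 values. The group, member DNs and poll scenario are constructed sample data.

```python
"""Apply one Active Directory DirSync result for a group to a local member set.

Two response shapes are handled:
  * default (full) mode: the whole 'member' attribute is returned, and AD caps
    a multi-valued attribute in a DirSync response at 5000 values
  * incremental mode (LDAP_DIRSYNC_INCREMENTAL_VALUES): only the changed
    values come back, tagged 'member;range=1-1' (added) and
    'member;range=0-0' (removed)
"""
from __future__ import annotations

from dataclasses import dataclass

# Hard ceiling Active Directory applies to multi-valued attributes in a
# DirSync response; it is not governed by the LDAP policy's MaxValRange.
DIRSYNC_VALUE_CAP = 5000


@dataclass(frozen=True)
class SyncResult:
    members: frozenset[str]
    mode: str          # "full", "incremental" or "unchanged"
    truncated: bool    # a full-mode response hit the DirSync value ceiling


def apply_dirsync_entry(current: set[str], entry: dict[str, list[str]],
                        attr: str = "member") -> SyncResult:
    """Fold one DirSync search entry into the vault's copy of the member list.

    ``entry`` maps LDAP attribute names, range tag included, to their values.
    LDAP attribute names are case-insensitive, so keys are normalised first.
    """
    norm = {k.lower(): list(v) for k, v in entry.items()}
    attr = attr.lower()
    added = norm.get(f"{attr};range=1-1")
    removed = norm.get(f"{attr};range=0-0")

    if added is not None or removed is not None:
        # Incremental mode: apply only the delta; the list size is unbounded.
        members = set(current)
        members.update(added or ())
        members.difference_update(removed or ())
        return SyncResult(frozenset(members), "incremental", False)

    if attr in norm:
        # Full mode: the response replaces the whole list. Exactly 5000 values
        # is ambiguous (the group may really have 5000 members), so flag it
        # rather than refuse it; the caller should treat the result as suspect.
        values = norm[attr]
        truncated = len(values) >= DIRSYNC_VALUE_CAP
        return SyncResult(frozenset(values), "full", truncated)

    # The object changed, but not its member attribute.
    return SyncResult(frozenset(current), "unchanged", False)


def build_group_dns(n: int) -> list[str]:
    """Constructed sample member DNs (not real directory data)."""
    return [f"CN=user{i:05d},OU=Users,DC=example,DC=com" for i in range(n)]


def demo() -> tuple[SyncResult, SyncResult]:
    """Constructed scenario: a 6000-member group already held in the vault."""
    vault = set(build_group_dns(6000))

    # Default mode after any change to the group: AD hands back only the
    # first 5000 member values, so a naive replace would drop 1000 users.
    full_entry = {"member": build_group_dns(6000)[:DIRSYNC_VALUE_CAP]}

    # Incremental mode for a poll in which one user joined and one left.
    incr_entry = {
        "member;range=1-1": ["CN=newhire,OU=Users,DC=example,DC=com"],
        "member;range=0-0": ["CN=user00007,OU=Users,DC=example,DC=com"],
    }
    return apply_dirsync_entry(vault, full_entry), apply_dirsync_entry(vault, incr_entry)


if __name__ == "__main__":
    full, incr = demo()
    print(f"full mode:        {len(full.members)} members, truncated={full.truncated}")
    print(f"incremental mode: {len(incr.members)} members, truncated={incr.truncated}")
```

The point of the `truncated` flag is that the default mode fails silently: the response is a well-formed list of 5000 DNs, so a synchronizer that simply replaces the vault's member list has no error to react to. Checking for the ceiling is the only local signal that members were lost; enabling incremental values is what removes the problem.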

The following driver parameter must be added to the Access Options section of the AD driver configuration.
Current versions of the AD driver configuration (3.6 and higher) already include this parameter.

<definition display-name="Enable DirSync Incremental Values" hide="false"
            id="115" name="enable-incremental-values" type="enum">
  <description>Ordinarily the publisher will receive all member
  values of a group when one or more has changed. This option reports only
  the added or deleted member values during the poll interval. Requires 2003
  Forest functional mode.</description>
  <enum-choice display-name="Yes">yes</enum-choice>
  <enum-choice display-name="No">no</enum-choice>
  <value>yes</value>
</definition>