Does anyone know what the max length of the DN or RDN is on win08r2 or 08?

I searched the Internet and someone said:

RDN length * max tree search = DN length  <---- is it true?

Because I can't verify.

ref. http://technet.microsoft.com/en-us/library/cc977992.aspx

Florent
Chris Wong

3 Answers

For what it's worth, I just created a tree of nested OUs and Active Directory finally choked at 32768, which is 2^15 or the max value of a signed 16-bit integer.

I was able to then create a user within that OU, giving him a distinguished name that was slightly over 32768.

GUI tools such as Active Directory Users and Computers bomb out way before you reach this limit however. Such feats are only achievable programmatically.

Such a scenario is quite absurd in the real world, but you asked about the theoretical limit.

Ryan Ries

According to http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(v=ws.10).aspx, the maximum length of a DN is 255 characters.

akton
  • That's actually max DN length for the purposes of using it in the auth path. If you are just doing other LDAP operations over objects with DNs of this length (ex: search, mod, etc.) they should work a-ok. – Eric Fleischman Sep 04 '12 at 15:23
  • Where do you see that in that article? It does state that it is the max for simple LDAP binds, but not if you use a secure LDAP bind. –  Feb 15 '18 at 15:56
(Couldn't comment)

This would be interesting to have confirmed, and that in that case it is also valid for authentication. Quite interesting why, if it works.

http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(v=ws.10).aspx#BKMK_NameLimits

"You can avoid this issue by ensuring that the applications, scripts, and utilities that attempt to bind to your directory use secure LDAP binds."

gojj
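An added example, not part of any answer above: a Python sketch that audits an LDIF export for DNs longer than the 255-character figure quoted for simple LDAP binds, undoing LDIF line folding and base64 `dn::` encoding so long DNs are measured whole. The sample export, the `example.test` names and the choice to count characters rather than bytes are assumptions made for the illustration.

```python
import base64

SIMPLE_BIND_DN_LIMIT = 255  # figure quoted in the answer above; counted in characters here

def unfold(ldif_text):
    """Undo LDIF folding: a line that starts with one space continues the previous line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def iter_dns(ldif_text):
    """Yield every entry DN, decoding the base64 'dn::' form used for non-ASCII names."""
    for line in unfold(ldif_text):
        if line.startswith("dn:: "):
            yield base64.b64decode(line[5:]).decode("utf-8")
        elif line.startswith("dn: "):
            yield line[4:]

def rdn_count(dn):
    """Count RDNs by splitting on commas that are not backslash-escaped."""
    count, escaped = 1, False
    for ch in dn:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            count += 1
    return count

def audit(ldif_text, limit=SIMPLE_BIND_DN_LIMIT):
    """Return (length, rdn_count, dn) for each DN longer than `limit` characters."""
    return [(len(dn), rdn_count(dn), dn) for dn in iter_dns(ldif_text) if len(dn) > limit]

def sample_ldif(width=76):
    """Constructed export: a short DN, a base64 DN, and a 30-level OU chain folded at 76 columns."""
    deep = "CN=Doe\\, Jane," + ",".join(f"OU=level-{i:02d}" for i in range(30)) + ",DC=example,DC=test"
    line = "dn: " + deep
    folded = [line[:width]] + [" " + line[i:i + width - 1] for i in range(width, len(line), width - 1)]
    b64 = "dn:: " + base64.b64encode("CN=Zo\u00eb,DC=example,DC=test".encode("utf-8")).decode("ascii")
    return "\n".join(["dn: CN=short,DC=example,DC=test", "objectClass: user", "", b64, "",
                      *folded, "objectClass: user", ""])

if __name__ == "__main__":
    for length, depth, dn in audit(sample_ldif()):
        print(f"{length} chars, {depth} RDNs: {dn[:60]}...")
```

Measuring only the first physical line of a folded `dn:` attribute would under-report every long DN, which is why the unfolding step comes first.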