Active Directory Limits

Ever wondered what the limits of Active Directory are?

  • Each domain controller in an Active Directory forest can create slightly fewer than 2.15 billion objects during its lifetime.
  • There is a limit of approximately 1 billion security identifiers (SIDs) over the life of a domain.
  • Security principals (that is, user, group, and computer accounts) can be members of a maximum of approximately 1,015 groups.
  • Fully qualified domain names (FQDNs) in Active Directory cannot exceed 64 characters in total length, including hyphens and periods (.).
  • The file system that Windows operating systems use limits file name lengths (including the path to the file name) to 260 characters.
  • The maximum length for the name of an organizational unit (OU) is 64 characters.
  • There is a limit of 999 Group Policy objects (GPOs) that you can apply to a user account or computer account.
  • When you write scripts or applications that perform Lightweight Directory Access Protocol (LDAP) transactions, the recommended limit is to perform no more than 5,000 operations per LDAP transaction.
  • For Windows 2000 Server, the recommended maximum number of domains in a forest is 800. For Windows Server 2003, the recommended maximum number of domains when the forest functional level is set to Windows Server 2003 (also known as forest functional level 2) is 1,200.
  • Because the File Replication Service (FRS) is used to replicate SYSVOL in a Windows Server 2003 domain, we recommend a limit of 1,200 domain controllers per domain to ensure reliable recovery of SYSVOL.
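As an added example that is not part of the original post: a PowerShell script that, for every user account in a naming context, counts the SIDs in the constructed tokenGroups attribute (the transitive security-group membership that the ~1,015 group limit above actually constrains) and flags accounts approaching it. It assumes a domain-joined host, read access to the accounts, and a constructed warning threshold of 900 that you can adjust.

```powershell
# Added example: find accounts whose transitive group membership is nearing
# the ~1,015 limit. tokenGroups is a constructed attribute, so it has to be
# fetched per object with RefreshCache rather than in the search result set.
param(
    [string]$SearchBase = "",   # defaults to the domain naming context below
    [int]$WarnAt = 900          # constructed threshold, below the ~1,015 limit
)

if (-not $SearchBase) {
    $SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext.Value
}

$root   = [ADSI]("LDAP://" + $SearchBase)
$finder = New-Object System.DirectoryServices.DirectorySearcher($root)
$finder.Filter   = "(&(objectCategory=person)(objectClass=user))"
$finder.PageSize = 1000          # paged search so large domains return fully
[void]$finder.PropertiesToLoad.Add("sAMAccountName")
[void]$finder.PropertiesToLoad.Add("distinguishedName")

$report = foreach ($hit in $finder.FindAll()) {
    $entry = $hit.GetDirectoryEntry()
    # Ask the DC to compute tokenGroups for this one object (base scope).
    $entry.RefreshCache(@("tokenGroups"))
    $sidCount = $entry.Properties["tokenGroups"].Count

    [pscustomobject]@{
        Account        = [string]$hit.Properties["samaccountname"][0]
        TokenGroupSids = $sidCount
        NearLimit      = ($sidCount -ge $WarnAt)
    }
}

# Highest membership counts first; NearLimit = $true deserves a cleanup review,
# since such accounts risk logon and Kerberos token-size failures.
$report | Sort-Object TokenGroupSids -Descending | Format-Table -AutoSize
```

Run it with an account that can read the target OUs; pass -SearchBase to scope it to one OU when the domain is large.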

