Back

Active Directory Limits: Maximum Objects, etc

Explore Active Directory's maximum limits for objects, trusts, and domain controllers. Learn how to scale your AD infrastructure efficiently.

3 min read
Published on Jul 22, 2009
Active Directory Limits: Maximum Objects, etc

Curious to the limits of Active Directory?  This shows the maximum specifications of active directory.

Maximum Number of Objects

Each domain controller in an Active Directory forest can create a little bit less than 2.15 billion objects during its lifetime.

Maximum Number of Security Identifiers

There is a limit of approximately 1 billion security identifiers (SIDs) over the life of a domain. This limit is due to the size of the global relative identifier (RID) pool of 30 bits that makes each SID (that is assigned to user, group, and computer accounts) in a domain unique. The actual limit is 230 or 1,073,741,823 RIDs.

Group Memberships for Security Principals

Security principals (that is, user, group, and computer accounts) can be members of a maximum of approximately 1,015 groups.

FQDN Length Limitations

Fully qualified domain names (FQDNs) in Active Directory cannot exceed 64 characters in total length, including hyphens and periods (.).

File Name Length Limitations

The file system that Windows operating systems uses limits file name lengths (including the path to the file name) to 260 characters.

Organizational Unit Name Length

The maximum length for the name of an organizational unit (OU) is 64 characters.

Maximum Number of Group Policy Objects Applied

There is a limit of 999 Group Policy objects (GPOs) that you can apply to a user account or computer account.

Trust Limitations

Trust limitations arise from the number of trusted domain objects (TDOs), the length of trust paths, and the ability of clients to discover available trusts. Limitations that apply include the following:

  • Kerberos clients can traverse a maximum of 10 trust links to locate a requested resource in another domain. If the trust path between the domains exceeds this limit, the attempt to access the domain fails.
  • When a client searches out a trust path, the search is limited to the trusts that are established directly with a domain and the trusts that are transitive within a forest.
  • Previous testing has shown that the time to complete operations related to TDOs, such as authentication across domains, deteriorates noticeably if the Active Directory implementation in an organization contains more than 2,400 TDOs.

Maximum Number of Accounts per LDAP Transaction

When you write scripts or applications that perform Lightweight Directory Access Protocol (LDAP) transactions, the recommended limit is to perform no more than 5,000 operations per LDAP transaction.

Recommended Maximum Number of Users in a Group

For Windows 2000 Active Directory environments, the recommended maximum number of members in a group is 5,000. This recommendation is based on the number of concurrent atomic changes that can be committed in a single database transaction.

So far, testing in this area has yet to reveal any new recommended limits to the number of members in a group or any other linked multi-valued attribute. Production environments have been reported to exceed 4 million members, and Microsoft scalability testing reached 500 million members.

Recommended Maximum Number of Domains in a Forest

For Windows 2000 Server, the recommended maximum number of domains in a forest is 800. For Windows Server 2003, the recommended maximum number of domains when the forest functional level is set to Windows Server 2003 (also known as forest functional level 2) is 1,200.

Recommended Maximum Number of Domain Controllers in a Domain

Because the File Replication Service (FRS) is used to replicate SYSVOL in a Windows Server 2003 domain, we recommend a limit of 1,200 domain controllers per domain to ensure reliable recovery of SYSVOL.

Recommended Maximum Kerberos Settings

The maximum recommended size for a Kerberos ticket is 65,535 bytes.

Posted from: Fabricem blog’s (aka Iceman) : Active Directory Maximum Limits - Scalability

Please check us out for your Managed Service or Cloud Consulting needs.

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.

Related Posts

Standard Form SF-XX: A Contractor’s Guide to FAR Compliance

Standard Form SF-XX in FAR Contracts: What Contractors Need to Know

Understand the role of Standard Form SF-XX in FAR contracts. Learn how to complete it, key compliance requirements, and why it matters for government contractors.

Aug 25, 2025
6 min read
Why Hire an MSP to Manage CUI Compliance

Why Hire an MSP to Manage CUI Compliance?

Discover how hiring an MSP to manage CUI compliance streamlines security, meets DFARS and NIST 800-171 requirements, and reduces internal IT burden.

Aug 23, 2025
9 min read
What is FAR CUI and How Does It Affect Contractors?

The FAR CUI: What It Means for Contractors and How to Stay Compliant

Learn about the FAR CUI, its security requirements, and how it impacts federal contractors. Understand the key compliance measures and steps to align with Federal Acquisition Regulation (FAR) guidelines.

Aug 22, 2025
8 min read
What Is Cloud Backup for Microsoft 365 and Azure?

What Is Cloud Backup for Microsoft 365 and Azure?

Learn what cloud backup means for Microsoft 365 and Azure, why native retention isn't enough, and how secure backups protect your critical data.

Aug 21, 2025
6 min read
What Are the Requirements for FAR CUI Compliance?

Understanding the Requirements for FAR CUI Compliance

Learn the key requirements for FAR CUI compliance, including security controls, NIST 800-171 guidelines, and who needs to comply with the Federal Acquisition Regulation (FAR).

Aug 20, 2025
6 min read
GCC High Migration Project Timeline & Phases

Timeline and Phases of a GCC High Migration Project

Discover the timeline and core phases of a successful GCC High migration project—from planning and validation to execution and post-migration governance.

Aug 15, 2025
7 min read

Ready to Secure and Defend Your Data
So Your Business Can Thrive?

Fill out the form to see how we can protect your data and help your business grow.

Loading...
Secure. Defend. Thrive.

Let's start a conversation

Discover more about Agile IT's range of services by reaching out.

Don't want to wait for us to get back to you?

Schedule a Free Consultation

Location

Agile IT Headquarters
4660 La Jolla Village Drive #100
San Diego, CA 92122

Secure. Defend. Thrive.

Don't want to wait for us to get back to you?

Discover more about Agile IT's range of services by reaching out

Schedule a Free Consultation