Recently, by migrating from NetWare to Windows file servers, we have ended up creating a boatload of AD groups. We have now run into some problems with authenticating and gaining access to resources.
After some initial troubleshooting we have landed on the fact that Domain Admins is a member of too many groups (397 at the most recent count) and the Kerberos ticket size has gone over 12000 bytes (it is 13783) (Event ID 6). I found the following article, which seems to describe exactly what has happened and offers some suggestions as to how to fix it:
The aim is to bump the MaxTokenSize limit to 65535 in the registry. However, I can find no discussion of what the impact of this will be. Long term, the aim is to rationalize the creep in the number of groups, but short term this seems like a fix. Has anyone had any experience with this in the past, and are there any caveats we should be aware of before rolling this change out?
We are currently running at the Server 2008 domain and forest functional level, with all DCs being 64-bit VMs.
UPDATE: So after a bit more reading on this I can see that in Server 2012 the default MaxTokenSize is set to 48000. This looks like a sensible option for us to adopt. One thing I still can't seem to find info on is the likely impact of users having larger tokens. There is some suggestion that this will increase the memory usage on IIS servers, but does anyone know if this will be the case on DCs and member servers (i.e. 32-bit Citrix servers etc.)?
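The registry change the question discusses, worked through as an added PowerShell example (not code from the original post or from the linked article): it estimates a user's token size with the formula from Microsoft KB 327825 (TokenSize = 1200 + 40d + 8s, where d counts domain-local groups, universal groups from other domains and SID-history entries, and s counts global groups and universal groups in the account's own domain), counts the groups in the current logon token, reads and sets MaxTokenSize under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, and pulls recent Event ID 6 entries. The split of the question's 397 groups into 300 domain-local and 97 global groups is a hypothetical assumption for the calculation, and the Kerberos event provider name is assumed to be Microsoft-Windows-Security-Kerberos (the Vista-and-later name). Run it in an elevated PowerShell session.

```powershell
# Added example, not from the original post. Run as an administrator.
# Token size estimate per Microsoft KB 327825: TokenSize = 1200 + 40d + 8s
#   d = domain-local groups + universal groups outside the account domain + SID-history entries
#   s = global groups + universal groups in the account domain
# The 1200-byte overhead is an estimate; real ticket sizes vary with SID history and claims.

$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-EstimatedTokenSize {
    param(
        [int]$DomainLocalOrForeignUniversal,   # d
        [int]$GlobalOrLocalUniversal,          # s
        [int]$SidHistoryEntries = 0            # also counted at 40 bytes each
    )
    return 1200 + 40 * ($DomainLocalOrForeignUniversal + $SidHistoryEntries) + 8 * $GlobalOrLocalUniversal
}

function Get-TokenGroupCount {
    # Number of group SIDs in the current process token (includes well-known and local groups).
    return [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups.Count
}

function Get-CurrentMaxTokenSize {
    # Returns the configured value, or the pre-Server 2012 default of 12000 when the value is absent.
    $v = Get-ItemProperty -Path $KerbParams -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 12000 }
    return [int]$v.MaxTokenSize
}

function Set-MaxTokenSize {
    # 65535 is the absolute ceiling; 48000 is the Server 2012 default the question proposes.
    param([ValidateRange(12000, 65535)][int]$Bytes = 48000)
    if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
    New-ItemProperty -Path $KerbParams -Name MaxTokenSize -PropertyType DWord -Value $Bytes -Force | Out-Null
    # The value is per machine and is read when the Kerberos SSP initialises; reboot to be sure it applies.
}

function Get-TokenTooLargeEvents {
    # Event ID 6 ("output token ... too large to fit in the token buffer") in the System log.
    # Provider name is an assumption (Vista-and-later naming of the Kerberos source).
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 6 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Hypothetical split of the question's 397 groups: 300 domain-local + 97 global.
# 1200 + 40*300 + 8*97 = 13976 bytes, which is over the 12000-byte default, as in the question.
$estimate = Get-EstimatedTokenSize -DomainLocalOrForeignUniversal 300 -GlobalOrLocalUniversal 97
"Estimated token size: $estimate bytes; current MaxTokenSize: $(Get-CurrentMaxTokenSize) bytes"
"Groups in this session's token: $(Get-TokenGroupCount)"

if ($estimate -gt (Get-CurrentMaxTokenSize)) {
    Set-MaxTokenSize -Bytes 48000
    "MaxTokenSize now $(Get-CurrentMaxTokenSize); reboot for the change to take full effect"
}
Get-TokenTooLargeEvents
```

Two practical points when rolling this out: the value is machine-local, so it has to reach every DC, member server and Citrix host that builds or accepts the token (a Group Policy registry preference is the usual vehicle), and a larger Kerberos ticket also means a larger Authorization header, so IIS servers that do Kerberos authentication may additionally need the HTTP.sys MaxFieldLength and MaxRequestBytes values under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters raised; that is the reason Microsoft's guidance caps MaxTokenSize at 48000 rather than 65535 where Kerberos is used over HTTP.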