
I fixed an issue yesterday where a 2008 R2 machine did not want to communicate with the DC. I discovered warnings in the event log relating to the Kerberos buffer, so I increased the size in the registry and rebooted the server, voila, issue resolved. The issue was, I was unable to open ADUC from the 2008 R2 machine (which is NOT a DC) and got access denied messages.

However, now I am thinking for the future. I know the buffer size was increased to 48k for 2012, but how does that translate in regards to the max groups users can be a member of?

I would like to plan ahead and not have this issue happen again, so this is why I ask.

In my AD, I have a LOT of groups, and there are many group nestings as well. I have read something about using LDAP so you don't kill your AD with huge queries. Can someone please elaborate on this as well?

Michael

2 Answers

Active Directory: A user cannot be in more than 1015 groups.

http://markparris.co.uk/category/microsoft/active-directory/troubleshooting/

In any Microsoft Active Directory forest, a user can only be a member of 1024 groups, but after allowing for up to 9 well-known SIDs this number is actually 1015. See KB http://support.microsoft.com/kb/328889

markparris

Actually the max value for MaxTokenSize is 65,535 and has been for many years. It is the default value that was increased to 48k in Windows Server 2012.

Create a registry policy preference in your default domain policy and set it to 65535.

Key:  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters  
Value: MaxTokenSize  
Value Type: REG_DWORD  
Value Data: 65535 (decimal) 0xFFFF (hex)  

http://blogs.technet.com/b/shanecothran/archive/2010/07/16/maxtokensize-and-kerberos-token-bloat.aspx

Estimating token size:

  • 1400 bytes overhead (varies depending on DNS domain name, client name, security package)
  • 8 bytes for each well-known builtin security identifier (Everyone, Users, Network, etc.)
  • 8 bytes for each global security group and universal security group in their domain
  • 40 bytes for each domain local group, sIDHistory entry, user SID, user's primary group, and universal security group outside their domain
  • Multiply by 2 (double the token size) if the account is configured for "trusted for delegation".

Starting with Windows Server 2012, the domain controller can perform SID compression, which will further reduce the size of the token. This also makes it more difficult to calculate.

http://blogs.technet.com/b/askds/archive/2012/09/12/maxtokensize-and-windows-8-and-windows-server-2012.aspx

Greg Askew
  • Greg, I know *how* the process works to do that already. I am just trying to figure out what is the max number of groups, now that the default value has been increased. Is there some calculation to determine the maximum number of groups you can have before you run into this issue again, potentially on 2012 R2 servers? – Michael Oct 27 '15 at 17:07
  • There isn't a straightforward correlation between group count and token size. I added information about how it is calculated to the answer. – Greg Askew Oct 27 '15 at 17:52
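The byte costs from Greg Askew's estimate, worked through as an added example (not code from either answer or from Microsoft), so you can see how many groups fit under a given MaxTokenSize; it assumes the 9 well-known SIDs and 1015-group limit from the other answer, a pre-2012 default of 12000 bytes (not stated in this thread), and ignores the SID compression that 2012+ DCs apply.

```python
# Constructed estimator built from the per-entry byte costs quoted in the answer above.
OVERHEAD_BYTES = 1400        # fixed overhead (varies with DNS domain name, client name, package)
SMALL_SID_BYTES = 8          # well-known/builtin SIDs, global and same-domain universal groups
LARGE_SID_BYTES = 40         # domain local, sIDHistory, user SID, primary group, foreign universal
MAX_GROUPS_PER_USER = 1015   # hard AD limit quoted in the other answer
WELL_KNOWN_SIDS = 9          # "up to 9 well known SIDs" from the other answer
# 12000 is the pre-2012 default (assumed here, not stated in the thread); 48000 and 65535 are from the answer.
TOKEN_LIMITS = {"pre-2012 default": 12000, "2012+ default": 48000, "maximum": 65535}


def estimate_token_size(well_known, small_groups, large_groups, trusted_for_delegation=False):
    """Estimate the Kerberos token size in bytes from SID counts.

    The user's own SID and primary group always cost one 40-byte entry each,
    so they are added on top of the large_groups count. SID compression is ignored.
    """
    size = OVERHEAD_BYTES
    size += SMALL_SID_BYTES * (well_known + small_groups)
    size += LARGE_SID_BYTES * (large_groups + 2)  # +2: user SID and primary group
    return size * 2 if trusted_for_delegation else size


def max_groups_within(max_token_size, per_group_bytes, well_known=WELL_KNOWN_SIDS,
                      trusted_for_delegation=False):
    """Largest group count (every group costing per_group_bytes) whose estimate stays
    within max_token_size, capped at the 1015-group AD limit."""
    budget = max_token_size // 2 if trusted_for_delegation else max_token_size
    fixed = OVERHEAD_BYTES + SMALL_SID_BYTES * well_known + LARGE_SID_BYTES * 2
    if budget < fixed:
        return 0
    return min(MAX_GROUPS_PER_USER, (budget - fixed) // per_group_bytes)


def main():
    # Constructed sample user: 100 global groups, 50 domain local groups.
    for delegated in (False, True):
        est = estimate_token_size(WELL_KNOWN_SIDS, 100, 50, delegated)
        print(f"delegation={delegated}: ~{est} bytes for 150 groups")
        # Worst case (all 40-byte groups) vs best case (all 8-byte groups) per limit.
        for name, limit in TOKEN_LIMITS.items():
            worst = max_groups_within(limit, LARGE_SID_BYTES, trusted_for_delegation=delegated)
            best = max_groups_within(limit, SMALL_SID_BYTES, trusted_for_delegation=delegated)
            print(f"  {name} ({limit}): {worst} domain-local-only .. {best} global-only groups")


if __name__ == "__main__":
    main()
```

The spread between the worst-case and best-case columns is why there is no single "max groups" number: the same 500 groups can fit comfortably or blow a 12000-byte token depending on scope and delegation.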