Object limits in Exchange 2000/2003
Will this affect you?
Probably not unless you're in a huge environment, but conversations with my customer on this matter has led me to the conclusion that there are multiple points of confusion on the topic. An attempt to find detailed documentation frustrated me. It was there. I had seen it. But I couldn't find it now.
What are the limits in an Exchange organization?
- 1000 Exchange servers
- 1000 Administrative Groups
- 100 domains
- 1000 connectors in a Routing Group
Why is there a limit?
Active Directory, by default, is confugured with a maximum page size of 1000 for any LDAP request. So, in a default configuration, if we have 1001 objects that would be returned by the LDAP query, the query will return no results. We can potentially encounter performance issues prior to hitting the 1000 object limit (depending on your environment's design), but the hard limit is 1000.
But wait, I can modify the MaxPageSize value for LDAP using NTDSUtil!
Yes. Yes, you can. But there are still problems. There are possible performance issues with other LDAP applications that might be running against your domain controllers. But the bottom line is that there are Exchange-specific issues with making the modification. Microsoft doesn't recommend or support making the change for good reasons. It will break some Exchange functions.
Well, if there's nothing that I can do about it, then at least help me understand the limit...
Now, that's what I'm talking about. This is where some of the confusion tends to set in. We'll work backwards and hit the easy ones first...
- 1000 connectors in a Routing Group
Two things to remember here.
First, if I have a Routing Group Connector (or any kind of connector) between RoutingGroup1 and RoutingGroup2, then it actually gets counted twice. Once for each direction.
Second, third party connectors count as well. So we're not just talking about your basic mail flow connectors. We're talking about fax or any other kind of connector too.
Fact is that since this is 1000 per Routing Group, I don't see many people hitting this problem. Moving on....
- 100 domains
I really wanted to just say this is because "I said so" or some other flippant answer. Unfortunately, I'm not the one who said so... the developers did. When I first thought about it, it did seem kinda arbitrary since we're (obviously) not capping it at 100 because of the MaxPageSize on the LDAP query. Actually, the recommended limit of 100 was imposed in E2k for performance reasons. The DSAccess component (prior to E2k3 SP1) cannot cache objects that are more than 32kb. When an Active Directory exceeds 100 domains, the associated ACLs can cause a directory object to easily swell over the hard limit of 32kb. E2k3 SP1 modifies DSAccess so the objects over 32kb are chained together in multiple chunks. Although this functionally removes the hard limit of 32kb, we can still run into performance issues if the size of directory objects get too large, so 100 domains is still a recommended limit for an Active Directory containing Exchange.
- 1000 Administrative Groups
Same reasoning as the 1000 connector limit here -- MaxPageSize in LDAP queries.
- 1000 Exchange servers
This is the good one. What, precisely, counts as a server? What if I cluster my backends? What if I use NLB on the frontends? How do the roles of the server impact this? It's pretty easy when you think about why the limitation is in place and then work backwards. The 'why?' at this point should be obvious -- MaxPageSize in LDAP queries. But what are we querying? Well, we know that the Exchange Organization is bound by the forest and not the domain. This effectively prohibits the querying of the Domain partition of Active Directory for the information. In fact, we are querying the Configuration partition (since it is shared by all domains in a forest) for objects with an objectCategory of msExchangeServer. Now with a standalone Exchange server, it's pretty easy to see that the server name will match the cn of the object returned. So if I have a (non-clustered) server named SERVER1, after I install Exchange, the server object in the ESM will show SERVER1. But what about those nasty clusters? I have 2 nodes of my cluster and the nodes are named CLUSTER-NODE1 and CLUSTER-NODE2. I install Exchange on both nodes (following the first part of Q328875 for Exchange 2000 or Q895981 for Exchange 2003), and then I look in the ESM. What do I see for this cluster? NOTHING! Why? Because the Network Name resource for the Exchange Virtual Server has not yet been created. So I create the Network Name resource EXCH-CLUSTER (along with the needed prereqs) and continue to follow the procedure referencing in the articles. After I bring the Exchange Virtual Server (EVS) resource group completely online, I check in the ESM and see that it now references the Exchange server named EXCH-CLUSTER. This means that with an A/P cluster, there will be one EVS. But on an A/A cluster (which is wrong for so many reasons), you will have two EVSs. And it is truly the number of EVSs that matters and not the number of 'active nodes' in the cluster -- although they are usually equal. If I configured an A/A cluster (trust me, I never would), I could fail one EVS over to the other node. At that point, one node would be passive (not owning any Exchange resources at the moment), however, we still have two EVSs. So technically, the number of active nodes does not necessarily reflect the number of EVSs. NLB? Doesn't matter. Shared IP address doesn't impact server count. Role of the server? Doesn't matter. An HTTP front-end counts towards the 1000 server limit as much as a back-end.
Thx to Zach McNelis and Jeff Beckham for review.
Thx to Ross Smith IV for helping me replace the "I said so" with useful information about the 100 domain limit.
