Active Directory limits

I've been doing a bit of research around the theoretical limits in an AD environment as part of a project I'm working on. It's unlikely that many people will ever actually hit these limits (if you do, you probably need to take a fundamental look at your infrastructure architecture and how you support it!) but I thought I'd post them anyhow - they may be useful to someone somewhere 🙂

- maximum number of GPOs that can apply to a user/computer: 999
- maximum number of DNS servers in an AD-integrated zone (without manually adding the details): 850 (Windows 2000), 1300 (Windows 2003)
- maximum number of supported DCs in a given domain: 1200
- maximum number of members of a group: 5000 (Windows 2000), unlimited in Windows 2003
- maximum number of DHCP servers in a forest: 850 (Windows 2000 SP1 or RTM), unlimited (Windows 2000 SP2 or later and Windows 2003)
- maximum number of UPN suffixes that can be set through the UI: 850 (you can set more if you need to via ADSI scripts)
- maximum number of objects that can be created over the lifetime of a given DIT (i.e. the AD database on a given DC): 2 billion


Comments (6)

  1. mcsieinf says:

    The difference between hard and soft is irrelevant if the limits are those that are "supported". There is no difference between something the product will not do, and which it will potentially do if either scenario is not supported by Microsoft.

    We will work on identifying the sources for each in another post – that’s a great idea.

  2. mcsieinf says:

    In terms of the "soft" limit of 5k members per group – this is in terms of the impact due to the replication mechanism in w2k versus w2k3. In w2k the limit was indeed soft, but exceeding it could lead to undesirable replication overhead. With the change in replication in w2k3, this soft limit was no longer an issue because only the deltas would get replicated as opposed to the entire group membership.

    Of course, if you add a large number of members to a group at once you will get replication overhead regardless as you say – however the number of real world scenarios where this would happen is very small – apart from perhaps a migration context which in itself should be treated as a special case from an operational perspective.

  3. Anonymous says:

    If you are curious what the theoretical limits of resources in an Active Directory environment are, you can…

  4. Anonymous says:

    This is a good list, but you may want to differentiate between "hard" and "soft" limits. For example, even in Windows 2000 the maximum number of group members is not set to a hard limit of 5000 (you can have plenty more – I’ve seen a group with 24.000 members in Win2k), however once you go beyond the recommended limit you risk replication issues in AD. That’s why this "soft" limit of 5000 members to a group basically still exists in Win2003 – it’s just not regarding the total number of members in a group, but you should also not add or remove more than 5000 members at once in Win2003 to avoid replication issues.

    Along this line, it would be great if you could add the different sources for your limits (which is where we would likely find more information about the reasoning for these restrictions).

  5. bpuhl says:

    For more info on AD limits, check out Eric’s DIT blog at:
