# Enable Active Directory Domain Services (ADDS) LDAP authentication for NFS volumes
18
+
# Enable Active Directory Domain Services (AD DS) LDAP authentication for NFS volumes
19
19
20
-
When you [create an NFS volume](azure-netapp-files-create-volumes.md), you have the option to enable the LDAP with extended groups feature (the **LDAP** option) for the volume. This feature enables Active Directory LDAP users and extended groups (up to 1024 groups) to access files and directories in the volume. You can use the LDAP with extended groups feature with both NFSv4.1 and NFSv3 volumes.
20
+
When you [create an NFS volume](azure-netapp-files-create-volumes.md), you can enable the LDAP with extended groups feature (the **LDAP** option) for the volume. This feature enables Active Directory LDAP users and extended groups (up to 1024 groups) to access files and directories in the volume. You can use the LDAP with extended groups feature with both NFSv4.1 and NFSv3 volumes.
21
+
22
+
> [!NOTE]
23
+
> By default, in Active Directory LDAP servers, the `MaxPageSize` attribute is set to a default of 1,000. This setting means that groups beyond 1,000 are truncated in LDAP queries. To enable full support with the 1,024 value for extended groups, the `MaxPageSiz`e attribute must be modified to reflect the 1,024 value. For information about how to change that value, see [How to view and set LDAP policy in Active Directory by using Ntdsutil.exe](/troubleshoot/windows-server/identity/view-set-ldap-policy-using-ntdsutil).
21
24
22
25
Azure NetApp Files supports fetching of extended groups from the LDAP name service rather than from the RPC header. Azure NetApp Files interacts with LDAP by querying for attributes such as usernames, numeric IDs, groups, and group memberships for NFS protocol operations.
23
26
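Review bot: the new note paragraph (`> By default, in Active Directory LDAP servers, the `MaxPageSize` attribute ...`) has a misplaced backtick: `MaxPageSiz`e should read `MaxPageSize`. The same sentence also doubles up "By default ... is set to a default of 1,000"; suggest "By default, Active Directory LDAP servers set the `MaxPageSize` attribute to 1,000, so LDAP queries truncate group lists beyond 1,000 entries." Since `MaxPageSize` is an LDAP policy set on the domain controller rather than a per-volume setting, it would help readers to say that raising it to 1,024 applies to every LDAP client of that directory, not only to Azure NetApp Files.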
@@ -37,13 +40,13 @@ The following information is passed to the server in the query:
37
40
38
41
## Considerations
39
42
40
-
* You can enable the LDAP with extended groups feature only during volume creation. This feature cannot be retroactively enabled on existing volumes.
43
+
* You can enable the LDAP with extended groups feature only during volume creation. This feature can't be retroactively enabled on existing volumes.
41
44
42
-
* LDAP with extended groups is supported only with Active Directory Domain Services (ADDS) or Azure Active Directory Domain services (AADDS). OpenLDAP or other third-party LDAP directory services are not supported.
45
+
* LDAP with extended groups is supported only with Active Directory Domain Services (AD DS) or Azure Active Directory Domain services (AADDS). OpenLDAP or other third-party LDAP directory services aren't supported.
43
46
44
-
* LDAP over TLS must *not* be enabled if you are using Azure Active Directory Domain Services (AADDS).
47
+
* LDAP over TLS must *not* be enabled if you're using Azure Active Directory Domain Services (AADDS).
45
48
46
-
* You cannot modify the LDAP option setting (enabled or disabled) after you have created the volume.
49
+
* You can't modify the LDAP option setting (enabled or disabled) after you've created the volume.
47
50
48
51
* The following table describes the Time to Live (TTL) settings for the LDAP cache. You need to wait until the cache is refreshed before trying to access a file or directory through a client. Otherwise, an access or permission denied message appears on the client.
49
52
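Review bot: capitalization is inconsistent in the revised bullet `* LDAP with extended groups is supported only with Active Directory Domain Services (AD DS) or Azure Active Directory Domain services (AADDS).`; "Domain services" should be "Domain Services" to match the LDAP over TLS bullet two lines later. Since this commit expands ADDS to AD DS throughout, also check whether the AADDS abbreviation should get the same spacing treatment so the two product names are styled consistently.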
@@ -53,7 +56,7 @@ The following information is passed to the server in the query:
53
56
| Unix groups | 24-hour TTL, 1-minute negative TTL |
Caches have a specific timeout period called *Time to Live*. After the timeout period, entries age out so that stale entries do not linger. The *negative TTL* value is where a lookup that has failed resides to help avoid performance issues due to LDAP queries for objects that might not exist.
59
+
Caches have a specific timeout period called *Time to Live*. After the timeout period, entries age out so that stale entries don't linger. The *negative TTL* value is where a lookup that has failed resides to help avoid performance issues due to LDAP queries for objects that might not exist.
57
60
58
61
* The **Allow local NFS users with LDAP** option in Active Directory connections intends to provide occasional and temporary access to local users. When this option is enabled, user authentication and lookup from the LDAP server stop working, and the number of group memberships that Azure NetApp Files will support will be limited to 16. As such, you should keep this option *disabled* on Active Directory connections, except for the occasion when a local user needs to access LDAP-enabled volumes. In that case, you should disable this option as soon as local user access is no longer required for the volume. See [Allow local NFS users with LDAP to access a dual-protocol volume](create-volumes-dual-protocol.md#allow-local-nfs-users-with-ldap-to-access-a-dual-protocol-volume) about managing local user access.
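Review bot: the unchanged closing paragraph (`* The **Allow local NFS users with LDAP** option ...`) could take the same grammar pass as the rest of this commit: "intends to provide" reads better as "is intended to provide", and "the number of group memberships that Azure NetApp Files will support will be limited to 16" as "the number of group memberships that Azure NetApp Files supports is limited to 16". The guidance sequence is also easy to misread, because "In that case, you should disable this option" follows a sentence about when to enable it; suggest "Enable it only for that window, and disable it again as soon as local user access is no longer required", which keeps the stated behavior (LDAP lookup stops and group membership is capped at 16 while the option is on) but makes the enable-then-disable order explicit.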