Tuesday, April 15, 2014

How to check and change MTU value on the Windows server/computer

MTU stands for Maximum Transmission Unit: the size of the biggest packet that can be sent without being fragmented. By default it is set to 1500 on Windows systems (and on most other types of systems). When the source or destination device sends or receives data bigger than the MTU, it fragments the data so that it is sent in several packets of MTU size. So if the MTU is set to 1500 and the data is 2000 bytes, two packets will be sent - 1500 and 500. By default 28 bytes are taken up by the so-called frame, which is information about the packet and not the data itself. Why is the MTU setting important? First, not all kinds of data can be fragmented, and second, inconsistency in MTU size can cause issues. If one device sends packets fragmented to 1500 and the receiving device has its MTU set to 1400, it won't accept the packets at all.

I had an issue where, for some reason, one of the servers had its persistent MTU value set to 1496. This was a domain controller, and that caused AD replication to fail. It took a while to find the cause, and it turned out to be the incorrect MTU value, because the replication partner of this DC was sending 1500-byte packets and they were not allowed. Although the value set on the server was 1500, the maximum allowed packet was 1496. This was caused by an additional 4 bytes added to the frame by the backup software and the backup NIC. As a workaround it was decided to change the MTU value on both replication partners to 1400, which immediately resolved the issue.

How to check MTU value:

Open command prompt as Administrator and run the following command:

    netsh int ip show interfaces

The result should be similar to this (one row per interface, with its Idx number and MTU; the screenshot that followed is not reproduced here):

Sometimes, as described in the issue above, the actual MTU value can be lower than the one set on the interface. To check the actual accepted MTU size you can use the mturoute tool, which can show you MTU values on all devices in the path and help you find the bottleneck.

Also, to check the biggest packet size regardless of the MTU setting, you can use ping and a trial-and-error approach: an accepted size will get a reply, a size that is too big will fail (it times out or reports that the packet needs to be fragmented). The -f switch sets the Don't Fragment flag so the probe is rejected instead of being silently fragmented, and -l sets the payload size; remember that the 28 frame bytes mentioned above are added on top of -l.

    ping destination_ip -f -l packet_size

example: ping 10.10.10.10 -f -l 1500
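The trial-and-error ping check above, automated as a binary search and compared with the MTU configured on the local interfaces. This is an added example, not part of the original post; it assumes Windows PowerShell with ping.exe and the NetTCPIP cmdlets (Server 2012 and later), and 10.10.10.10 is a placeholder destination.

```powershell
# Binary-search the largest ICMP payload that passes with Don't Fragment set,
# then add the 28 header bytes (IP 20 + ICMP 8) to get the effective path MTU.
function Find-PathMtu {
    param(
        [Parameter(Mandatory)][string]$Destination,
        [int]$MinPayload  = 500,
        [int]$MaxPayload  = 1472,   # 1500 - 28: the most a standard MTU can carry
        [int]$HeaderBytes = 28
    )
    $low  = $MinPayload
    $high = $MaxPayload
    $best = 0
    while ($low -le $high) {
        $mid = [int][math]::Floor(($low + $high) / 2)
        # -f Don't Fragment, -l payload size, -n 1 single probe, -w timeout in ms
        $out = ping.exe $Destination -f -l $mid -n 1 -w 1000 2>&1 | Out-String
        if ($out -match 'TTL=') {
            $best = $mid          # reply came back unfragmented: payload fits
            $low  = $mid + 1
        } else {
            $high = $mid - 1      # "needs to be fragmented" or timeout: too big
        }
    }
    [pscustomobject]@{
        Destination  = $Destination
        MaxPayload   = $best
        EffectiveMtu = $best + $HeaderBytes
    }
}

# Same data as "netsh int ip show interfaces", via Get-NetIPInterface (NlMtu).
# An interface MTU larger than the path MTU is the mismatch the post describes.
function Compare-LocalMtu {
    param([Parameter(Mandatory)][string]$Destination)
    $path = Find-PathMtu -Destination $Destination
    Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object ConnectionState -eq 'Connected' |
        ForEach-Object {
            [pscustomobject]@{
                Interface     = $_.InterfaceAlias
                ConfiguredMtu = $_.NlMtu
                PathMtu       = $path.EffectiveMtu
                Mismatch      = ($_.NlMtu -gt $path.EffectiveMtu)
            }
        }
}

Compare-LocalMtu -Destination 10.10.10.10   # placeholder address
```

With the 1496-byte case from the post the search stops at a 1468-byte payload, so EffectiveMtu reports 1496 while the interface still shows 1500.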

How to change MTU value:

Open command prompt as Administrator and run the following command:

    netsh int ip set subinterface "interface_number" mtu="mtu_value" store=persistent

example: netsh int ip set subinterface 17 mtu=1500 store=persistent

Tuesday, November 20, 2012

How to find all subnets for the specific Active Directory site

Start the command prompt as an Administrator and run the command:

    dsquery subnet -o rdn -site Site_Name -limit limit_number>>output_path_file

example:

    dsquery subnet -o rdn -site SITE1 -limit 50>>C:\temp\subnets.txt

Monday, October 22, 2012

Limit access to thumbnailPhoto AD attribute

I was searching the web for how to limit access to the thumbnailPhoto AD attribute, but I could only find how to grant access or enable the attribute, so I had to dig in a bit myself.

Why to limit access?

First of all, you have no control over what users upload as their photos. It can be someone else's photo (a model, an actor, etc.), or a photo of someone else from the same company; it can even be an animal or a thing like a car, or whatever. It can also be something against your company's policy or even against the law, such as racist pictures or child pornography or worse. You don't want that.

Second, your AD database will grow with each picture, and keeping in mind that AD is for identity and access management, you want to keep it working as efficiently as you can. Gigabytes of pictures replicating across the network don't help with that. You will have to think about bigger HDDs for your servers as well.

What options are there?

There are basically two ways: you can deny the permission to upload photos and, if necessary, grant it to a desired group of people, or you can limit the maximum allowed size of a picture that can be uploaded to AD.

How to do it?

For limiting access you will need Domain Admin rights for your account, or a lower access level depending on the container you will apply the changes to.

You can go to the root of the domain in ADUC (or any OU), right-click and go to Properties, then the Security tab. From there click Advanced. In the Advanced window click Add. Type Everyone as the object name and click OK. In the next window go to the Properties tab and from the drop-down list choose User objects or Descendant User objects (depending on the container you are editing). Then scroll down almost to the very bottom to find Write thumbnailPhoto and check the Deny box. Click OK. Now nobody can add a photo to AD. You may want to pick SELF instead of Everyone, so that nobody can upload a picture for themselves, but a specified group of people (HR or whatever) can still do it for everyone.

To change the maximum allowed picture size (by default it's 100KB) you must be a member of Schema Admins.

Go to the server that holds the Schema Master role, open ADSI Edit, connect to the Schema naming context, scroll down to CN=Picture, right-click and choose Properties. In the Attribute Editor tab go down to rangeUpper and change it to the desired value in bytes. As an alternative to the permission-based method above, you can set this value to 1 byte.
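A way to verify both controls described above after applying them: whether a Deny Write ACE for thumbnailPhoto is present on a container, what rangeUpper the schema currently allows, and how much photo data is already stored. This is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT) with read access to the schema, and DC=example,DC=com is a placeholder container DN.

```powershell
Import-Module ActiveDirectory

# CN=Picture is the schema object whose lDAPDisplayName is thumbnailPhoto.
# Its schemaIDGUID is what ACEs for "Write thumbnailPhoto" carry as ObjectType.
function Get-ThumbnailPhotoSchemaInfo {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=thumbnailPhoto)' `
        -Properties schemaIDGUID, rangeUpper
    [pscustomobject]@{
        SchemaGuid = [guid]$attr.schemaIDGUID
        RangeUpper = $attr.rangeUpper        # max size in bytes, 102400 (100KB) by default
    }
}

# List every ACE on the container that grants or denies WriteProperty on
# exactly this attribute, with the object class it applies to.
function Test-ThumbnailPhotoDeny {
    param([Parameter(Mandatory)][string]$Container)
    $guid = (Get-ThumbnailPhotoSchemaInfo).SchemaGuid
    $acl  = Get-Acl -Path "AD:\$Container"
    $acl.Access | Where-Object {
        $_.ObjectType -eq $guid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    } | Select-Object IdentityReference, AccessControlType, InheritanceType, InheritedObjectType
}

# How many users already have a photo and how many bytes replicate because of it.
function Measure-ThumbnailPhotoUsage {
    $users = @(Get-ADUser -LDAPFilter '(thumbnailPhoto=*)' -Properties thumbnailPhoto)
    $sizes = $users | ForEach-Object { $_.thumbnailPhoto.Length }
    [pscustomobject]@{
        UsersWithPhoto = $users.Count
        TotalBytes     = ($sizes | Measure-Object -Sum).Sum
        LargestBytes   = ($sizes | Measure-Object -Maximum).Maximum
    }
}

Get-ThumbnailPhotoSchemaInfo
Test-ThumbnailPhotoDeny -Container 'DC=example,DC=com'   # placeholder DN
Measure-ThumbnailPhotoUsage
```

An empty result from Test-ThumbnailPhotoDeny means no attribute-specific ACE exists on that container, so writes are governed only by the broader permissions (such as Write All Properties) inherited there.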