Hi, here is a new article explaining how to limit LDAP queries (to reduce exposure to attacks and to limit the impact on the performance of the LDAP/AD server):
AD does not allow anonymous connections: http://support.microsoft.com/kb/326690/en-us
By default, anonymous Lightweight Directory Access Protocol (LDAP) operations to Active Directory, other than rootDSE searches and binds, are not permitted in Microsoft Windows Server 2003 or greater.
Using ntdsutil to limit AD queries: https://support.microsoft.com/kb/315071/en-us
These limits prevent specific operations from adversely affecting the performance of the server, and also make the server more resilient to some types of attacks.
Windows Server 2008 and newer domain controllers return only 5000 values in an LDAP response: http://support.microsoft.com/kb/2009267
Override the hardcoded LDAP Query limits introduced in Windows Server 2008 and Windows Server 2008 R2: http://blogs.technet.com/b/qzaidi/archive/2010/09/02/override-the-hardcoded-ldap-query-limits-introduced-in-windows-server-2008-and-windows-server-2008-r2.aspx
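The limits that ntdsutil's "LDAP policies" command sets are stored in the lDAPAdminLimits attribute of the Default Query Policy object in the configuration partition, so they can be audited without touching ntdsutil. The script below is an added example (not from the linked articles) that reads the current limits and flags any that are looser than the out-of-the-box defaults; it assumes the ActiveDirectory PowerShell module on a domain-joined host with read access to the configuration naming context.

```powershell
# Added example: audit the LDAP administrative limits that ntdsutil writes.
# Assumes the ActiveDirectory module is installed and the host is domain-joined.
Import-Module ActiveDirectory

function Get-LdapAdminLimits {
    # The Default Query Policy lives under the configuration naming context.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $policyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
                "CN=Windows NT,CN=Services,$configNC"
    $policy = Get-ADObject -Identity $policyDN -Properties lDAPAdminLimits

    # lDAPAdminLimits is multi-valued; each value looks like "MaxPageSize=1000".
    $limits = @{}
    foreach ($entry in $policy.lDAPAdminLimits) {
        $name, $value = $entry -split '=', 2
        $limits[$name] = [int]$value
    }
    return $limits
}

# Out-of-the-box default values for the limits that most affect query load
# (MaxQueryDuration is in seconds, MaxResultSetSize in bytes, the rest are counts).
# Note: on Windows Server 2008 and newer, values per attribute are capped at 5000
# by the DC itself (KB 2009267), so a MaxValRange above 5000 has no effect.
$defaults = @{
    MaxPageSize      = 1000
    MaxValRange      = 1500
    MaxQueryDuration = 120
    MaxResultSetSize = 262144
}

$current = Get-LdapAdminLimits
foreach ($name in $defaults.Keys) {
    $value = $current[$name]
    if ($null -eq $value) { $value = 'not set' }
    $flag = ''
    if ($value -is [int] -and $value -gt $defaults[$name]) {
        $flag = 'LOOSER THAN DEFAULT'
    }
    '{0,-18} current={1,-8} default={2,-8} {3}' -f $name, $value, $defaults[$name], $flag
}
```

A limit that is missing from lDAPAdminLimits simply falls back to the DC's built-in default, so "not set" is not itself a problem; raised values are what to review.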