The IIQ aggregation operation features several hooks for running rules that process and format the account information into an identity-friendly resource object. As a side effect, processing each account takes some time, so the time per page grows directly with the number of accounts to aggregate. Under some conditions, the time to process a page of accounts exceeds the AD server's timeout settings. This results in a timeout exception when fetching the next page of accounts from the AD server.
To fix this, do one of the following:
1) rework the rules to shorten the processing;
2) redefine IIQ's application settings to fetch fewer accounts in a single page;
3) redefine IIQ's application settings to fetch the entire account list in the initial page;
4) reconfigure the AD server to allow sufficient time to process a page of accounts.
While the IIQ UI provides fields to accomplish the first 3 options, the final option requires an AD admin tool. The "ntdsutil.exe" tool displays the AD policy settings. For example, this MS-Support link details the tool and the policy:
http://support.microsoft.com/kb/315071
MaxConnIdleTime - The maximum time in seconds that the client can be idle before the LDAP server closes the connection. If a connection is idle for more than this time, the LDAP server returns an LDAP disconnect notification.
Default value: 900 seconds
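
To compare options 2 and 4 before changing anything, the following added example (not part of the original note or of IIQ) reads the LDAP policy values and checks whether a given page size fits inside MaxConnIdleTime. It assumes the connection sits idle while IIQ processes a page, that the policy lives in the Default Query Policy object's lDAPAdminLimits attribute, and that the per-account time is measured from your own aggregation logs; the function names, the 0.8 safety factor and the sample values are constructed for illustration.

```powershell
# Added example: function names and sample values are constructed for illustration.

# Turn lDAPAdminLimits entries such as "MaxConnIdleTime=900" into a hashtable.
function ConvertFrom-LdapAdminLimits {
    param([string[]]$Limits)
    $policy = @{}
    foreach ($entry in $Limits) {
        $name, $value = $entry -split '=', 2
        $policy[$name.Trim()] = [int]$value
    }
    return $policy
}

# Compare the time needed to process one page against the idle timeout and
# report the largest page size that stays inside it (with a safety margin).
function Test-AggregationPageSize {
    param(
        [hashtable]$Policy,
        [int]$PageSize,
        [double]$SecondsPerAccount,   # measured per-account rule time (assumption)
        [double]$SafetyFactor = 0.8   # keep 20% headroom below the timeout
    )
    $pageSeconds = $PageSize * $SecondsPerAccount
    $budget      = $Policy['MaxConnIdleTime'] * $SafetyFactor
    $largest     = [int][math]::Floor($budget / $SecondsPerAccount)
    # The server never returns more than MaxPageSize entries in one page.
    $largest     = [math]::Min($largest, $Policy['MaxPageSize'])
    [pscustomobject]@{
        PageSeconds      = $pageSeconds
        IdleLimitSeconds = $Policy['MaxConnIdleTime']
        ExceedsIdleLimit = $pageSeconds -gt $Policy['MaxConnIdleTime']
        LargestSafePage  = $largest
    }
}

# Live read (needs the ActiveDirectory module and read access to the
# configuration partition); uncomment to replace the sample below:
# $dn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
#       "CN=Windows NT,CN=Services," + (Get-ADRootDSE).configurationNamingContext
# $limits = (Get-ADObject -Identity $dn -Properties lDAPAdminLimits).lDAPAdminLimits

# Constructed sample input.
$limits = @('MaxConnIdleTime=900', 'MaxPageSize=1000')
$policy = ConvertFrom-LdapAdminLimits -Limits $limits
Test-AggregationPageSize -Policy $policy -PageSize 1000 -SecondsPerAccount 1.2
```

The LDAP policy applies to every client of the domain controllers that use it, whereas options 1 and 2 keep the change scoped to IIQ.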