Recipe 15.8 Enabling Inefficient and Expensive LDAP Query Logging

15.8.1 Problem

You want to log inefficient and expensive LDAP queries to the Directory Services event log.

15.8.2 Solution

To log a summary report about the total number of searches, total expensive searches, and total inefficient searches to the Directory Services event log, set the 15 Field Engineering diagnostics logging setting to 4. This summary is generated every 12 hours during the garbage collection cycle.

To log an event to the Directory Services event log every time an expensive or inefficient search occurs, set the 15 Field Engineering diagnostics logging setting to 5.

See Recipe 15.2 for more on enabling diagnostics logging.

15.8.3 Discussion

A search is considered expensive if it has to visit a large number of objects in Active Directory. A search is considered inefficient if it returns less than 10% of the total objects it visits. The default threshold for an expensive query is 10,000. That means any search that visits 10,000 or more objects would be considered expensive. The default bottom limit for an inefficient query is 1,000. If a query visited 1,000 objects and only returned 99 of them (less than 10%), it would be considered inefficient. If it returned 900 instead, it would not be considered inefficient. To summarize, with 1,000 being the default bottom threshold, no search that visits less than 1,000 entries (even if it visited 999 and returned 0) would be considered inefficient.

Here is an example summary report event that is logged when 15 Field Engineering is set to 4:

Event Type:        Information
Event Source:        NTDS General
Event Category:        Field Engineering 
Event ID:        1643
Date:                5/24/2003
Time:                7:24:24 PM
User:                NT AUTHORITY\ANONYMOUS LOGON
Computer:        DC1
Description:
Internal event: Active Directory performed the following number of search operations 
within this time interval. 
 
Time interval (hours):
9 
Number of search operations:
24679 
 
During this time interval, the following number of search operations were 
characterized as either expensive or inefficient. 
 
Expensive search operations:
7 
Inefficient search operations:
22

If you set 15 Field Engineering to 5, the summary event is still logged during the garbage collection cycle, and event 1644 is logged every time an expensive or inefficient search occurs. Notice that this event provides details on all aspects of the search, including the client IP, authenticating user, search base DN, search filter, attributes, controls, number of entries visited, and number of entries returned. The following example was taken from a Windows Server 2003 domain controller; Windows 2000 does not provide quite as much detail.

Event Type:        Information
Event Source:        NTDS General
Event Category:        Field Engineering 
Event ID:        1644
Date:                5/24/2003
Time:                7:50:40 PM
User:                RALLENCORP\rallen
Computer:        DC1
Description:
Internal event: A client issued a search operation with the following options. 
 
Client:
192.168.4.14 
Starting node:
DC=rallencorp,DC=com 
Filter:
 (description=*)  
Search scope:
subtree 
Attribute selection:
cn
Server controls:
 
Visited entries:
10340 
Returned entries:
1000

With the default settings, the query shown in the above event is considered both expensive and inefficient. It is expensive because it visited more than 10,000 entries. It is inefficient because it returned less than 10% of those entries.

You can customize what a domain controller considers expensive and inefficient by creating a couple of registry values under the HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters key. Create a value named Expensive Search Results Threshold of type DWORD, and set it to the number of entries a search must visit to be considered expensive. Similarly, create a value named Inefficient Search Results Threshold of type DWORD, and set it to the minimum number of entries visited at which a search returning less than 10% of them is considered inefficient.

If you want to see all the LDAP queries that are being sent to a domain controller, a quick way to do that would be to set the 15 Field Engineering setting to 5 and Expensive Search Results Threshold to 0. This would cause the domain controller to consider every search as expensive and log all the LDAP searches. While this can be very useful, you should use it with care as it could quickly fill your event log.
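As an added example (not part of the recipe), the following Python script applies the expensive/inefficient rules described above to the Visited/Returned counts in an event 1644 description; it assumes the "Label:" / value-on-next-line layout shown in the event above, and its threshold arguments default to the recipe's values but can be changed to mirror the two registry DWORDs.

```python
# Added example: classify an LDAP search the way the Discussion describes,
# and pull the fields out of an event 1644 description.
FIELDS = ("Client", "Starting node", "Filter", "Search scope",
          "Attribute selection", "Server controls",
          "Visited entries", "Returned entries")

def classify_search(visited, returned, expensive=10_000, inefficient=1_000):
    """Labels the DC would apply; defaults are the recipe's thresholds.
    expensive / inefficient mirror the two registry DWORDs; 10% is fixed."""
    labels = set()
    if visited >= expensive:            # 10,000 or more visited -> expensive
        labels.add("expensive")
    # Below the bottom limit a search is never inefficient, however few hits.
    if visited >= inefficient and returned < visited * 0.10:
        labels.add("inefficient")
    return labels

def parse_event_1644(description):
    """Convert the 'Label:' / value-on-next-line layout into a dict."""
    lines = description.splitlines()
    fields = {}
    for i, line in enumerate(lines[:-1]):
        text = line.strip()
        if text.endswith(":") and text[:-1] in FIELDS:
            fields[text[:-1]] = lines[i + 1].strip()
    for key in ("Visited entries", "Returned entries"):
        fields[key] = int(fields[key])
    return fields

# Constructed sample: the field block of the event 1644 shown above.
SAMPLE_1644 = """Client:
192.168.4.14
Starting node:
DC=rallencorp,DC=com
Filter:
 (description=*)
Search scope:
subtree
Attribute selection:
cn
Server controls:

Visited entries:
10340
Returned entries:
1000
"""

if __name__ == "__main__":
    ev = parse_event_1644(SAMPLE_1644)
    print(ev["Client"], ev["Filter"],
          sorted(classify_search(ev["Visited entries"], ev["Returned entries"])))
```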

15.8.4 See Also

Recipe 15.2 for enabling diagnostics logging
