
July 6, 2015

Finding Expensive LDAP queries in LDS or Active Directory



Overview

This is a quick guide to finding expensive and inefficient LDAP queries running against Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS), using the directory service's own search-threshold logging (event ID 1644).


Steps

1. While the CPU is running high, set the following registry value to 5 (REG_DWORD). The change takes effect immediately; no restart of the directory service is required.
  1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\15 Field Engineering  

   For an AD LDS instance the key sits under that instance's service name (ADAM_<instance name>) instead of NTDS; the same applies to the Parameters values in the next step.

2. Create or update the following registry values (data type REG_DWORD) to the desired thresholds. The first two are counts of entries, not times; only the third is in milliseconds. The values below are the defaults, so to have more searches logged, lower them.

  1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Expensive Search Results Threshold = 10,000 (entries visited)  
  2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Inefficient Search Results Threshold = 1,000 (entries visited)  
  3. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Search Time Threshold (msecs) = 30,000 (milliseconds, i.e. 30 seconds)  

3. Let that run for a period of time while the high CPU issue is occurring.
4. Open the Directory Service event log (Event Viewer, Applications and Services Logs, Directory Service).
5. The events with event ID 1644 show, for each search that crossed one of the thresholds, the client address and port, the starting node, the LDAP filter, the search scope, the attributes requested, and the number of entries visited and returned. Grouping them by client and by filter gives you an idea of where the traffic is coming from and what queries are being run against the server.

Note: Don't forget to set "15 Field Engineering" back to 0 when you are done troubleshooting; otherwise event 1644 keeps being written for every search that crosses a threshold and the Directory Service log fills up.
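The whole procedure in one script, as an added example that is not code from the original post. It assumes an elevated PowerShell session on the domain controller itself, the NTDS service key (for an AD LDS instance substitute its service name, e.g. ADAM_<instance>), a 15-minute capture window, and that the 1644 message body labels its fields "Client:", "Filter:", "Visited entries:" and "Returned entries:" (the wording can differ between Windows versions, so any field that does not match comes back blank). The threshold values and the 10% rule it re-applies are the ones described in the sections below.

```powershell
# Added example, not code from the original post. Runs the five steps above end
# to end on an AD DS domain controller and restores the default when finished.
# Assumptions: elevated PowerShell on the DC itself; the NTDS service key (for an
# AD LDS instance use its service name, e.g. ADAM_<instance>); a 15-minute
# capture window; 1644 message labels "Client:", "Filter:", "Visited entries:"
# and "Returned entries:" (wording can differ between Windows versions, so
# unmatched fields come back blank).

$diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$captureSeconds = 900

# Step 2 values. The first two are counts of entries, the third is milliseconds.
# These are the defaults; lower them to log more searches, raise them for less noise.
$thresholds = @{
    'Expensive Search Results Threshold'   = 10000
    'Inefficient Search Results Threshold' = 1000
    'Search Time Threshold (msecs)'        = 30000
}

function Get-LabeledValue {
    # Return the text that follows a label in the 1644 message body. The value may
    # sit on the same line as the label or on the next one, so \s* may cross a newline.
    param([string]$Text, [string]$Label)
    $pattern = '(?m)' + [regex]::Escape($Label) + '\s*(.+?)\s*$'
    if ($Text -match $pattern) { return $Matches[1] }
    return ''
}

function ConvertFrom-Event1644 {
    # Flatten one event into the fields needed for triage and tag which
    # thresholds the search crossed, using the same rules the server applies.
    param($Event)
    $m = $Event.Message
    $visited  = [int]((Get-LabeledValue $m 'Visited entries:')  -replace '\D', '')
    $returned = [int]((Get-LabeledValue $m 'Returned entries:') -replace '\D', '')
    $tags = @()
    if ($visited -ge $thresholds['Expensive Search Results Threshold']) { $tags += 'expensive' }
    if ($visited -ge $thresholds['Inefficient Search Results Threshold'] -and $returned -lt 0.1 * $visited) { $tags += 'inefficient' }
    [pscustomobject]@{
        Time     = $Event.TimeCreated
        Client   = Get-LabeledValue $m 'Client:'
        Filter   = Get-LabeledValue $m 'Filter:'
        Visited  = $visited
        Returned = $returned
        Tags     = ($tags -join ',')
    }
}

# Step 1: level 5 takes effect immediately; no restart of the directory service is needed.
Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 5 -Type DWord
try {
    foreach ($name in $thresholds.Keys) {
        # Set-ItemProperty creates the value if it does not exist yet.
        Set-ItemProperty -Path $params -Name $name -Value $thresholds[$name] -Type DWord
    }

    # Step 3: capture while the CPU is high.
    $start = Get-Date
    Start-Sleep -Seconds $captureSeconds

    # Steps 4 and 5: read event 1644 from the Directory Service log and summarise.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1644; StartTime = $start
    } -ErrorAction SilentlyContinue
    $rows = @($events | ForEach-Object { ConvertFrom-Event1644 $_ })

    "Searches over threshold: $($rows.Count)"
    'Top clients:'
    $rows | Group-Object Client | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name | Format-Table -AutoSize
    'Top filters:'
    $rows | Group-Object Filter | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name | Format-Table -AutoSize
    'Heaviest individual searches:'
    $rows | Sort-Object Visited -Descending | Select-Object -First 10 | Format-Table -AutoSize
}
finally {
    # Always put Field Engineering back, even if the capture was interrupted, and
    # confirm it really is 0.
    Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 0 -Type DWord
    '15 Field Engineering is now ' + (Get-ItemProperty -Path $diag).'15 Field Engineering'
}
```

The try/finally is the important part: if you Ctrl-C out of the sleep or the event query fails, the logging level is still reset, so a busy DC is not left writing 1644 events indefinitely. The Tags column tells you which threshold each logged search crossed, which is what decides the fix: an expensive search usually needs a narrower base DN or scope, an inefficient one usually needs an indexed attribute in its filter.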


Logging Levels


15 Field Engineering

The following logging levels are available for the "15 Field Engineering" field.
Each entry can be assigned a value from 0 through 5, and this value determines the level of detail of the events that are logged. The logging levels are described as:
  • 0 (None): Only critical events and error events are logged at this level. This is the default setting for all entries, and it should be modified only if a problem occurs that you want to investigate.
  • 1 (Minimal): Very high-level events are recorded in the event log at this setting. Events may include one message for each major task that is performed by the service. Use this setting to start an investigation when you do not know the location of the problem.
  • 2 (Basic)
  • 3 (Extensive): This level records more detailed information than the lower levels, such as steps that are performed to complete a task. Use this setting when you have narrowed the problem to a service or a group of categories.
  • 4 (Verbose)
  • 5 (Internal): This level logs all events, including debug strings and configuration changes. A complete log of the service is recorded. Use this setting when you have traced the problem to a particular category or a small set of categories.

Expensive Search Results Threshold

  • Expensive LDAP calls are searches that visit a large number of entries. The default threshold for an expensive search is 10,000: if an LDAP search visits 10,000 or more entries, it is considered expensive.

Inefficient Search Results Threshold

  • Inefficient LDAP calls are searches that return less than 10% of the entries they visit. For example, a query that visits 10,000 entries in Active Directory but returns only 100 is considered inefficient, because the returned entries are less than 10% of the visited entries. The default visited-entries threshold for an inefficient query is 1,000: a query that visits fewer than 1,000 entries is not considered inefficient, even if it returns no entries at all.

Search Time Threshold (msecs)

  • LDAP calls that take longer than this setting are logged. The default is 30,000 milliseconds (30 seconds).
