July 6, 2015

Finding Expensive LDAP queries in LDS or Active Directory



Overview

This is a quick guide on how to find expensive & inefficient LDAP queries running against Active Directory or Lightweight Directory Services.


Steps

1. While the CPU is running high, change the following registry value to "5":
  1. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics\15 Field Engineering  

2. Update or create the following registry values, setting each to the desired threshold in milliseconds (the data type should be DWORD). The values below are the default values.

  1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Expensive Search Results Threshold  = 10,000  
  2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Inefficient Search Results Threshold = 1,000  
  3. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Search Time Threshold (msecs) = 30,000  

3. Let that run for a period of time during the high CPU issues.
4. Open the Directory Services Log
5. The events with event ID 1644 should give you an idea of where the traffic is coming from and what queries are being run against the server.

Note: Don't forget to change the "15 Field Engineering" value back to 0 when you are done troubleshooting.
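
The steps above as a single PowerShell script, added here as an example and not part of the original post; the try/finally block makes sure "15 Field Engineering" goes back to 0 even if the run is interrupted. It assumes an elevated session on an Active Directory domain controller (the NTDS paths from the steps), and the collection window and output path are hypothetical values.

```powershell
# Added example, not from the original post. Run elevated on a domain controller.
# $CollectMinutes and $OutFile are hypothetical choices; adjust to your environment.
$CollectMinutes = 15
$OutFile        = Join-Path $env:TEMP 'ldap-1644.csv'

$diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# Step 2: thresholds, here set to the defaults listed in the post.
$thresholds = @{
    'Expensive Search Results Threshold'   = 10000
    'Inefficient Search Results Threshold' = 1000
    'Search Time Threshold (msecs)'        = 30000
}

$start = Get-Date
try {
    foreach ($name in $thresholds.Keys) {
        # -Force creates the DWORD value or overwrites an existing one.
        New-ItemProperty -Path $params -Name $name -PropertyType DWord `
            -Value $thresholds[$name] -Force | Out-Null
    }

    # Step 1: raise Field Engineering logging to 5.
    New-ItemProperty -Path $diag -Name '15 Field Engineering' -PropertyType DWord `
        -Value 5 -Force | Out-Null

    # Step 3: let it collect while the CPU problem is occurring.
    Start-Sleep -Seconds ($CollectMinutes * 60)

    # Steps 4-5: read event ID 1644 from the Directory Service log.
    # Get-WinEvent raises an error when nothing matches, so it is silenced
    # and @() turns "no output" into an empty array.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1644; StartTime = $start
    } -ErrorAction SilentlyContinue)

    $events | Select-Object TimeCreated, Message |
        Export-Csv -Path $OutFile -NoTypeInformation
    '{0} event(s) with ID 1644 since {1}; saved to {2}' -f $events.Count, $start, $OutFile
}
finally {
    # Note from the post: set "15 Field Engineering" back to 0 when done.
    Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 0
}
```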