
July 6, 2015

Finding Expensive LDAP queries in LDS or Active Directory



Overview

This is a quick guide on how to find expensive and inefficient LDAP queries running against Active Directory or Active Directory Lightweight Directory Services (AD LDS).


Steps

1. While the CPU is running high, change the following registry value to "5":
  1. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics\15 Field Engineering

2. Update or create the following registry values with the desired threshold in milliseconds (data type should be DWORD). The values below are the defaults.

  1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Expensive Search Results Threshold = 10,000
  2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Inefficient Search Results Threshold = 1,000
  3. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Search Time Threshold (msecs) = 30,000

3. Let that run for a period of time while the high CPU issue is occurring.
4. Open the Directory Service event log.
5. The events with event ID 1644 should give you an idea of where the traffic is coming from and what queries are being run against the server.

Note: Don't forget to change the "15 Field Engineering" value back to 0 when you are done troubleshooting.
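The whole procedure as one script, added here as an example and not part of the original post: it sets the three thresholds from the steps above, raises "15 Field Engineering" to 5, waits for a collection window, restores the previous level in a finally block (so the closing note is honoured even if the script is interrupted), and then summarises the event 1644 entries by client and by filter. The registry paths are the post's NTDS paths; the `ServiceKey` parameter is an assumption that lets you point it at a different service key. The "Client:" and "Filter:" regexes are assumptions about the event text; if a field is not found the raw message is kept so nothing is silently dropped. Run it elevated on the server.

```powershell
# Added example (not from the original post). Run elevated on the directory server.
param(
    # Assumption: the post's NTDS paths; point this at another service key if needed.
    [string]$ServiceKey            = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS',
    [int]$ExpensiveSearchResults   = 10000,   # default from the post
    [int]$InefficientSearchResults = 1000,    # default from the post
    [int]$SearchTimeMsecs          = 30000,   # default from the post
    [int]$CollectMinutes           = 10,      # how long to leave logging on
    [int]$Top                      = 10       # rows to show per summary
)

$diagKey  = Join-Path $ServiceKey 'Diagnostics'
$paramKey = Join-Path $ServiceKey 'Parameters'
$fieldEng = '15 Field Engineering'

# Remember the current level so it can be put back afterwards (the post's closing note).
$previous = (Get-ItemProperty -Path $diagKey -Name $fieldEng -ErrorAction SilentlyContinue).$fieldEng
if ($null -eq $previous) { $previous = 0 }

$thresholds = @{
    'Expensive Search Results Threshold'   = $ExpensiveSearchResults
    'Inefficient Search Results Threshold' = $InefficientSearchResults
    'Search Time Threshold (msecs)'        = $SearchTimeMsecs
}

$start = Get-Date
try {
    # Step 2: create or update the three DWORD thresholds.
    foreach ($name in $thresholds.Keys) {
        New-ItemProperty -Path $paramKey -Name $name -Value $thresholds[$name] -PropertyType DWord -Force | Out-Null
    }
    # Step 1: turn on Field Engineering logging.
    Set-ItemProperty -Path $diagKey -Name $fieldEng -Value 5 -Type DWord
    Write-Host "Logging event 1644 for $CollectMinutes minute(s)..."
    Start-Sleep -Seconds ($CollectMinutes * 60)   # step 3: let it run
}
finally {
    # Always restore the diagnostic level, even on Ctrl+C or an error above.
    Set-ItemProperty -Path $diagKey -Name $fieldEng -Value $previous -Type DWord
    Write-Host "Restored '$fieldEng' to $previous"
}

# Steps 4 and 5: read event 1644 from the Directory Service log for the window.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644; StartTime = $start } -ErrorAction SilentlyContinue
if (-not $events) { Write-Host 'No event 1644 entries were logged in the window.'; return }

# Assumption: the event text contains "Client:" and "Filter:" lines.
$parsed = foreach ($e in $events) {
    $m = $e.Message
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Client = if ($m -match 'Client:\s*(\S+)') { $Matches[1] } else { '(unparsed)' }
        Filter = if ($m -match 'Filter:\s*(.+)')  { $Matches[1].Trim() } else { $m }
    }
}

Write-Host "`nTop clients by number of expensive/inefficient searches:"
$parsed | Group-Object Client | Sort-Object Count -Descending |
    Select-Object -First $Top -Property Count, Name | Format-Table -AutoSize

Write-Host 'Top search filters:'
$parsed | Group-Object Filter | Sort-Object Count -Descending |
    Select-Object -First $Top -Property Count, Name | Format-Table -AutoSize -Wrap
```

The try/finally is the important design choice: leaving "15 Field Engineering" at 5 keeps the server writing an event for every search that crosses a threshold, so restoring it must not depend on the script finishing cleanly.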

July 7, 2014

Understanding Proxy Authentication with multiple domains in AD LDS


What is Proxy Authentication?

Proxy Authentication allows a user to authenticate against an AD LDS instance using the password that is stored in Active Directory. In AD LDS you can use AdamSync.exe to create a UserProxy or UserProxyFull object. The proxy object in AD LDS looks like a traditional user object, but it does not have a password stored on it. When an application pointed at the AD LDS instance tries to authenticate, the AD LDS server passes the SID and password to the domain controller to verify that the credentials are correct.


Proxy Authentication with Multiple Domains

July 31, 2013

Enabling LDAP over SSL with AD LDS


  1. Create a new server authentication/Web server certificate. LINK
  2. Import the certificate into the Certificates store for the local service account of the instance. LINK
  3. Grant Read permission on the server authentication certificate to the account the LDS service runs as (typically the "Network Service" account).
  4. Open the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder and verify that "Network Service", "Administrators" and "System" have read access to all of the certificates.
  5. Verify that SSL is required on the LDS instance:
    • Open ADSI Edit and connect to the configuration partition of the LDS instance
    • Navigate to CN=Directory Service,CN=Windows NT,CN=Services
    • Right-click CN=Directory Service and select Properties
    • Select the msDS-Other-Settings attribute and click Edit
    • Verify that the value RequireSecureProxyBind is set to 1
  6. Restart the LDS instance.
  7. Use LDP.exe to test SSL:
    • Open ldp.exe
    • Click Connection -> Connect
    • Enter the FQDN of the server
    • Change the port (default is 636)
    • Check the SSL box
    • Click OK to connect
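The ldp.exe check in step 7 as a script, added here as an example and not part of the original post: it opens a TLS session to the SSL port of the instance and reports the certificate the server presented, so a handshake that fails (typically the private-key permissions from steps 3 and 4) or the wrong certificate being served is visible without the GUI. The `Server` parameter and the hostname check on the subject CN are assumptions; the port default is the post's 636. It uses only .NET classes available in Windows PowerShell.

```powershell
# Added example (not from the original post): scripted version of the ldp.exe SSL test.
param(
    [Parameter(Mandatory)][string]$Server,   # FQDN of the LDS server (your input)
    [int]$Port = 636                          # the post's default SSL port
)

# Accept any certificate during the handshake; the chain is checked separately
# below so the output reports *why* validation failed instead of just throwing.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

$tcp = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $tcp.Connect($Server, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($Server)   # throws if nothing is speaking TLS on the port
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Simplified name check (assumption): the FQDN should appear as the subject CN.
    $nameOk = $cert.Subject -match ('CN=' + [regex]::Escape($Server))

    [pscustomobject]@{
        Server       = $Server
        Port         = $Port
        Protocol     = $ssl.SslProtocol
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        Thumbprint   = $cert.Thumbprint
        ChainTrusted = $cert.Verify()    # builds the chain to a trusted root on this client
        NameMatches  = $nameOk
    }
}
catch {
    Write-Error "TLS test to ${Server}:${Port} failed: $($_.Exception.Message)"
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

A handshake that connects but reports `ChainTrusted = False` means the instance is serving a certificate the client does not trust (step 1), while a connection refused or reset before the handshake usually points at the instance not having picked up the certificate at all (steps 2 to 4 and the restart in step 6).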