
Showing posts with label AD. Show all posts

July 6, 2015

Finding Expensive LDAP queries in LDS or Active Directory



Overview

This is a quick guide on how to find expensive & inefficient LDAP queries running against Active Directory or Lightweight Directory Services.


Steps

1. While the CPU is running high, set the following registry value to 5:
  1. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics\15 Field Engineering

2. Update or create the following registry values to the desired threshold in milliseconds (the data type should be DWORD). The values below are the defaults.

  1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Expensive Search Results Threshold  = 10,000  
  2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Inefficient Search Results Threshold = 1,000  
  3. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Search Time Threshold (msecs) = 30,000  

3. Let that run for a period of time during the high CPU issues.
4. Open the Directory Services Log
5. The events with event ID 1644 should give you an idea of where the traffic is coming from and what queries are being run against the server.

Note: Don't forget to change the "15 Field Engineering" value back to 0 when you are done troubleshooting.
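The steps above, as an added PowerShell example that is not part of the original post: one function turns on the 1644 logging and writes the three thresholds, one reads the resulting events from the Directory Service log and pulls out the client and filter, and one turns logging back off. It assumes an elevated session on the DC; the service key name and log name are parameters because an AD LDS instance uses its own service key and event log rather than NTDS, and the 1644 message field labels it parses are those of 2012 R2 and later (older DCs log less detail, in which case only the raw message is kept).

```powershell
# Added example, not the original post's code. Run elevated on the DC or AD LDS host.
function Enable-LdapQueryLogging {
    [CmdletBinding()]
    param(
        # 'NTDS' for AD DS; for AD LDS use the instance's service name (assumed here as e.g. 'ADAM_MyInstance')
        [string]$ServiceName = 'NTDS',
        # Defaults are the ones the post lists. Note: the two "Results" thresholds count entries
        # visited, only "Search Time Threshold" is in milliseconds.
        [int]$ExpensiveSearchResultsThreshold = 10000,
        [int]$InefficientSearchResultsThreshold = 1000,
        [int]$SearchTimeThresholdMsecs = 30000
    )
    $svc = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    # Level 5 on the "15 Field Engineering" diagnostic is what produces event 1644.
    New-ItemProperty -Path "$svc\Diagnostics" -Name '15 Field Engineering' -Value 5 -PropertyType DWord -Force | Out-Null
    $thresholds = @{
        'Expensive Search Results Threshold'   = $ExpensiveSearchResultsThreshold
        'Inefficient Search Results Threshold' = $InefficientSearchResultsThreshold
        'Search Time Threshold (msecs)'        = $SearchTimeThresholdMsecs
    }
    foreach ($name in $thresholds.Keys) {
        New-ItemProperty -Path "$svc\Parameters" -Name $name -Value $thresholds[$name] -PropertyType DWord -Force | Out-Null
    }
}

function Disable-LdapQueryLogging {
    param([string]$ServiceName = 'NTDS')
    $svc = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    # Back to 0, as the post's note says, so the DC stops writing 1644 events.
    Set-ItemProperty -Path "$svc\Diagnostics" -Name '15 Field Engineering' -Value 0 -Type DWord
}

function Get-ExpensiveLdapQuery {
    param(
        # AD LDS instances log to their own log named after the instance (assumption: 'ADAM (<instance>)')
        [string]$LogName = 'Directory Service',
        [int]$Hours = 1
    )
    $filter = @{ LogName = $LogName; Id = 1644; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $m = $_.Message
        # Field labels as written in the 1644 message body; a missing label leaves the field $null.
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Client   = if ($m -match 'Client:\s*(\S+)')            { $Matches[1] }         else { $null }
            BaseDN   = if ($m -match 'Starting node:\s*(.+)')      { $Matches[1].Trim() }  else { $null }
            Filter   = if ($m -match 'Filter:\s*(.+)')             { $Matches[1].Trim() }  else { $null }
            Visited  = if ($m -match 'Visited entries:\s*(\d+)')   { [int]$Matches[1] }    else { $null }
            Returned = if ($m -match 'Returned entries:\s*(\d+)')  { [int]$Matches[1] }    else { $null }
            Message  = $m
        }
    }
}

# Usage: enable, let it run through the CPU spike, summarise by client and filter, then disable.
# Enable-LdapQueryLogging
# Start-Sleep -Seconds 900
# Get-ExpensiveLdapQuery -Hours 1 | Group-Object Client, Filter | Sort-Object Count -Descending |
#     Select-Object Count, Name | Format-Table -AutoSize
# Disable-LdapQueryLogging
```

Grouping by client and filter is the quickest way to see which host is responsible for the load; a high Visited count with a low Returned count on the same filter is the pattern the "inefficient" threshold exists to catch, and usually points at an unindexed attribute or a leading-wildcard filter.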

July 7, 2014

Understanding Proxy Authentication with multiple domains in AD LDS




What is Proxy Authentication?

Proxy Authentication allows a user to authenticate against an AD LDS instance while using the password that is stored in Active Directory. In AD LDS you can use AdamSync.exe to create a UserProxy or UserProxyFull object in AD LDS. The proxy object in AD LDS looks like a traditional user object; however, it does not have a password stored on it. When an application is pointed at the AD LDS instance and tries to authenticate, the AD LDS server passes the SID and password to the domain controller to verify that the credentials are correct.


Proxy Authentication with Multiple Domains

July 1, 2014

ADMT Unable to create or merge object




Problem:

Recently I was migrating a large group of user accounts from one domain to another and the ADMT tool crashed on me unexpectedly. When I restarted the tool, one of the accounts gave me the following error: "2014-07-01 09:40:15 WRN1:7665 Unable to create or merge object 'CN=John Doe,OU=Users,DC=Domain,DC=com' as another instance of ADMT is currently creating or merging the same object." After searching online I figured out the following steps to resolve this issue.

Resolution:

July 17, 2013

Configuring AD LDS to sync with Multiple AD Domains





Problem


- You have user accounts in two domains that you would like to be able to authenticate from an application that can only look at one LDAP server at a time.

Prerequisites
- Windows 2008 R2
- 2 Active Directory Domains with a trust between the two

Solution: