Enabling Inefficient and Expensive LDAP Query Logging

Problem

You want to log inefficient and expensive LDAP queries to the Directory Services event log.

Solution

To log a summary report about the total number of searches, total expensive searches, and total inefficient searches to the Directory Services event log, set the 15 Field Engineering diagnostics logging setting to 4. This summary is generated every 12 hours during the garbage collection cycle.

To log an event to the Directory Services event log every time an expensive or inefficient search occurs, set the 15 Field Engineering diagnostics logging setting to 5.

See Recipe 16.2 for more on enabling diagnostics logging.

Discussion

A search is considered expensive if it has to visit a large number of objects in Active Directory. The default threshold for an expensive query is 10,000, so any search that visits 10,000 or more objects is considered expensive. A search is considered inefficient if it returns less than 10 percent of the total objects it visits. If a query visited 10,000 objects and returned only 999 of them (less than 10 percent), it would be considered inefficient; if it returned 1,000 instead, it would not. There is also a lower limit on the number of entries visited, which defaults to 1,000: no search that visits fewer than 1,000 entries is considered inefficient, even if it visited 999 and returned 0.

Here is a sample summary report event that is logged when 15 Field Engineering is set to 4:

	Event Type:        Information
	Event Source:        NTDS General
	Event Category:        Field Engineering
	Event ID:        1643
	Date:                5/24/2003
	Time:                7:24:24 PM
	User:                NT AUTHORITY\ANONYMOUS LOGON
	Computer:        DC1
	Description:
	Internal event: Active Directory performed the following number of search operations
	within this time interval.

	Time interval (hours): 9
	Number of search operations: 24679

	During this time interval, the following number of search operations were
	characterized as either expensive or inefficient.

	Expensive search operations: 7
	Inefficient search operations: 22

If you set 15 Field Engineering to 5, the summary event is still logged during the garbage collection cycle, and in addition event 1644 is generated every time an expensive or inefficient search occurs. This setting can provide useful information if you are running applications that regularly generate expensive or inefficient queries. The following example was taken from a Windows Server 2003 domain controller (Windows 2000 does not provide quite as much detail). Notice that the event provides details on all aspects of the search, including the client IP, authenticating user, search base DN, search filter, attributes, controls, number of entries visited, and number of entries returned:

	Event Type:        Information
	Event Source:        NTDS General
	Event Category:        Field Engineering
	Event ID:        1644
	Date:                5/24/2003
	Time:                7:50:40 PM
	User:                RALLENCORP\rallen
	Computer:        DC1
	Description:
	Internal event: A client issued a search operation with the following options.

	Client: 192.168.4.14
	Starting node: DC=rallencorp,DC=com
	Filter: (description=*)
	Search scope: subtree
	Attribute selection: cn
	Server controls:

	Visited entries: 10340
	Returned entries: 1000

With the default settings, the query shown in the above event is considered both expensive and inefficient. It is expensive because it visited more than 10,000 entries. It is inefficient because it returned less than 10 percent of those entries.
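The following PowerShell is an added example and is not part of the recipe. It parses the description text of an event 1644 (using the field layout of the sample event above) and classifies the search with the same rules the Discussion gives: visited entries at or above the expensive threshold, and fewer than 10 percent returned once the inefficient threshold of visited entries is reached. The sample description is copied from the event above; the live-log helper at the end assumes a Windows version with Get-WinEvent and the "Directory Service" log name, neither of which this page mentions.

```powershell
# Added example, not from the Active Directory Cookbook. Parses an event 1644
# description and applies the recipe's expensive/inefficient rules to it.

function ConvertFrom-Event1644Description {
    param([Parameter(Mandatory)][string]$Description)

    # Each "Label: value" line of the description becomes a hashtable entry;
    # blank lines and lines without a colon are skipped.
    $fields = @{}
    foreach ($line in $Description -split "`r?`n") {
        if ($line -match '^\s*([^:]+?):\s*(.*)$') {
            $fields[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    [pscustomobject]@{
        Client          = $fields['Client']
        StartingNode    = $fields['Starting node']
        Filter          = $fields['Filter']
        Scope           = $fields['Search scope']
        Attributes      = $fields['Attribute selection']
        VisitedEntries  = [int]$fields['Visited entries']
        ReturnedEntries = [int]$fields['Returned entries']
    }
}

function Test-SearchEfficiency {
    param(
        [Parameter(Mandatory)][int]$Visited,
        [Parameter(Mandatory)][int]$Returned,
        [int]$ExpensiveThreshold   = 10000,   # default Expensive Search Results Threshold
        [int]$InefficientThreshold = 1000     # default Inefficient Search Results Threshold
    )
    # Expensive: the search visited at least the expensive threshold of entries.
    $expensive = $Visited -ge $ExpensiveThreshold
    # Inefficient: at least the inefficient threshold of entries were visited AND
    # fewer than 10 percent of them were returned (Returned < Visited / 10).
    $inefficient = ($Visited -ge $InefficientThreshold) -and (($Returned * 10) -lt $Visited)
    [pscustomobject]@{
        Visited     = $Visited
        Returned    = $Returned
        Expensive   = $expensive
        Inefficient = $inefficient
    }
}

function Get-LoggedSearchClassification {
    # Feed live event 1644 messages through the same parser. Assumes a Windows
    # version with Get-WinEvent and the "Directory Service" log (not on this page).
    param([int]$ExpensiveThreshold = 10000, [int]$InefficientThreshold = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644 } |
        ForEach-Object {
            $s = ConvertFrom-Event1644Description -Description $_.Message
            $r = Test-SearchEfficiency -Visited $s.VisitedEntries -Returned $s.ReturnedEntries `
                    -ExpensiveThreshold $ExpensiveThreshold -InefficientThreshold $InefficientThreshold
            [pscustomobject]@{
                Time = $_.TimeCreated; Client = $s.Client; Filter = $s.Filter
                Visited = $r.Visited; Returned = $r.Returned
                Expensive = $r.Expensive; Inefficient = $r.Inefficient
            }
        }
}

# Sample description, copied from the event 1644 shown in the recipe.
$sampleDescription = @'
Internal event: A client issued a search operation with the following options.

Client: 192.168.4.14
Starting node: DC=rallencorp,DC=com
Filter: (description=*)
Search scope: subtree
Attribute selection: cn
Server controls:

Visited entries: 10340
Returned entries: 1000
'@

$search = ConvertFrom-Event1644Description -Description $sampleDescription
# Expensive (10340 >= 10000) and inefficient (1000 < 10 percent of 10340).
Test-SearchEfficiency -Visited $search.VisitedEntries -Returned $search.ReturnedEntries

# Edge cases from the Discussion: 999 of 10,000 is inefficient, 1,000 is not,
# and a search visiting fewer than 1,000 entries is never inefficient.
Test-SearchEfficiency -Visited 10000 -Returned 999
Test-SearchEfficiency -Visited 10000 -Returned 1000
Test-SearchEfficiency -Visited 999   -Returned 0
```

Passing custom values for the two threshold parameters lets you check how a search would be classified after changing the registry thresholds described below, before you change them on a production domain controller.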

You can customize what a domain controller considers expensive and inefficient by creating two registry values under the HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters key. Create a value named Expensive Search Results Threshold of type DWORD and set it to the number of entries a search must visit to be considered expensive. Similarly, create a value named Inefficient Search Results Threshold of type DWORD and set it to the minimum number of entries a search must visit before returning less than 10 percent of them counts as inefficient.

If you want to see all the LDAP queries that are being sent to a domain controller, a quick way to do so is to set the 15 Field Engineering setting to 5 and Expensive Search Results Threshold to 0. This causes the domain controller to consider every search expensive and therefore log every LDAP search. While this can be very useful, use it with care, as it can quickly fill your event log. Be sure to allow sufficient disk space for your Event Logs to avoid low disk space on your domain controllers.
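As an added example (not code from the recipe), the following PowerShell applies the settings described in this recipe from an elevated session on the domain controller: the 15 Field Engineering level and the two threshold values under the NTDS\Parameters key. The Diagnostics key path is not given on this page (it belongs to Recipe 16.2) and is assumed here to be HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics; the Get-WinEvent check of the "Directory Service" log size assumes a Windows version that has that cmdlet.

```powershell
# Added example, not from the Active Directory Cookbook. Configures the
# 15 Field Engineering level and the search thresholds, and reports them
# together with the Directory Service event log's maximum size.

# Assumed path (Recipe 16.2); value "15 Field Engineering" is a REG_DWORD here.
$DiagnosticsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
# Path given in the recipe for the two threshold values.
$ParametersKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Set-FieldEngineeringLogging {
    param(
        # 4 = summary event 1643 only; 5 = summary plus event 1644 per expensive/inefficient search
        [Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level,
        # Omit a threshold to leave the built-in default (10,000 / 1,000 visited) in effect
        [Nullable[int]]$ExpensiveThreshold,
        [Nullable[int]]$InefficientThreshold
    )

    Set-ItemProperty -Path $DiagnosticsKey -Name '15 Field Engineering' -Value $Level -Type DWord

    # New-ItemProperty -Force creates the value or overwrites an existing one.
    if ($null -ne $ExpensiveThreshold) {
        New-ItemProperty -Path $ParametersKey -Name 'Expensive Search Results Threshold' `
            -PropertyType DWord -Value $ExpensiveThreshold -Force | Out-Null
    }
    if ($null -ne $InefficientThreshold) {
        New-ItemProperty -Path $ParametersKey -Name 'Inefficient Search Results Threshold' `
            -PropertyType DWord -Value $InefficientThreshold -Force | Out-Null
    }
}

function Reset-SearchThresholds {
    # Remove both custom thresholds so the defaults apply again.
    foreach ($name in 'Expensive Search Results Threshold', 'Inefficient Search Results Threshold') {
        Remove-ItemProperty -Path $ParametersKey -Name $name -ErrorAction SilentlyContinue
    }
}

function Get-FieldEngineeringLogging {
    # Report the effective settings; a missing threshold value means the default.
    $params    = Get-ItemProperty -Path $ParametersKey
    $expensive = $params.'Expensive Search Results Threshold'
    $ineff     = $params.'Inefficient Search Results Threshold'
    if ($null -eq $expensive) { $expensive = 10000 }
    if ($null -eq $ineff)     { $ineff     = 1000 }

    # Log size matters once every search is logged; this is the sanity check.
    $log = Get-WinEvent -ListLog 'Directory Service'

    [pscustomobject]@{
        Level                = (Get-ItemProperty -Path $DiagnosticsKey).'15 Field Engineering'
        ExpensiveThreshold   = $expensive
        InefficientThreshold = $ineff
        LogMaxSizeMB         = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    }
}

# Log each expensive or inefficient search as event 1644, keeping default thresholds:
Set-FieldEngineeringLogging -Level 5

# Log every LDAP search: threshold 0 makes each search count as expensive.
# Check LogMaxSizeMB in the output before leaving this in place.
Set-FieldEngineeringLogging -Level 5 -ExpensiveThreshold 0
Get-FieldEngineeringLogging

# Return to the default (no Field Engineering logging, default thresholds):
Set-FieldEngineeringLogging -Level 0
Reset-SearchThresholds
```

The level change takes effect without a restart, so the usual pattern is to raise it to 5 for a bounded troubleshooting window, collect the 1644 events, and then return it to 0 as the last two calls do.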


See Also

Recipe 16.2 for enabling diagnostics logging
