Enabling Inefficient and Expensive LDAP Query Logging
To log a summary report about the total number of searches, total expensive searches, and total inefficient searches to the Directory Services event log, set the 15 Field Engineering diagnostics logging setting to 4. This summary is generated every 12 hours during the garbage collection cycle.
To log an event to the Directory Services event log every time an expensive or inefficient search occurs, set the 15 Field Engineering diagnostics logging setting to 5.
See Recipe 16.2 for more on enabling diagnostics logging.
A search is considered expensive if it has to visit a large number of objects in Active Directory. The default threshold for an expensive query is 10,000. That means any search that visits 10,000 or more objects would be considered expensive. A search is considered inefficient if it returns less than 10 percent of the total objects it visits. If a query visited 10,000 objects and only returned 999 of them (less than 10 percent), it would be considered inefficient. The default bottom limit for an inefficient query is 1,000. If it returned 1,000 instead, it would not be considered inefficient. To summarize, with 1,000 being the default bottom threshold, no search that visits less than 1,000 entries (even if it visited 999 and returned 0) would be considered inefficient.
Here is a sample summary report event that is logged when 15 Field Engineering is set to 4:
Event Type: Information Event Source: NTDS General Event Category: Field Engineering Event ID: 1643 Date: 5/24/2003 Time: 7:24:24 PM User: NT AUTHORITY\ANONYMOUS LOGON Computer: DC1 Description: Internal event: Active Directory performed the following number of search operations within this time interval. Time interval (hours): 9 Number of search operations: 24679 During this time interval, the following number of search operations were characterized as either expensive or inefficient. Expensive search operations: 7 Inefficient search operations: 22
If you set 15 Field Engineering to 5, the summary event is logged during the garbage collection cycle, and event 1644 is generated every time an expensive or inefficient search occurs. Setting this value can provide useful information if you are running applications that regularly generate expensive or inefficient queries. Notice that this event provides details on all aspects of the search, including the client IP, authenticating user, search base DN, search filter, attributes, controls, number of entries visited, and number of entries returned. This was taken from a Windows Server 2003 domain controller. Windows 2000 does not provide quite as much detail:
Event Type: Information Event Source: NTDS General Event Category: Field Engineering Event ID: 1644 Date: 5/24/2003 Time: 7:50:40 PM User: RALLENCORP\rallen Computer: DC1 Description: Internal event: A client issued a search operation with the following options. Client: 192.168.4.14 Starting node: DC=rallencorp,DC=com Filter: (description=*) Search scope: subtree Attribute selection: cn Server controls: Visited entries: 10340 Returned entries: 1000
With the default settings, the query shown in the above event is considered both expensive and inefficient. It is expensive because it visited more than 10,000 entries. It is inefficient because it returned less than 10 percent of those entries.
You can customize what a domain controller considers expensive and inefficient by creating a couple of registry values under the HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters key. You can create a value named Expensive Search Results Threshold of type DWORD and specify the number of entries a search would need to visit to be considered expensive. Similarly, you can create a value named Inefficient Search Results Threshold of type DWORD and specify the minimum number of entries visited where a match returning less than 10 percent would be considered inefficient.