none
Problem when LDAP-Querying the GC

    Question

  • Hello,

    in our Environment we have three Domains in one Active Directory Forests. Each Domain has two DCs. In one Domain i want to configure an Webapplication to (ldap) query the global catalog for Informations from another Domain.

    For testing purposes i tried to query by simple Linux-Ldapsearches, which works fine most of the time. But there is my Problem. It does not work reliable, because sometimes the ldapsearches take about 1 Minute. These long running Queries seems to be the  reason which makes my Webapplication time out.

    My assumption is, that these long running queries appear, when the DCs from this Domain replicate (I checked the times with repadmin /showrepl and it looks like there is an coherence.)

    Our Windows Guy cant help me out, so i hope somebody here does have experience in this field. Is it ok to use the Global Catalog for this requirement? Why is this happening? Has somebody ideas for further troubleshooting? It would be nice to use the GC, because if this works i do not have to use an LDAP-Proxy for this.

    best regards

    Stefan


    Wednesday, November 23, 2016 10:13 AM

All replies

  • Hello,

    First - Global Catalog is the same throughout the forest. This means that if you only want to query the GC, you may as well query DCs in your own domain or even in your own location. 

    Second - I have worked with LDAP queries on multiple occasions and have never noticed any correlation with AD replication. Answering LDAP query and performing replication are two separate activities that should not affect each other. So, I think that the most likely reasons for long response time are either a query that has too wide scope (or filter with a wildcard in the beginning) or querying the wrong DC. Can you try to check if you query the same or different DC when you have good and bad response times and also check if the query is the same in these cases?

    /Regards

    Wednesday, November 23, 2016 11:51 AM
  • I don't recall seeing an LDAP query affected by replication. I agree that you should check which DC is being contacted when the query takes a long time, to make sure it is local. I assume that all DC's in your forest are GC's. You just need to specify the GC port and let the system decide the best specific DC/GC to contact.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, November 23, 2016 1:35 PM
  • Hi Stefan,

    I am checking how the issue going, if you still have any questions, please feel free to contact us.

    And if the replies as above are helpful, we would appreciate you to mark them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    Appreciate for your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, December 1, 2016 8:10 AM
    Moderator