How to track incoming LDAP queries to Domain Controllers?

    Question

  • Hello,

    I just found out that the previous Active Directory admin has enabled a custom LDAP query policy and set the MaxPageSize value to 5000 (default 1000). It's not known why this change was made in the first place. After my research I learned that raising this value allows client applications to receive larger LDAP responses from the Domain Controllers.

    The customer's IT has no idea which application this value was changed for, but I'm sure nobody changed this setting for no reason.

    To further investigate this, I would like to gather a list of all applications making LDAP queries to our Domain Controllers. What would be the best way to accomplish this? Our Domain Controllers are running WS2008R2 and WS2012/WS2012R2.

    Monday, March 6, 2017 3:58 PM

All replies

  • Hi

     Refer to this:

    https://blogs.technet.microsoft.com/askpfeplat/2013/12/15/domain-and-dc-migrations-how-to-monitor-ldap-kerberos-and-ntlm-traffic-to-your-domain-controllers/

    Or use wireshark/Netmon to capture the traffic to analyze the packets.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    • Proposed as answer by Todd Heron Monday, March 6, 2017 10:55 PM
    Monday, March 6, 2017 4:01 PM
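As an added illustration of the logging approach the linked article describes (this is not code from the thread or from Microsoft), the snippet below summarises which client IPs are sending LDAP searches to a Domain Controller by reading the Directory Service log's event 1644 entries. It assumes that Field Engineering diagnostic logging is already enabled with thresholds low enough that every search is written as a 1644 event, that the script is run with rights to read that log, and that the event message contains "Client: <ip>:<port>" and "Filter: <ldap filter>" lines (the regexes below rely on that layout and only handle IPv4 clients).

```powershell
# Added example: group event 1644 (LDAP search logged by Field Engineering
# diagnostics) by client IP so the applications behind the queries can be found.
# Assumptions: 1644 logging is already on, and we have read access to the log.
param(
    [string]$DomainController = $env:COMPUTERNAME,   # assumption: run on the DC itself
    [int]$Hours = 24                                 # look-back window
)

$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Directory Service'; Id = 1644; StartTime = $since }
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop

# Pull the client address and the search filter out of each message.
# Assumption about the message layout: "Client:" is followed by ip:port and
# "Filter:" by the LDAP filter string; only IPv4 clients are matched here.
$rows = foreach ($e in $events) {
    $client = if ($e.Message -match 'Client:\s*(\d{1,3}(?:\.\d{1,3}){3}):\d+') { $Matches[1] } else { 'unknown' }
    $ldapFilter = if ($e.Message -match 'Filter:\s*(.+)') { $Matches[1].Trim() } else { '' }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Client      = $client
        Filter      = $ldapFilter
    }
}

# One line per client: search count, how many distinct filters it used, and a
# sample filter. The filter shapes are usually enough to recognise the product.
$rows |
    Group-Object Client |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Client          = $_.Name
            Searches        = $_.Count
            DistinctFilters = ($_.Group.Filter | Sort-Object -Unique).Count
            SampleFilter    = $_.Group[0].Filter
        }
    } |
    Format-Table -AutoSize
```

Resolve each client IP to a host and check what runs there; a client whose filters return thousands of entries per search is the likely reason MaxPageSize was raised.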
  • Years ago I did tests where my query retrieved about 3000 rows. I found the best performance with a page size of 200. Larger values resulted in slower response. That was just my experience, but the important point is to enable paging (perhaps by assigning a page size). I decided the actual value was less important.

    In your case, maybe the setting was supposed to be temporary, maybe as a test, and no one remembered to restore the default.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Proposed as answer by Todd Heron Monday, March 6, 2017 10:55 PM
    Monday, March 6, 2017 4:16 PM