none
"More LDAP failures than successes are occuring" error

    Question

  • Hi,

    I was using the Data Collector Set "Active Directory Diagnostics" and it returned with this error on LDAP:

    More LDAP failures than successes are occuring

    Size Limit Exceeded

    So I tried to search for something like this on Bing to check what to do to troublesshot or fix the error, but I can't find anything.

    Anyone can point me in the right direction?



    Monday, December 19, 2016 4:52 PM

Answers

  • Hi Vandrey,

    Yes could be some application, even if you have exchange or lync running this could doing ldapsearch. 

    Try carrying out the checks during the offpeak hours when it is quiet and no user load, you might get different results.


    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    Tuesday, December 20, 2016 12:56 PM

All replies

  • Hi

     First check this troubleshooting article (maybe already check)

    https://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(v=ws.10).aspx

    Also please share "dcdiag","repadmin /replsum" results..


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Monday, December 19, 2016 5:47 PM
  • Burak Uğur,

    Thanks for replying. I'll read that site.

    Here are the results:

    DCDIAG

    Directory Server Diagnosis

    Performing initial setup:

       Trying to find home server...
       Home Server = SRV-AD01
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests
      
       Testing server: Primeiro-site-padrao\SRV-AD01
          Starting test: Connectivity
             ......................... SRV-AD01 passed test Connectivity
    Doing primary tests
      
       Testing server: Primeiro-site-padrao\SRV-AD01
          Starting test: Advertising
             ......................... SRV-AD01 passed test Advertising
          Starting test: FrsEvent
             ......................... SRV-AD01 passed test FrsEvent
          Starting test: DFSREvent
             ......................... SRV-AD01 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... SRV-AD01 passed test SysVolCheck
          Starting test: KccEvent
             ......................... SRV-AD01 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... SRV-AD01 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... SRV-AD01 passed test MachineAccount
          Starting test: NCSecDesc
             Error ORGANIZATIONNAME\Controladores de Dom¡nio de Empresa Somente Leitura
             doesn't have
                Replicating Directory Changes
             access rights for the naming context:
             DC=ORGANIZATIONNAME,DC=local
             ......................... SRV-AD01 failed test NCSecDesc
          Starting test: NetLogons
             ......................... SRV-AD01 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... SRV-AD01 passed test ObjectsReplicated
          Starting test: Replications
             ......................... SRV-AD01 passed test Replications
          Starting test: RidManager
             ......................... SRV-AD01 passed test RidManager
          Starting test: Services
             ......................... SRV-AD01 passed test Services
          Starting test: SystemLog
             An error event occurred.  EventID: 0x00000457
                Time Generated: 12/19/2016   16:00:39
                Event String:
                Driver WebEx Document Loader required for printer WebEx Document Loader is unknown. Contact the administrator to install the driver before you log in again.
             ......................... SRV-AD01 failed test SystemLog
          Starting test: VerifyReferences
             ......................... SRV-AD01 passed test VerifyReferences
      
      
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
      
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
      
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
      
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
      
       Running partition tests on : ORGANIZATIONNAME
          Starting test: CheckSDRefDom
             ......................... ORGANIZATIONNAME passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ORGANIZATIONNAME passed test CrossRefValidation
      
       Running enterprise tests on : ORGANIZATIONNAME.local
          Starting test: LocatorCheck
             ......................... ORGANIZATIONNAME.local passed test LocatorCheck
          Starting test: Intersite
             ......................... ORGANIZATIONNAME.local passed test Intersite

    REPADMIN /REPLSUM

    Replication Summary Start Time: 2016-12-19 16:05:24
    Beginning data collection for replication summary, this may take awhile:
      ......
    Source DSA          largest delta    fails/total %%   error
     SRV-AD-DES                14m:37s    0 /  10    0 
     SRV-AD01                  09m:04s    0 /  10    0 
     SRV-AD02                  14m:37s    0 /  10    0 
    Destination DSA     largest delta    fails/total %%   error
     SRV-AD-DES                05m:25s    0 /  10    0 
     SRV-AD01                  14m:37s    0 /  10    0 
     SRV-AD02                  09m:04s    0 /  10    0 

    Tried the same Data Collector set on the other two servers and got no warning on LDAP.

    SRV-AD01 is the primary DC and holds all FSMO's.


    Monday, December 19, 2016 6:05 PM
  • Replicating Directory Changes
             access rights for the naming context:

             DC=ORGANIZATIONNAME,DC=local >>> Try that one for related error;

    https://mpgnotes.wordpress.com/tag/error-nt-authorityenterprise-domain-controllers-doesnt-have-replicating-directory-changes-in-filtered-set-access-rights-for-the-naming-context-dcforestdnszonesdcdomainxxxdcxxx-security-permi/


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Monday, December 19, 2016 6:13 PM
  • Burak Uğur,

    As the site you sent says: "This error not`s important if you don’t want to implement RODC"

    I don't have any and don't plan to use RODC servers in my organization...

    You think that it is related to the LDAP problem?


    PS: Using the AD Replication Status Tool, it reports no errors.
    Monday, December 19, 2016 6:24 PM
  • doesn't have

                Replicating Directory Changes
             access rights >>> It's seems to an permission error and have on Dcdiag as you see.if you don't have RODC it is not important but you want solve you should manually  fix it.just follow the steps on article.

    Note:Also there isn't any error replication issues on your replication summary...


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Monday, December 19, 2016 7:04 PM
  • Burak Uğur,

    I did the manual fix today, but I have to wait to restart the server.

    About the LDAP problem... can't find an answer nowhere...

    Tuesday, December 20, 2016 10:42 AM
  • Hi Vandrey,

    I dont think DC is having issues with LDApSearch, this is by default when the LDAPsearch is exceeded over 1000 limit, way to get around is to follow this link.

    http://mcvictech.blogspot.co.uk/2013/02/override-active-directory-1000-row.html

    Hope this helps.


    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    Tuesday, December 20, 2016 12:25 PM
  • JimmySal,

    Thanks for replying.

    I'm checking now at Server Performance Advisor.

    Got this errors there:

    SRV-AD-DES

    Directory Search - Possible misuse of PDNT index

    Kerberos Protocol - High error rate

    SRV-AD01

    Atypical TCP/IP Traffic from Active Directory

    Directory Search - Search client using too much CPU

    Kerberos Protocol - High error rate

    Service Principal Name Missing

    Maybe there is some application on my organization making this mess...

    Thanks anyway!

    Tuesday, December 20, 2016 12:43 PM
  • Hi Vandrey,

    Yes could be some application, even if you have exchange or lync running this could doing ldapsearch. 

    Try carrying out the checks during the offpeak hours when it is quiet and no user load, you might get different results.


    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    Tuesday, December 20, 2016 12:56 PM
  • Hi,

    Just want to confirm the current situations.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 26, 2016 3:45 AM
    Moderator