
I'm working on planning a DC rebuild, and I'm trying to be as thorough as possible before demoting the old one. Is there any way to view all LDAP connections to a DC either by source IP or hostname?

Geoff
  • Possible duplicate of [How do you trace/debug LDAP connections against Active Directory?](http://serverfault.com/questions/280042/how-do-you-trace-debug-ldap-connections-against-active-directory) – Ryan Bolger Feb 25 '16 at 19:43
  • It's not clear to me why you think this is necessary. If you're replacing this DC, and the appropriate DNS records are created for the new DC, and the DNS client settings on the domain members are updated/configured correctly, why do you need to know how many LDAP calls there are to the old DC? – joeqwerty Feb 25 '16 at 19:48
  • Do you have applications or non-domain joined hosts that submit LDAP queries to this DC? – joeqwerty Feb 25 '16 at 19:52
  • @RyanBolger I think the ADInsight tool from that link might be able to get what I need. – Geoff Feb 25 '16 at 20:00

1 Answer


If you're trying to be as thorough as possible, keep in mind that LDAP is not the only service a domain controller offers. You could have 100 Linux servers that are configured to use that domain controller as a DNS resolver, for example. (Or NTP time, etc.)

But to more directly answer your question, there are several techniques that you could employ with varying degrees of success to find clients who are performing LDAP binds against this domain controller.

  • The NTDS\LDAP Client Sessions performance counter. (The limitations of this are that this does not help you identify who is using LDAP, just that someone is. Also keep in mind that this counter will still show a few connections because a DC will maintain several LDAP connections even to itself.)
  • The Active Directory Diagnostics Data Collector Set. (It's also in perfmon and it is awesome.)
  • Network Monitor/Wireshark.
  • If you use Windows Firewall, then it has the ability to log all connections if you configure it to do so.
  • Change the value of the registry entry HKLM\SYSTEM\CurrentControlSet\services\NTDS\Diagnostics -> 15 Field Engineering to 5, and then set HKLM\SYSTEM\CurrentControlSet\services\NTDS\Parameters -> Expensive Search Results Threshold to 1. This "tricks" AD into thinking that literally every LDAP query is an "expensive" one, because a value of 1 means "if even 1 object is touched during this query, then consider it expensive." These events will be logged to the Directory Services log, and they include client IP addresses.

In the same vein as my first paragraph, also keep in mind that just because no one is binding to your LDAP server doesn't even mean that no one is using LDAP! LDAP also has a UDP component, often referred to as cLDAP (connectionless LDAP), that operates on UDP 389. This does not count as a bind; however, Windows clients still use this during the domain controller locator process.

Ryan Ries
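A PowerShell helper for the registry technique in the last bullet of the answer, added here as an example and not part of the answer or of any Microsoft tooling. It assumes that the Field Engineering setting causes event ID 1644 to be written to the Directory Service log with a "Client:" field of the form address:port, and that the defaults to restore afterwards are 0 and 10000; verify both against your own DC before relying on the summary.

```powershell
# Added example (not from the original answer). Run elevated on the DC being retired.
# Assumption: Field Engineering level 5 logs event ID 1644 to the Directory Service
# log, and each 1644 message carries a "Client: <address>:<port>" field.

$diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Enable-LdapClientLogging {
    # Treat every search as "expensive" so the client address is recorded.
    Set-ItemProperty -Path $diag   -Name '15 Field Engineering'               -Value 5 -Type DWord
    Set-ItemProperty -Path $params -Name 'Expensive Search Results Threshold' -Value 1 -Type DWord
}

function Disable-LdapClientLogging {
    # Restore the defaults (assumed 0 and 10000) once the survey is finished;
    # leaving this on floods the log and costs CPU on a busy DC.
    Set-ItemProperty -Path $diag   -Name '15 Field Engineering'               -Value 0     -Type DWord
    Set-ItemProperty -Path $params -Name 'Expensive Search Results Threshold' -Value 10000 -Type DWord
}

function Get-LdapClientSummary {
    # Summarise 1644 events by source address, with a best-effort reverse lookup.
    param([datetime]$Since = (Get-Date).AddHours(-24))

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1644; StartTime = $Since
    } -ErrorAction SilentlyContinue

    $events |
        ForEach-Object {
            if ($_.Message -match 'Client:\s*(?<addr>\S+)') {
                # Strip the trailing :port; works for IPv4 and for IPv6 literals.
                $matches['addr'] -replace ':\d+$', ''
            }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'ClientIP'; e = { $_.Name } },
                      Count,
                      @{ n = 'Host'; e = {
                          try { [System.Net.Dns]::GetHostEntry($_.Name).HostName } catch { 'n/a' }
                      } }
}

# Usage: Enable-LdapClientLogging; wait a representative period (cover any
# weekly/monthly jobs); Get-LdapClientSummary | Format-Table; Disable-LdapClientLogging
```

Because cLDAP (UDP 389) never binds and is not logged this way, pair the summary with a packet capture or Windows Firewall connection logging before treating the list as complete.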