This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 32%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKA%3C/text%3E%3C/svg%3E)
Is there any mechanism to log all LDAP operation details for Active Directory on the domain controllers (preferably in one place)? I know you can turn on diagnostic logging for queries, but I want to see things like modify operations and what attributes are being modified along with the return codes back to the clients as well as bind calls with the actual DN string being sent by the client. AD Insight (the SysInternals tool) did some of that, but it was meant to be run at the client end, not the domain controller. I've tried turning on various options in the NTDS Diagnostics registry key, but I don't get anything that seems useful. Google searches haven't turned up much other than the query logging. Even if it's a third party tool, I'm just looking for anything that can give me the data. I'd use Wireshark, but it can be hard to grab the data on a busy server and there's no way to use it when the client is using LDAPS with an encryption cipher that can't be decrypted with the private key alone.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 98%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
On domain controllers, several techniques exist to log all LDAP activity information for Active Directory. Here are several possibilities:
Let me know if you have any queries.
I appreciate the suggestions, but I've already covered all of them in my post.
Hello Alan,
Before that "answer" from Amit, I was pondering whether there would be any value in posting a "probably not practicable" response.
As far as I know, there are no "off-the-shelf" solutions that would meet your needs. The only ways I know of to access that type of information are to "instrument" the LDAP server via debug mechanisms or to "proxy" the LDAP server - neither method is anywhere near appropriate for a production system.
Gary
That was kind of my thought as well. It just seems odd that if Active Directory is ostensibly built to function as an LDAP server that Microsoft wouldn't have given us a way to log and audit what the server is doing from an LDAP perspective. I'm just trying to reach as definitive of a conclusion as I can that there's nothing out there that can do that before I make that my standard answer when trying to troubleshoot LDAP related issues.
Hello Alan,
The Event Tracing for Windows (ETW) MOF provider "Active Directory Domain Services: Core" provides some (but not all) of the information that you are looking for. Perhaps worth checking it out.
logman start gary -ets -p "Active Directory Domain Services: Core" -o adequate.etl
[perform some operations]
logman stop gary -ets
Gary
Thanks. We've tried to use that method in the past as well. That does give me some data, but definitely not all (and what it does give is often just the top percentage of whatever activity it managed to grab). It also requires very short term logging and often can take hours to complete the processing of the output with just a 5 minute capture time (at least in our environment).
Hello Alan,
As you have probably already concluded, it is very unlikely that there is any "suitable for use on a production AD server" data gathering technique/technology that will meet your requirements (whatever they are - that is still rather unclear).
The "Active Directory Domain Services: Core" provider does not give the authenticated client identity, modified attribute names/values, extended controls, etc. but it does give a pretty accurate view of the LDAP activity.
What do you mean by "top percentage of whatever activity it managed to grab"? With suitable buffer size/numbers, the provider should be able to record all activity.
What processing are you performing on the recorded data that takes hours to complete? The provider can log to a sequence of files, so one can just process the events in manageable chunks.
The data captured for a "typical" operation seems to be about 1 kilobyte in size (4 events: LDAP request start/stop, operation start/stop) - capturing "everything" (if possible) would generate much more data.
Gary
What I'm looking to have is essentially what you get with NTDS diagnostics turned on for expensive searches (which can be configured to basically log every search if you set the time limit down to 1ms) only to include BIND and MODIFY LDAP operations. What I've found is that domain controllers only log authentication attempt events (success or failure) in the Security log if the user account is valid, and it only logs it as doman\user. So that doesn't help me troubleshoot when applications are sending an invalid DN for the user because it doesn't show up in the security log. I think there might be logging for object modification, but my recollection, again, is that anything like that does not actually log unless the object is valid and only indicates a failure if it's an access issue rather than something like an attempt to update an attribute that's not in schema or that's violating schema syntax. Essentially, I want a single log that captures every LDAP request and response that comes in, something that has history and can be forwarded to something like Splunk for more intensive searching. I have that in every other directory product that we use. I'm just severely limited in helping to troubleshoot anything when it comes to LDAP calls in AD.
If I run the default AD Diagnostics event collector in Perfmon, it runs for 5 minutes and then processes the data. Historically on our prod servers, this can end up taking hours to finish processing the output so that we can see the report as it chews up resources on the server, slowing everything down. Looking at a sample report, though, all the fields indicate they are limited to the top 10 or 25 results. Things like Directory Modify looks to be mainly DS-based rather than LDAP specific, and it gives no information about what is being modified. The bind sections just tell you how many and how long they took. The search section has the most information, but I already know how to get that information in the event logs. I mainly use that report to look at how things are impacting performance on the box because that's often the only useful data that it offers.
I appreciate the pointers. I'll see if there's anything I can tweak about what actually gets collected or how to make the report give more information than just the top values. I think, though, that it really sounds like there isn't anything specifically for AD that will get me the kind of logging or data view that I'm looking for.
