Error processing control

Question

Hi all,

One of my applications is experiencing an issue connecting to the domain controller. They are encountering the following error in the application: [LDAP: error code 12 - 00000057: LdapErr: DSID-0C090D34, comment: Error processing control].

Could you please guide me on what errors to check on the Domain Controller? Also, how can I increase the MaxResultSetSize on the Domain Controller? I have 10 DCs, and the application is connecting to one DC. If I increase the MaxResultSetSize on one DC, will that be sufficient, or do I need to increase it on all DCs?

Answer 1

You's situation can happen if the server does not support the control or if the control is not appropriate for the operation type.

1. Verify Supported Controls: Ensure that the domain controller supports the control being requested. You can check the supported controls in the rootDSE.
2. Check Parameters: Make sure that the parameters being passed with the control are correct and appropriate for the operation.
3. Review Event Logs: Look at the event logs on the domain controller for any additional error messages or warnings that might provide more context.

   Increasing MaxResultSetSize:

   To increase the MaxResultSetSize on a Domain Controller, you can use the ntdsutil tool. Here are the steps:
   1. Open Command Prompt: Run as Administrator.
   2. Start ntdsutil: Type ntdsutil and press Enter.
   3. Enter LDAP Policies: Type ldap policies and press Enter.
   4. Connect to Server: Type connections and press Enter, then connect to server <YourServerName> and press Enter.
   5. Set MaxResultSetSize: Type q to return to the LDAP policies menu, then set MaxResultSetSize to <NewSize> and press Enter.

Answer 2

Hello,

The error you’re encountering, [LDAP: error code 12 - 00000057: LdapErr: DSID-0C090D34, comment: Error processing control] , indicates an issue with LDAP control processing, which might be caused by several factors, such as invalid LDAP controls being sent, insufficient permissions, or various other misconfigurations.

Steps to Check Errors on the Domain Controller:

1. Check Event Logs:
   • Open the Event Viewer on the domain controller.
   • Navigate to Windows Logs > Directory Service.
   • Look for any errors or warnings that might be related to LDAP or the specific application.
2. Verify LDAP Bind Permissions:
   • Ensure that the account used by the application to bind to the LDAP server has the necessary permissions.
3. Review Application Configuration:
   • Check the application’s LDAP configuration. Ensure that it is correctly pointed to the appropriate DN (Distinguished Name), and that any LDAP controls or filters are correctly formatted.
4. Inspect Network Connectivity:
   • Verify network connectivity between the application server and the domain controller.

Increasing the MaxResultSetSize:

The MaxResultSetSize is a parameter that controls the maximum number of entries returned in a search result set. Increasing this value can help if the application is hitting the limit during its queries.

• Open ADSI Edit and connect to the Configuration container.
• Navigate to CN=Query-Policies,CN=Directory Service,CN=Windows NT, CN=Services,CN=Configuration,DC=<YourDomain>, DC=<com>.
• Right-click on CN=Default Query Policy and select Properties.
• Look for the maxResultSetSize attribute and modify its value accordingly.

If your application is configured to connect to any DC in your environment, it is advisable to increase the MaxResultSetSize on all Domain Controllers to ensure consistency across your environment.

I hope the information above is helpful.

Best Regards,

Yanhong Liu

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.