
I'm working on planning a DC rebuild, and I'm trying to be as thorough as possible before demoting the old one. Is there any way to view all LDAP connections to a DC either by source IP or hostname?

Geoff

1 Answer


If you're trying to be as thorough as possible, keep in mind that LDAP is not the only service a domain controller offers. You could have 100 Linux servers that are configured to use that domain controller as a DNS resolver, for example. (Or NTP time, etc.)

But to more directly answer your question, there are several techniques that you could employ with varying degrees of success to find clients who are performing LDAP binds against this domain controller.

  • The NTDS\LDAP Client Sessions performance counter. (The limitations of this are that this does not help you identify who is using LDAP, just that someone is. Also keep in mind that this counter will still show a few connections because a DC will maintain several LDAP connections even to itself.)
  • The Active Directory Diagnostics Data Collector Set. (It's also in perfmon and it is awesome.)
  • Network Monitor/Wireshark.
  • If you use Windows Firewall, then it has the ability to log all connections if you configure it to do so.
  • Change the value of the registry entry HKLM\SYSTEM\CurrentControlSet\services\NTDS\Diagnostics -> 15 Field Engineering to 5, and then set HKLM\SYSTEM\CurrentControlSet\services\NTDS\Parameters -> Expensive Search Results Threshold to 1. This "tricks" AD into thinking that literally every LDAP query is an "expensive" one, because a value of 1 means "if even 1 object is touched during this query, then consider it expensive." These events will be logged to the Directory Services log, and they include client IP addresses.

In the same vein as my first paragraph, also keep in mind that just because no one is binding to your LDAP server doesn't even mean that no one is using LDAP! LDAP also has a UDP component, often referred to as cLDAP (connectionless LDAP), that operates on UDP 389. This does not count as a bind; however, Windows clients still use this during the domain controller locator process.

Ryan Ries
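As an added example (not part of the answer above), here is a PowerShell script that applies the registry change the answer describes, collects the resulting Directory Service events for a while, summarizes them by client IP with a best-effort reverse lookup, and then restores the previous values. It assumes it runs elevated on the DC, that the search events carry ID 1644, and that the client address appears among the event's inserted strings as `ip:port`.

```powershell
# Added example: turn on expensive-search logging, collect, summarize clients, restore.
# Assumptions: elevated session on the DC; event ID 1644 = Directory Service search
# event; the client address is one of the event's inserted strings, formatted ip:port.
$diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# Remember the current settings so they can be put back afterwards.
$oldLevel     = (Get-ItemProperty -Path $diag -Name '15 Field Engineering').'15 Field Engineering'
$oldThreshold = (Get-ItemProperty -Path $params -Name 'Expensive Search Results Threshold' `
                 -ErrorAction SilentlyContinue).'Expensive Search Results Threshold'

# Values from the answer: logging level 5, threshold 1 (every search counts as expensive).
Set-ItemProperty -Path $diag   -Name '15 Field Engineering' -Value 5 -Type DWord
Set-ItemProperty -Path $params -Name 'Expensive Search Results Threshold' -Value 1 -Type DWord

$start = Get-Date
Write-Host "Search logging enabled at $start; collecting for 10 minutes..."
Start-Sleep -Seconds 600

# Pull the search events written since logging was enabled (assumed event ID 1644).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644; StartTime = $start }

# Extract the client address, stripping the port (handles [ipv6]:port too).
$clients = foreach ($e in $events) {
    $addr = $e.Properties | ForEach-Object { $_.Value } |
            Where-Object { $_ -match '^\[?[0-9A-Fa-f\.:]+\]?:\d+$' } | Select-Object -First 1
    if ($addr) { ($addr -replace ':\d+$', '') -replace '^\[|\]$', '' }
}

# Summarize by source IP and add a best-effort hostname via reverse DNS.
$clients | Group-Object | Sort-Object Count -Descending | ForEach-Object {
    $name = try { [System.Net.Dns]::GetHostEntry($_.Name).HostName } catch { '(no PTR)' }
    [pscustomobject]@{ ClientIP = $_.Name; Hostname = $name; Searches = $_.Count }
} | Format-Table -AutoSize

# Restore the original values; drop the threshold entirely if it did not exist before.
Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value $oldLevel -Type DWord
if ($null -ne $oldThreshold) {
    Set-ItemProperty -Path $params -Name 'Expensive Search Results Threshold' -Value $oldThreshold -Type DWord
} else {
    Remove-ItemProperty -Path $params -Name 'Expensive Search Results Threshold'
}
```

Level 5 logging at threshold 1 is noisy, so keep the collection window short and watch the Directory Service log size while it runs.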