Title: LDAP performance

The one that comes on the XP CD. :)

C:\>netstat -o

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    ericslaptop:2832        someServer:1025  ESTABLISHED     4056
  TCP    ericslaptop:2843        anotherServer:1025  ESTABLISHED     4056

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, June 14, 2005 10:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP performance

 

Not on any of my versions of netstat, boss. Which version do YOU have? :-)

Windows Server 2003 sp1

C:\>filever c:\windows\system32\netstat.exe
----- W32i   APP ENU   5.2.3790.1830 shp     35,840 03-24-2005 netstat.exe

Windows Server 2003 RTM

C:\>filever c:\windows\system32\netstat.exe
----- W32i   APP ENU      5.2.3790.0 shp     31,744 03-25-2003 netstat.exe

Windows XP sp2

C:\>filever c:\windows\system32\netstat.exe
----- W32i   APP ENU   5.1.2600.2180 shp     36,864 08-04-2004 netstat.exe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, June 14, 2005 1:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP performance

Netstat -* will yield this info.

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, June 14, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP performance

 

Great article joe.  It definitely sounds like it could be relevant in our scenario.  On that note, do you know of any perf counter that can tell me how many active ports above 1024 are being used at any given time?

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 13, 2005 10:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP performance

What errors specifically are the clients seeing? Is the server returning any extended information or are the connections just dying on the vine? And if so are you sure? As Eric indicated, running through a trace would probably be mucho helpful.

What type of client? If Windows, this KB may seem odd, but check out http://support.microsoft.com/?id=836429

What you are describing sounds like something I heard from another friend of mine doing some auth testing and the KB above ended up being what the issue was related to.

I am assuming they are most likely doing simple binds? If so, possibly the app developers may want to look at LDAP_OPT_FAST_CONCURRENT_BIND available in Windows Server 2003 AD which allows multiple binds over a single connection and should be faster overall. Read more here

http://msdn.microsoft.com/library/default.asp?url=

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, June 13, 2005 7:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP performance

We're running into what appears to be some performance issues.  We have several AD servers that we dedicate to doing LDAP authentications for various applications.  We recently added a new application that performs a large number of binds.  The day we cut the application over to AD LDAP the application owners began complaining that an average of 1 to 2 LDAP requests are being dropped every minute.  Here are the details:

Application:  Issues an average of 100 binds per second.  Average of 50 queries per second using filter "(samaccountname=X)" and requesting the DN as the return.

HW:  2 Domain Controllers.  Each is quad proc 2.4GHZ.  Each has 4GB of RAM with the 3GB switch set.

I ran this through ADSizer and it recommended one server with about half the capacity that is built into each of these servers.

I've run several performance checks on these machines and it appears that they are barely breaking a sweat in terms of available resources.  I've tweaked our default LDAP policies to add additional queries per proc and allowed larger buffers.  But the app owner is still complaining.

The network team has recommended that I increase the TCP listening queue on the servers.  They suspect this because they are seeing a few syns that never get acked.  I'm not familiar with how to do this in Windows and am not sure if that is really something I should be concerned with.  Can anyone out there vouch for this theory?  Or perhaps offer another theory as to why the DCs seem to not keep up with the load?

Thanks

One other thing, I set the LDAP diags to two and found the following warning popping up from time to time:

**************************************************************************************************
Event Type:     Warning
Event Source:   NTDS LDAP
Event Category: LDAP Interface
Event ID:       1216
Date:           6/13/2005
Time:           6:34:37 PM
User:           N/A
Computer:       ******************
Description:
Internal event: An LDAP client connection was closed because of an error.
 
Client ID:
427107
 
Additional Data
Error value:
995 The I/O operation has been aborted because of either a thread exit or an application request.
Internal ID:
c0602ec

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

**************************************************************************************************
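
For the question raised in the thread about counting active ports above 1024, here is an added example (not part of the original messages) that parses `netstat -o` output in the layout shown above and counts local ports above 1024 by connection state and by PID. The sample rows, host names and PIDs are constructed; capture real output with `netstat -ano` so that ports stay numeric.

```python
from collections import Counter

# Constructed sample in the `netstat -o` layout shown in the thread
# (host names, ports and PIDs are made up for illustration).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    dc01:389               appsrv1:3120           ESTABLISHED     512
  TCP    dc01:389               appsrv1:3121           TIME_WAIT       0
  TCP    dc01:2832              someServer:1025        ESTABLISHED     4056
  TCP    dc01:2843              anotherServer:1025     ESTABLISHED     4056
  TCP    dc01:2850              anotherServer:389      TIME_WAIT       0
  TCP    [::1]:49200            [::1]:389              CLOSE_WAIT      4056
  UDP    dc01:1434              *:*                                    880
"""

def parse_netstat(text):
    """Yield (proto, local_port, state, pid) for each row of `netstat -o` output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = fields[0], fields[1]
        # rsplit keeps bracketed IPv6 literals such as [::1]:49200 intact
        port_text = local.rsplit(":", 1)[-1]
        if not port_text.isdigit():
            continue  # service name instead of a number: rerun netstat with -n
        # UDP rows have no State column; with -o the PID is always the last field
        state = fields[3] if proto == "TCP" and len(fields) >= 5 else ""
        yield proto, int(port_text), state, fields[-1]

def high_port_usage(text, threshold=1024):
    """Count local ports above `threshold`, grouped by state and by PID."""
    by_state, by_pid = Counter(), Counter()
    for proto, port, state, pid in parse_netstat(text):
        if port > threshold:
            by_state[state or proto] += 1  # UDP rows are counted under "UDP"
            by_pid[pid] += 1
    return by_state, by_pid

if __name__ == "__main__":
    states, pids = high_port_usage(SAMPLE)
    print("by state:", dict(states))
    print("by PID:  ", dict(pids))
```

A TIME_WAIT count that keeps growing between samples, rather than the ESTABLISHED count, is the figure to watch when an application opens a new connection for every bind.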
