Link to home
Start Free TrialLog in
Avatar of Carl Billington
Carl BillingtonFlag for Australia

asked on

Find / List LDAP / connections to Windows 2003 Domain Controller

My goal is to retire our old Windows 2003 DC however, we have a large number of network devices that could be communicating with this server.
So rather than switching it off and figuring out what has broken, can someone please tell me the best way to find all connections being made to the old DC? Presumably these would be just LDAP connections. I am not interested in DNS queries.
Thanks for your help.
Avatar of Amit
Flag of India image

That's bit complicated task. First, what I do, I change the Weight and Priority of a Domain Controller. This way, Stop user or member server to use it as first hop. Though it is available, however it will work only, if all other DC's are down.

How to do it:


Next, I enable netlogon logging after applying above settings. Then review the logs for any traffic. If you still see traffic, 99% someone have hardcoded the DC IP or Name. Just run below cmd

nltest /dbflag:0x2080ffff

If you still want to drill down more, we can use perfmon to dissect the traffic to DC. Here is one article, I used to decom one of my domain.

note: try to keep .etl size small. else it won't open with excel.

Let me know, if that helps.
Avatar of Dirk Kotte
Dirk Kotte
Flag of Germany image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of btan

the tracking of ldap can be done (normally) by Server Performance Advisor (SPA) for Windows 2003 or Data Collector sets
Specifically, set performance counter on the server, run the collection and check the report for ldap queries
But do note, such log can grows very fast for heavily used AD with a 5 minute trace grew ~100MB so maybe consider at max 15 min and monitor the log folder location does not hit the CPU to hard. See example,
LDAP requests. There's one more anomaly-we should investigate. In the Summary section of Figure 1, if you click the Top Client hotlink, SPA displays the Clients with the Most CPU Usage subsection of the LDAP Request section of the report. Sure enough, the client at is the prime offender.

When you expand the entry for that IP address, SPA displays a summary of the operations the client performed and the percentage of CPU resources each operation consumed

Or a tool from sysinternals for LDAP real-time monitoring tool such as ADInsight
real-time monitoring tool aimed at troubleshooting Active Directory client applications. Use its detailed tracing of Active Directory client-server communications to solve Windows authentication, Exchange, DNS, and other problems.

Avatar of Carl Billington


Exactly as described.