Jay Thomas (United Kingdom) asked:
LDAP troubleshooting

Hi all. I am looking for some tips on analysing or tracing vast amounts of LDAP traffic on our DCs. I realise this is a general type of question and there is no one specific right answer, but it's high-level advice I'm looking for.
For example, I have downloaded a list of common LDAP log-entry responses so I can view logs and understand what the entries mean, but I don't know if the number of entries coming through is normal, and I know that you won't know either because I guess it is very much based on environment. The type of advice I'm looking for confirmation on is such as:
1. Can I, in theory, reduce the LDAP queries on certain DCs by removing application partitions from DCs belonging to sites that the application isn't used from? I believe the install of certain apps was blatted across all DCs without prior investigation. I don't know if I can remove certain application partitions from individual DCs without removing all of the partitions and of course causing me a major headache and breaking the app.
2. Any idea on where to start looking at applications doing LDAP queries in general? For instance, we use Iron ports with LDAP lookup for authorisation to get to the internet. But if I go to the internet and get authorised, why am I seeing a ton of subsequent requests for me each time I go to the internet? Surely I have authenticated once. I guess the question here is this: are LDAP queries 3rd-party specific, so it could be just bad coding? I'm wondering if somehow the Iron port isn't caching the response, or loses the connection (again, just some viewpoints).
3. Any tips on using Network Monitor to analyse LDAP traffic?
So like I said, these are environment specific. I am not looking for a magic bullet, one response suits all. Just some general guidance on troubleshooting LDAP queries.
Thank you for reading.
JT
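As a starting point for question 2 (finding which clients generate the LDAP load and whether they re-ask the same question without caching the answer), here is an added example that is not part of the thread: a small Python script that reads a constructed capture summary of LDAP search requests and flags clients that repeat an identical search within a short window. The line format, addresses, DNs and filters are assumptions made up for the example; a real Network Monitor export would need its own parser.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: one LDAP search request per line as it might be summarised
# from a capture (time, client IP, server port, base DN, filter). All values are made up.
SAMPLE_CAPTURE = """\
10:00:01.100 10.1.1.50 389 DC=corp,DC=example (sAMAccountName=jthomas)
10:00:01.350 10.1.1.50 389 DC=corp,DC=example (sAMAccountName=jthomas)
10:00:02.010 10.1.1.50 389 DC=corp,DC=example (sAMAccountName=jthomas)
10:00:05.400 10.1.1.50 3268 DC=corp,DC=example (sAMAccountName=jthomas)
10:00:07.000 10.1.1.51 389 DC=corp,DC=example (objectClass=printQueue)
10:01:30.000 10.1.1.51 389 DC=corp,DC=example (objectClass=printQueue)
10:02:00.000 10.1.1.52 389 DC=app,DC=corp,DC=example (cn=config)
"""

def parse_capture(text):
    """Turn summary lines into records; lines that do not have five fields are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue
        ts, client, port, base_dn, ldap_filter = parts
        records.append({"time": datetime.strptime(ts, "%H:%M:%S.%f"),
                        "client": client, "port": int(port),
                        "base": base_dn, "filter": ldap_filter})
    return records

def find_repeated_queries(records, window_seconds=10, threshold=3):
    """Return {(client, port, base, filter): total} for searches issued at least
    `threshold` times within `window_seconds`. A client re-asking the same
    question that fast usually is not caching the answer it already received."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["client"], r["port"], r["base"], r["filter"])].append(r["time"])
    suspects = {}
    for key, times in by_key.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                suspects[key] = len(times)
                break
    return suspects

def queries_per_client(records):
    """Total search requests per client address, busiest first."""
    return Counter(r["client"] for r in records).most_common()

if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    print(queries_per_client(recs))
    print(find_repeated_queries(recs))
```

Port 3268 is kept as part of the key so that global catalog lookups are counted separately from the domain partition on 389.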
ASKER CERTIFIED SOLUTION
gheist (Belgium)
Jay Thomas (asker):
Thank you gheist. Just so I understand.
Response to 1. So it is possible that some 3rd parties do not understand AD sites. Is this why we populate that part of the application with the LDAP CN? Where does it resolve this from, from which DNS SRV record?

Response to 2. You are suggesting using LDAP query on the default port 389 and LDAP response on a different port number then? Also, I'm not sure what you mean by "rest of referral chasing is done between DCs". If my Iron port app targets the LDAP CN, does this mean that the query could be being bounced around different DCs in the site? Would this happen if the query hit DC 1, but DC 1 did not have the application partition and hence the referral? Have I understood this correctly?

Response to 3. So look at netmon from a DC that does not have the application partition to see what it does with the query / where it sends it to? One last point, why would you send queries to the GC in particular?

Appreciate your help, I really do.
Thank you

JT
Hi all. Can anyone suggest any answers to my last entry please?
1. DC in SITE will return its own address first when looking for the full domain (you can use IPs too).
2. Referrals are described in the LDAP RFC. It is one Bing search ahead (try 'AD global catalog port number').
3. You need to get more familiar with how LDAP (or TCP sockets for that sake) works.
2nd response didn't add any value.
Indeed it was meant to.