AD DS or AD LDS responds slowly to complex LDAP query that has a deeply nested filter on a Windows server

Applies to: Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Foundation, Windows Server 2012 R2 Datacenter

Symptoms


Assume that you have a Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 server that has the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. This server receives a complex LDAP query that has a deeply nested filter. In this situation, the search performed by AD DS or AD LDS is slow.

For instructions to collect the query processing details, refer to the links in the "More Information" section.

When you enable NTDS diagnostics event logging to have the "15 Field Engineering" value set to level 5, you may see events such as the following that report queries as inefficient:


When you run the problematic query by using the STATS control, you may receive a summary that resembles the following:

Elapsed Time: 3641 (ms)
Returned 1 entries of 5223 visited - (0.02%)
Used Filter:

Used Indices:
DNT_index:7470:N

Pages Referenced : 33578
Pages Read From Disk : 534
Pages Pre-read From Disk : 121
Pages Dirtied : 0
Pages Re-Dirtied : 0
Log Records Generated : 0
Log Record Bytes Generated: 0

The query is marked as inefficient based on the relation between objects visited and objects returned. The reason that it visits so many objects is that it does not use the best selection of indices.

Note This issue also occurs on Windows 8.1, Windows 8, and Windows 7 on computers that have the AD LDS server role installed.

Cause


This issue occurs because AD DS or AD LDS does not correctly use the defined indices in the LDAP query filter when it performs the search. Instead, it uses a generic index, such as DNT_INDEX.
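
As an added example (not part of the original article and not Microsoft's code), the following Python code parses a STATS summary like the one in the "Symptoms" section and applies the two checks this article describes: the ratio of returned to visited objects, and reliance on only a generic index such as DNT_INDEX. The function names and the thresholds `min_visited` and `max_return_ratio` are assumptions chosen for illustration.

```python
import re

# Constructed sample: the STATS summary quoted in this article (its "Used Filter" value is empty).
SAMPLE = """\
Elapsed Time: 3641 (ms)
Returned 1 entries of 5223 visited - (0.02%)
Used Filter:

Used Indices:
DNT_index:7470:N

Pages Referenced : 33578
"""

GENERIC_INDICES = {"DNT_INDEX"}  # generic index named in the "Cause" section
RETURNED_RE = re.compile(r"Returned (\d+) entries of (\d+) visited")
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z \-]*?)\s*:\s*(\d+)")

def parse_stats(text):
    """Parse a STATS summary into returned/visited counts, indices and counters."""
    stats = {"filter": "", "indices": [], "counters": {}}
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            section = None  # a blank line ends a multi-line section
        elif m := RETURNED_RE.match(line):
            stats["returned"], stats["visited"] = int(m[1]), int(m[2])
        elif line in ("Used Filter:", "Used Indices:"):
            section = line
        elif section == "Used Filter:":
            stats["filter"] += line
        elif section == "Used Indices:":
            for entry in filter(None, line.split(";")):  # tolerate ';'-separated entries (assumption)
                name, count = (entry.split(":") + ["0"])[:2]
                stats["indices"].append((name, int(count) if count.isdigit() else 0))
        elif m := COUNTER_RE.match(line):
            stats["counters"][m[1].strip()] = int(m[2])
    return stats

def assess(stats, min_visited=1000, max_return_ratio=0.10):
    """Return a list of findings; both thresholds are assumed example values."""
    findings = []
    visited, returned = stats.get("visited", 0), stats.get("returned", 0)
    if visited >= min_visited and returned / visited < max_return_ratio:
        findings.append(f"inefficient: returned {returned} of {visited} visited ({returned / visited:.2%})")
    names = {n.upper() for n, _ in stats["indices"]}
    if names and names <= GENERIC_INDICES:
        findings.append("only generic index used: " + ", ".join(sorted(names)))
    return findings
```

Calling `assess(parse_stats(SAMPLE))` reports both findings for the summary shown in this article; run the same check before and after installing the fix to confirm that the query now selects a defined index.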

Resolution


To resolve this issue in Windows 8.1 or Windows Server 2012 R2, install update rollup 2955164.

To resolve this issue in Windows 8, Windows Server 2012, Windows 7, or Windows Server 2008 R2, install the hotfix that is described in this article.



Important notes:
  • LDAP queries that reference attributes that are not defined in the AD schema may be serviced more slowly by AD DS or AD LDS servers that have the KB 2862304 fix installed or that run Windows Server 2012 R2.
  • Microsoft is aware of this issue, and we are working on an update to KB 2862304. More information will be posted to this article when the updated fix is available.
  • To work around this issue, use one of the following methods, as appropriate:

    • Change the queries to reference existing attributes.
    • Add currently undefined attributes to the AD schema.
    • Direct relevant LDAP queries to AD DS or AD LDS servers that do not have update 2862304 or hotfix 2862304 installed. This includes Windows Server 2012 R2 RTM DCs.

Update information for Windows 8.1 and Windows Server 2012 R2

For more information about how to obtain this update rollup package, click the following article number to view the article in the Microsoft Knowledge Base:
2955164 Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: May 2014

Hotfix information for Windows 8, Windows Server 2012, Windows 7, and Windows Server 2008 R2

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix Download Available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:

Note The "Hotfix Download Available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must be running one of the following operating systems:
  • Windows 8.1
  • Windows Server 2012 R2
  • Windows 8
  • Windows Server 2012
  • Windows 7 Service Pack 1 (SP1)
  • Windows Server 2008 R2 (SP1)
For more information about how to obtain a Windows 7 or Windows Server 2008 R2 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
976932 Information about Service Pack 1 for Windows 7 and for Windows Server 2008 R2

Registry information

To apply this hotfix, you do not have to make any changes to the registry.

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information


For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

For more information about this issue, click the following article numbers to view the articles in the Microsoft Knowledge Base:
314980 How to configure Active Directory diagnostic event logging in Windows Server 2003 and in Windows 2000 Server
951581 LDAP queries are executed more slowly than expected in the AD or LDS/ADAM directory service and Event ID 1644 may be logged
For more information about the STATS control, see the following articles: