AD DS or AD LDS responds slowly to LDAP query that has an undefined attribute and an OR clause in Windows

Applies to: Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Standard

This article describes an issue that occurs when Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 Service Pack 1 (SP1)-based servers respond to Lightweight Directory Access Protocol (LDAP) queries. A hotfix is available to resolve this issue. Before you install this hotfix, check out the Prerequisites section.

Symptoms


Assume that you have a Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 SP1-based computer that has the Active Directory Domain Services (AD DS) or the Active Directory Lightweight Directory Services (AD LDS) server role installed. The server receives a complex LDAP query that contains an undefined attribute and an OR clause. In this situation, the search performed by AD DS or AD LDS is slow.

Note This issue also occurs on Windows 8.1, Windows 8, or Windows 7 SP1-based computers that have the AD LDS component role installed.

If you have identified such a slow query in an event 1644 or an AD data collector set, you see an entry that resembles the following:
  Filter Name: (&(objectClass=computer) (objectCategory=Computer) ( | (cn=computer1) (<UNKNOWN>) ) )
  Index: DNT_index:163530:N;
  Status: 0
  Visited: 1982116
  Found: 1
  Requests/sec: 0.0
  Response Time(ms): 43182
  CPU%: 1.4

Significant fields:
  • Filter Name has a section of query in an OR-term reported as "<UNKNOWN>".
  • Index names a large index. idx_objectClass, idx_objectCategory, Ancestors_index, or similar are also possible.
  • The ratio of objects Visited to objects Found is poor.
  • The Response Time is high.
  • CPU% usage is high for the expected complexity of the query.
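The significant fields above, applied to report entries as a triage check. This is an added example, not code from the original article or from Microsoft. The dictionary layout, the function names, the `min_ratio` and `min_ms` thresholds, and the `CONSTRUCTED_OK` entry are assumptions made for illustration.

```python
import re

# Index names the article lists as signs of a poorly chosen index (lower-cased).
GENERIC = {"dnt_index", "idx_objectclass", "idx_objectcategory", "ancestors_index"}

def parse_filter(text):
    """Parse a reported filter into (op, [children]) and ('item', text) tuples."""
    tokens = [t.strip() for t in re.findall(r"[()]|[^()\s][^()]*", text)]
    def node(i):
        if tokens[i] != "(":
            raise ValueError("expected '(' at token %d" % i)
        head, i, children = tokens[i + 1], i + 2, None
        if head in ("&", "|", "!"):
            children = []
            while tokens[i] == "(":
                child, i = node(i)
                children.append(child)
        if tokens[i] != ")":
            raise ValueError("expected ')' at token %d" % i)
        return (("item", head) if children is None else (head, children)), i + 1
    try:
        tree, end = node(0)
    except IndexError:
        raise ValueError("unbalanced filter: %r" % text)
    if end != len(tokens):
        raise ValueError("trailing text after filter: %r" % text)
    return tree

def unknown_in_or(tree, in_or=False):
    """True if an item reported as <UNKNOWN> sits anywhere under an OR clause."""
    kind, body = tree
    if kind == "item":
        return in_or and body == "<UNKNOWN>"
    return any(unknown_in_or(c, in_or or kind == "|") for c in body)

def triage(rec, min_ratio=1000, min_ms=5000):
    """List the significant fields an entry matches (thresholds are assumed)."""
    checks = [
        ("unknown-in-or", unknown_in_or(parse_filter(rec["Filter Name"]))),
        ("generic-index", rec["Index"].split(":")[0].lower() in GENERIC),
        ("visited-to-found", rec["Visited"] / max(rec["Found"], 1) >= min_ratio),
        ("slow-response", rec["Response Time(ms)"] >= min_ms),
    ]
    return [name for name, hit in checks if hit]

# Entry from the article, then a constructed entry for a well-indexed query.
ARTICLE_ENTRY = {"Filter Name": "(&(objectClass=computer) (objectCategory=Computer) ( | (cn=computer1) (<UNKNOWN>) ) )",
                 "Index": "DNT_index:163530:N;", "Visited": 1982116, "Found": 1, "Response Time(ms)": 43182}
CONSTRUCTED_OK = {"Filter Name": "(&(objectClass=computer)(cn=computer1))",
                  "Index": "idx_cn:1:N;", "Visited": 1, "Found": 1, "Response Time(ms)": 2}
print(triage(ARTICLE_ENTRY), triage(CONSTRUCTED_OK))
```

CPU% is not scored because the article gives no baseline for the expected complexity of a query; judge it by hand for entries that match the other four fields.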

You have to interrogate the client or create a network trace to see the actual filter details. You might obtain the actual query string from the Microsoft LDAP client ETW logging described in Event Tracing for LDAP in Windows Vista/2008.

You see a very similar report when you run the query that you find in a network trace or ETW log and include the STATS control.

Cause


This issue occurs because AD DS or AD LDS does not determine the index correctly in the LDAP query filter when it performs the search. Instead, AD DS or AD LDS uses a generic index, such as DNT_INDEX. This causes the search to visit many more objects than are actually required.

Resolution


Hotfix information

Important Do not install a language pack after you install this hotfix. If you do, the language-specific changes in the hotfix will not be applied, and you will have to reinstall the hotfix. For more information, see Add language packs to Windows.

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix Download Available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:

Note The "Hotfix Download Available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.


Prerequisites

To apply this hotfix, you must have update 2919355 installed in Windows 8.1 or Windows Server 2012 R2. Or, install Service Pack 1 for Windows 7 or Windows Server 2008 R2.

Registry information

To use the hotfix in this package, you do not have to make any changes to the registry.

Restart requirement

You may have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References


See the terminology that Microsoft uses to describe software updates.

For the usage of the STATS control, see Creating More Efficient Microsoft Active Directory-Enabled Applications.