How to use Event1644Reader.ps1 to analyze LDAP query performance in Windows Server

Applies to: Windows Server 2012 R2 DatacenterWindows Server 2012 R2 StandardWindows Server 2012 R2 Essentials More

This article describes a script that helps analyze Active Directory event ID 1644 in Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008. Review the steps to use the script and then analyze your problems.

About the Event1644Reader.ps1 script

Active Directory event ID 1644 is logged in the Directory Service event log. This event identifies expensive, inefficient, or slow Lightweight Directory Access Protocol (LDAP) searches that are serviced by Active Directory domain controllers. NTDS General event ID 1644 can be filtered to record LDAP searches in the Directory Services event log based on the number of objects in the Active Directory database that were visited, the number of objects that were returned, or the LDAP search execution time on the domain controller. For more information about event ID 1644, see Hotfix 2800945 adds performance data to Active Directory event log.

Event1644Reader.ps1 is a Windows PowerShell script that extracts data from 1644 events that are hosted in saved Directory Service event logs. Then, it imports that data into a series of pivot tables in a Microsoft Excel spreadsheet to help administrators gain insights about the LDAP workloads that are being serviced by the domain controllers and clients that are generating those queries.

How to obtain the script

You can obtain the script from the Microsoft Script Center.

Script Center disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

Online peer support
For online peer support, join The Official Scripting Guys Forum! To provide feedback or report bugs in sample scripts, please start a new discussion on the Discussions tab for this script.

How to use the script

To better analyze the LDAP queries that are captured in event ID 1644, follow these steps:
  1. Make sure that the domain controllers that you are troubleshooting capture enhanced1644 event metadata.

    Note Windows Server 2012 R2 added enhanced 1644 event logging by recording the duration of LDAP queries and other metadata. The enhanced 1644 event logging was backported to Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 by hotfix 2800945.
  2. Set the value of the following Field Engineering registry entry to 5:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\Field Engineering
    Note Setting field engineering log verbosity to 5 will cause other events to be logged in the directory service event log. Reset field engineering back to its default value of 0 when you are not actively collecting 1644 events. (This action does not require a restart.)
  3. If the following registry entries exist, change the values to the desired threshold in milliseconds. If a particular registry entry does not exist, create a new entry with that name, and then set its value to the desired threshold in milliseconds.
    Registry pathData typeDefault value
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Search Time Threshold (msecs)DWORD30,000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Expensive Search Results ThresholdDWORD10,000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Inefficient Search Results ThresholdDWORD1,000
    • When the Field Engineering logging level is enabled and the Search Time Threshold (msecs) registry entry is not used or is set to 0, the default value of the time threshold is 30,000 milliseconds. (This action does not require a restart.)
    • One strategy would be to set the registry value for both the Inefficient Search Results Threshold and Expensive Search Results Threshold registry settings, and then focus on events that are identified by Search Time hold (msecs). Start with a larger value like 100 milliseconds and then incrementally decrease the value as you optimize the queries that are occurring in your environment.
    • Event1644Reader.ps1 can parse events from multiple domain controllers. Configure the field engineering, search time, expensive, and inefficient registry key settings on all domain controllers on which you want to review LDAP searches.

  4. Download the Event1644Reader.ps1 file from Microsoft Script Centerto the computer that will analyze saved Active Directory Service EVTX files that contain 1644 events.

    This computer should have Microsoft Excel 2010 or a later version installed and should have sufficient disk space to host the directory service event logs that the script will parse.
  5. Copy saved Directory Service event logs that contain 1644 events from the domain controllers where you enabled 1644 event logging to the 1644 analysis computer.
  6. In Windows Explorer, right-click the Event1644Reader.ps1 file,and then select Run with PowerShell.
    The following is the screen shot for this step:
    The screen shot of this step.
  7. Press Y to bypass PowerShell Execution Policy as required.
  8. Specify the path of the EVTX files to be parsed.
  9. When you see the prompt as the following screen shot, take the following actions:
    The screen shot of PowerShell.
    • Press Enter to parse all EVTX files that are located in the same directory as the Enent1644Reader.ps1 file.
    • Type the drive:\path path that contains the EVTX files to be parsed.

    Note Event1644Reader.ps1 parses 1644 events in all up-level directory service event logs that are located in the targeted path every time that the script runs.
  10. Open the worksheet to review data and walk through the series of tabs, and then save the Excel spreadsheet as required. For more information about the tabs in the worksheet, see the "Walkthrough of the Excel spreadsheet created by 1644Reder.ps1" section.
Note *.csv files that are built by the tool are not automatically removed. Consider purging *.csv files after your investigation is complete.

More Information

For more information about LDAP queries, see the following blog: