How to monitor Active Directory LDAP logs?

If you're troubleshooting Active Directory and need to enable LDAP logging, follow these steps:

Enable LDAP auditing

Open Registry Editor and go to HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Diagnostics. Set the value '15 Field Engineering' to '5'. This causes expensive and inefficient LDAP calls to be logged in Event Viewer.

View the logs

Unsecure LDAP binds

Go to Event Viewer → Filter Directory Service logs to locate the event ID 2889 (Windows Server 2003 to 2012)

Number of daily unsecure LDAP binds

Go to Event Viewer → Filter Directory Service logs to locate the event ID 2887 (Windows Server 2003 to 2012)

Number of LDAP queries

Go to Event Viewer → Filter Directory Service logs to locate the event ID 1643 (Windows Server 2003 to 2012)

Recent LDAP queries

Go to Event Viewer → Filter Directory Service logs to locate the event ID 1644 (Windows Server 2003 to 2012)

Error from the LDAP server

Go to Event Viewer → Filter Directory Service logs to locate the event ID 1535 (Windows Server 2003 to 2012)

Time-out LDAP connection

Go to Event Viewer → Filter Directory Service logs to locate the event ID 1317 (Windows Server 2003 to 2012)
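The whole procedure above (turn the diagnostic level up, then pull the listed event IDs out of the Directory Service log) can be scripted. The PowerShell below is an added example, not code from the original post; it assumes an elevated session on the domain controller being troubleshooted, and the two message label strings used to parse event 2889 ("Client IP address:" and "authenticate as:") are an assumption about the event text. It also goes one step beyond the post by setting '16 LDAP Interface Events' to 2, which is the diagnostic level that makes the 2889 bind events appear at all.

```powershell
# Added example (not from the original post): enable the Directory Service diagnostic
# levels and pull the event IDs listed above from the Directory Service log.
# Run in an elevated PowerShell session on the domain controller you are troubleshooting.

$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Step from the post: '15 Field Engineering' = 5 logs expensive/inefficient LDAP searches (1644, 1643).
Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 5 -Type DWord

# Beyond the post: unsigned/cleartext bind events (2889) are only written when
# '16 LDAP Interface Events' is at level 2 or higher.
Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# Event IDs listed in the post and what each one reports.
$ldapEvents = @{
    2889 = 'Unsecure LDAP bind (simple bind over cleartext or SASL bind without signing)'
    2887 = 'Daily count of unsecure LDAP binds'
    1643 = 'Number of LDAP queries'
    1644 = 'Recent (expensive/inefficient) LDAP query'
    1535 = 'Error from the LDAP server'
    1317 = 'LDAP connection time-out'
}

function Get-LdapDiagnosticEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Directory Service'
        Id        = [int[]]$ldapEvents.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when nothing matches yet, so suppress that and return nothing.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

function Get-UnsecureBindClients {
    param([int]$Hours = 24)
    # Event 2889 names the client and the account it bound as. The two label strings in the
    # regexes are an assumption about the message text; adjust them if your DC's wording differs.
    Get-LdapDiagnosticEvents -Hours $Hours |
        Where-Object Id -eq 2889 |
        ForEach-Object {
            $ip   = if ($_.Message -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { 'unknown' }
            $user = if ($_.Message -match 'authenticate as:\s*(\S+)') { $Matches[1] } else { 'unknown' }
            [pscustomobject]@{ Time = $_.TimeCreated; ClientIP = $ip; Identity = $user }
        } |
        Group-Object ClientIP, Identity |
        Select-Object Count, @{ n = 'Client'; e = { $_.Name } } |
        Sort-Object Count -Descending
}

# Summary: how many of each event fired in the last day.
Get-LdapDiagnosticEvents | Group-Object Id | ForEach-Object {
    [pscustomobject]@{
        Id      = [int]$_.Name
        Count   = $_.Count
        Meaning = $ldapEvents[[int]$_.Name]   # hashtable keys are ints, Group-Object names are strings
    }
} | Format-Table -AutoSize

# Which clients and accounts are still binding insecurely (fix these before enforcing LDAP signing).
Get-UnsecureBindClients | Format-Table -AutoSize

# Diagnostic level 5 is verbose; set it back to 0 when you are done troubleshooting:
# Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 0 -Type DWord
```

The first table tells you whether the logging is actually producing anything (no 1644 rows means no search crossed the expensive/inefficient thresholds, not that logging failed), and the second gives you the list of clients to chase down while the binds are still being logged rather than rejected.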

And that’s all for this blog post! Hope this information helps you! ☺️
