Monitor Active Directory LDAP Queries

I recently had a requirement to view the LDAP Queries that Exchange 2010 was running against a 2008 Active Directory Server when a Service Starts.

When the LDAP queries are sent to the Active Directory Server they are encrypted, meaning that tools like Wireshark and Network Monitor can’t be used to read them.

In researching how I could monitor these queries on Server 2008 I came across this blog post, which describes how to use the Reliability and Performance Monitor (RPM) to monitor Active Directory, including the LDAP queries it receives.

The results are captured in a file called “Active Directory.etl” and stored in subfolders under “c:\perflogs\ADDS”. When the Capture is stopped, RPM generates a report which contains an analysis of the captured data, including the top 25 LDAP queries.

The top 25 LDAP queries appear to be the most CPU-intensive queries. This may be useful for some people but is of little use if you want to view all of the LDAP queries.

Luckily, all is not lost: all of the queries are stored within the Active Directory.etl file. Looking into how I could extract information from this file, I found this post. The only slight difference is that I needed to use the -lr flag in order to extract the LDAP queries. The full command is:

tracerpt -lr "Active Directory.etl"

This produces an XML file called dumpfile.xml, which contains all of the captured LDAP queries. Unfortunately it does not store the results of the queries.
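Because the RPM report only shows the top 25 queries, the useful next step is to read every LDAP query out of dumpfile.xml yourself. The following PowerShell script is an added example, not code from the original post or from the tracerpt tool: it loads dumpfile.xml, walks every event, and keeps those whose payload contains something shaped like an LDAP search filter, then lists them in time order and counts how often each filter was issued. It assumes tracerpt wrote its default Windows Event XML schema (an `<Events>` root holding `<Event>` elements in the `http://schemas.microsoft.com/win/2004/08/events/event` namespace); the field names the Active Directory provider uses inside `<EventData>` are not assumed, so every `<Data Name="...">` element is read generically and the filter detection is a heuristic regular expression.

```powershell
# Added example (not from the original post): list every LDAP query captured in
# the dumpfile.xml produced by:  tracerpt -lr "Active Directory.etl"
# Assumption: tracerpt emitted the standard Windows Event XML schema; the
# EventData field names are unknown, so all <Data> elements are read generically.

param(
    # Path to the tracerpt output; the default file name is tracerpt's own default.
    [string]$Path = ".\dumpfile.xml"
)

[xml]$doc = Get-Content -Path $Path -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace("e", "http://schemas.microsoft.com/win/2004/08/events/event")

# Heuristic: an LDAP search filter looks like "(attr=value)" or "(&(a=b)(c=d))".
$ldapFilterPattern = '^\(.*=.*\)$'

$rows = foreach ($ev in $doc.SelectNodes("//e:Event", $ns)) {
    # Collect the event payload as name/value pairs without assuming field names.
    $data = [ordered]@{}
    foreach ($d in $ev.SelectNodes("e:EventData/e:Data", $ns)) {
        $name = $d.GetAttribute("Name")
        if (-not $name) { $name = "Data$($data.Count)" }
        $data[$name] = $d.InnerText
    }

    # Keep only events that carry an LDAP-filter-looking value.
    $filter = @($data.Values | Where-Object { $_ -match $ldapFilterPattern }) | Select-Object -First 1
    if (-not $filter) { continue }

    $timeNode = $ev.SelectSingleNode("e:System/e:TimeCreated", $ns)
    $idNode   = $ev.SelectSingleNode("e:System/e:EventID", $ns)

    [pscustomobject]@{
        Time    = if ($timeNode) { $timeNode.GetAttribute("SystemTime") } else { "" }
        EventId = if ($idNode)   { $idNode.InnerText } else { "" }
        Filter  = $filter
        # Remaining payload fields, so client, base DN and scope are visible
        # whatever the provider calls them.
        Fields  = ($data.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join "; "
    }
}

# Every captured query in the order it arrived.
$rows | Sort-Object Time | Format-Table -AutoSize -Wrap

# Which filters were issued most often: handy for spotting a service that
# hammers the directory at start-up.
$rows | Group-Object Filter | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it from the folder that holds dumpfile.xml (`.\Get-LdapQueries.ps1` or `.\Get-LdapQueries.ps1 -Path "C:\perflogs\ADDS\...\dumpfile.xml"`). If no rows appear, inspect one raw `<Event>` element from the file first; a provider that places the filter in a field the regular expression does not match only needs the pattern widened, the rest of the script stays the same.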

