Sometimes, the Active Directory response times for specific LDAP queries are pretty high. To find slow LDAP queries, you can set the registry value "15 Field Engineering" under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics to 5 on the machine hosting Active Directory.

To only collect queries which are above a defined threshold, you can set the registry keys

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Expensive Search Results Threshold
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Inefficient Search Results Threshold
  • and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Search Time Threshold

to a threshold measured in milliseconds.

After that, your Directory Services event log contains the 1644 events. You can download the Event 1644 Reader script from GitHub. It allows you to extract all collected events.
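The steps above as one PowerShell session, run elevated on the domain controller. This is an added example, not code from the original page or from the Event 1644 Reader script. The 10-minute collection window is a hypothetical value, and the order of the event properties is an assumption taken from the event's message template, so check it against the Message text on your OS version.

```powershell
#Requires -RunAsAdministrator
# Added example: raise the Field Engineering level, collect 1644 events, restore.
$diagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$paramKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = '15 Field Engineering'

# Remember the current level so it can be put back afterwards.
$previous = Get-ItemPropertyValue -Path $diagKey -Name $valueName
Set-ItemProperty -Path $diagKey -Name $valueName -Value 5 -Type DWord
$started = Get-Date

# Show the threshold values currently set under Parameters, if any.
Get-ItemProperty -Path $paramKey | Select-Object -Property '*Threshold*' | Format-List

try {
    # Hypothetical collection window; adjust it to cover the slow period.
    Start-Sleep -Seconds 600

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 1644
        StartTime = $started
    } -ErrorAction SilentlyContinue   # no matching events is not an error here

    # Assumed property order: 0 starting node, 1 filter, 2 visited entries,
    # 3 returned entries, 4 client (address:port).
    $queries = foreach ($e in $events) {
        if ($e.Properties.Count -lt 5) { continue }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Client   = ([string]$e.Properties[4].Value) -replace ':\d+$', ''
            BaseDN   = $e.Properties[0].Value
            Filter   = $e.Properties[1].Value
            Visited  = $e.Properties[2].Value
            Returned = $e.Properties[3].Value
        }
    }

    # Which client sends which filter most often.
    $queries | Group-Object Client, Filter |
        Sort-Object Count -Descending |
        Select-Object -First 20 Count, Name
}
finally {
    # Level 5 logging is verbose; always restore the previous level.
    Set-ItemProperty -Path $diagKey -Name $valueName -Value $previous -Type DWord
}
```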

For more information, see this blog article from Microsoft.