How can I verify LDAP client usage prior to decommissioning a server?


This topic contains 16 replies, has 6 voices, and was last updated by dbutch1976 9 years, 12 months ago.

    dbutch1976
    Member
    #144719

    Hello,

    I have been tasked with decommissioning numerous 2003 AD servers now that our new 2008 infrastructure is up and running. I need to confirm that no clients have manually configured individual DC’s for LDAP queries. How can I determine if clients are making LDAP queries against a particular box?

    One solution I have been kicking around is to perform an LDAP query from my local machine and then seeing what is logged in event viewer, then looking for similar logs. Is there any way I can make such queries?

    I assumed that using AD Users and Computers to connect to a particular server should register some kind of event while I’m viewing AD, but I can’t see any events being created.

    Thanks.

    dbutch1976
    Member
    #365303

    Re: How can I verify LDAP client usage prior to decommissioning a server?

    Any other ideas? Maybe it’d be worthwhile monitoring the server’s ports in order to verify that no other services are being used… Can anyone recommend some good port monitoring software that would assist with this task?

    joeqwerty
    Moderator
    #302863

    Re: How can I verify LDAP client usage prior to decommissioning a server?

    Sounds like you’re making it too complicated. How would a client (user) manually configure LDAP communications? Do you think that the users have the knowledge and skill to do that? My suggestion would be to shut down the 2003 servers for a week and wait for any support calls that come in and then address them.

    dbutch1976
    Member
    #365304

    Re: How can I verify LDAP client usage prior to decommissioning a server?

    joeqwerty;182189 wrote:
    Sounds like you’re making it too complicated. How would a client (user) manually configure LDAP communications? Do you think that the users have the knowledge and skill to do that? My suggestion would be to shut down the 2003 servers for a week and wait for any support calls that come in and then address them.

    I fully agree actually. The concern is that there is an LDAP-dependent software app somewhere out on my network (which is a fairly large enterprise) that is using one of these boxes, but to be honest this concern is secondary.

    What I would really like to do is an audit of all services and all connections that are being made to the server, thereby ensuring there are no obvious required services prior to turning it off, just a cursory glance really to hopefully avoid someone shouting that I should have known before I turn it off.

    No matter what I doubt I’ll be able to be 100% sure and I’m going to just have to turn the box off and see what happens at some point, but I’d like to at least be fairly certain first.

    stamandster
    Member
    #280343

    Re: How can I verify LDAP client usage prior to decommissioning a server?

    You could always use the netstat command to see ip:port connections to your server.

    Just to be aware, if it’s a DC it’s going to be authenticated to. If you have multiple DC’s in a subnet/site they all really do get used at one point or another. If it’s just a DC then you really don’t have anything more to worry about than AD and DNS being on it, and possibly DHCP.

    As long as all your DNS configurations are pointed to the new server I don’t think you have much to worry about. And if there’s a piece of software that needs a specific domain controller then that really should have been documented when it was deployed.

    Also, don’t just turn the box off. DCPromo it out of the domain cleanly.
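    As an added example (not from the thread or any poster), here is a small Python script that does the netstat check offline: it parses the text of `netstat -ano` captured on the DC and lists which remote hosts hold established TCP sessions to the LDAP listeners (389, LDAPS 636, and the Global Catalog ports 3268/3269). The netstat output embedded below is constructed, not a real capture.

```python
"""Which remote hosts have TCP sessions open to this DC's LDAP ports?

Added example, not from the thread. Input is the text of `netstat -ano`
captured on the domain controller; the sample below is constructed.
"""
import re
from collections import defaultdict

# Ports a DC answers LDAP on: LDAP, LDAPS and the Global Catalog pair.
# DNS (53) is deliberately not included: netstat's UDP lines carry no
# remote endpoint or state, so they cannot tell us who is querying DNS.
LDAP_PORTS = {389, 636, 3268, 3269}

# Constructed `netstat -ano` output (not a real capture). The 445 line and
# the TIME_WAIT line are there to show what gets filtered out.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       412
  TCP    10.1.0.5:389           10.1.4.77:49210        ESTABLISHED     412
  TCP    10.1.0.5:389           10.1.4.77:49211        ESTABLISHED     412
  TCP    10.1.0.5:389           10.1.9.20:1034         ESTABLISHED     412
  TCP    10.1.0.5:3268          10.1.9.20:1035         ESTABLISHED     412
  TCP    10.1.0.5:636           10.2.0.15:53122        TIME_WAIT       0
  TCP    10.1.0.5:445           10.1.4.77:49300        ESTABLISHED     4
  UDP    10.1.0.5:53            *:*                                    980
"""

# One TCP line: proto, local ip:port, foreign ip:port, state, pid.
# `\S+` is greedy, so bracketed IPv6 addresses such as [::1]:389 also parse.
TCP_LINE = re.compile(
    r"^\s*TCP\s+(?P<lip>\S+):(?P<lport>\d+)\s+"
    r"(?P<rip>\S+):(?P<rport>\d+)\s+(?P<state>\S+)\s+(?P<pid>\d+)"
)


def summarize_ldap_clients(netstat_text, ports=LDAP_PORTS, states=("ESTABLISHED",)):
    """Group matching sessions by remote address.

    Returns {remote_ip: {"sessions": count, "ports": sorted local ports}}.
    Only sessions in `states` on a local port in `ports` are counted, so
    listeners, half-closed sessions and non-LDAP traffic are ignored.
    """
    clients = defaultdict(lambda: {"sessions": 0, "ports": set()})
    for line in netstat_text.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue
        lport = int(m.group("lport"))
        if lport not in ports or m.group("state") not in states:
            continue
        entry = clients[m.group("rip")]
        entry["sessions"] += 1
        entry["ports"].add(lport)
    return {ip: {"sessions": e["sessions"], "ports": sorted(e["ports"])}
            for ip, e in clients.items()}


def format_report(clients):
    """Render the summary as one line per remote host, busiest first."""
    lines = ["remote host       sessions  local ports"]
    for ip, e in sorted(clients.items(), key=lambda kv: -kv[1]["sessions"]):
        lines.append(f"{ip:<17} {e['sessions']:>8}  {', '.join(map(str, e['ports']))}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Pipe real output in (`netstat -ano | python this.py`) or run with no
    # input to see the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    print(format_report(summarize_ldap_clients(text)))
```

    One `netstat` run is a single point in time, so capture it at intervals across a working day and merge the results before drawing conclusions. Expect other domain controllers and any monitoring agents to show up in the list as well; the interesting entries are application servers and workstations that should have been talking to the new 2008 DCs.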

    dbutch1976
    Member
    #365305

    Re: How can I verify LDAP client usage prior to decommissioning a server?

    stamandster;182250 wrote:
    Also, don’t just turn the box off. DCPromo it out of the domain cleanly.

    Would you recommend turning it off for a week or so prior to running the DCPROMO just to make triple sure nobody’s connecting into it, or is it better to DCPROMO a decommissioned DC immediately?

    gforceindustries
    #344098

    Re: How can I verify LDAP client usage prior to decommissioning a server?

    Turn it off for a couple of days to be sure.

    dbutch1976
    Member
    #365306

    Re: How can I verify LDAP client usage prior to decommissioning a server?

    gforceindustries;182544 wrote:
    Turn it off for a couple of days to be sure.

    Cool, thanks for all the advice so far. One last question. Does anyone have any experience using wireshark to capture LDAP traffic? I’d like to analyse some of the packets coming through and check the sources but I’ve never used the product previously, any tips would be appreciated.

    dbutch1976
    Member
    #365307

    Re: How can I verify LDAP client usage prior to decommissioning a server?

    stamandster;182250 wrote:
    Just to be aware, if it’s a DC it’s going to be authenticated to. If you have multiple DC’s in a subnet/site they all really do get used at one point or another. If it’s just a DC then you really don’t have anything more to worry about than AD and DNS being on it, and possibly DHCP.

    I have a question about this point. Since the servers are being decommissioned and numerous clients are statically configured to use them for DNS, I will need to manually go to each client with a static configuration and change it to point to the new server.

    However… Wouldn’t it be much much easier just to add the static DNS IP address as a secondary IP address on one of the new 2008 servers? Wouldn’t that immediately redirect all DNS requests to the new box and save me having to go to each client and making manual changes?

    ScottMcD
    Member
    #352800

    Re: How can I verify LDAP client usage prior to decommissioning a server?

    You should be able to use perfmon to monitor LDAP reads and writes. It’s under NTDS.

    joeqwerty
    Moderator
    #302887

    Re: How can I verify LDAP client usage prior to decommissioning a server?

    dbutch1976;182957 wrote:
    I have a question about this point. Since the servers are being decommissioned and numerous clients are statically configured to use them for DNS, I will need to manually go to each client with a static configuration and change it to point to the new server.

    However… Wouldn’t it be much much easier just to add the static DNS IP address as a secondary IP address on one of the new 2008 servers? Wouldn’t that immediately redirect all DNS requests to the new box and save me having to go to each client and making manual changes?

    The preferred solution would be to use DHCP to allocate ip addresses to the client machines and define the DNS servers in your DHCP scope.

    dbutch1976
    Member
    #365308

    Re: How can I verify LDAP client usage prior to decommissioning a server?

    joeqwerty;182977 wrote:
    The preferred solution would be to use DHCP to allocate ip addresses to the client machines and define the DNS servers in your DHCP scope.

    To my knowledge this is how the vast majority of machines are configured within the network, but undoubtedly we’re going to miss a couple of static configs. I guess there’s not much that can be done about that.

    stamandster
    Member
    #280359

    Re: How can I verify LDAP client usage prior to decommissioning a server?

    dbutch1976;183551 wrote:
    To my knowledge this is how the vast majority of machines are configured within the network, but undoubtedly we’re going to miss a couple of static configs. I guess there’s not much that can be done about that.

    Yeah not really. That’s why it’s so important to document everything. We just had to go through this in a way. I ended up going through and finding all the statically assigned addresses and documenting them. I ended up assigning the static addresses through DHCP by MAC address.

    dbutch1976
    Member
    #365309

    Re: How can I verify LDAP client usage prior to decommissioning a server?

    ScottMcD;182969 wrote:
    You should be able to use perfmon to monitor LDAP reads and writes. It’s under NTDS.

    I’ve found the counters you were mentioning and added every LDAP related counter to the list. Most of the counters flatline at 0, however one counter is of interest to me:

    LDAP Client Sessions <-- This counter remains constant at 4 connections

    ** Does this mean that there are 4 persistent LDAP connections to this server? :confused: If so, that would be ideal because I would just need to identify who is connecting into it and bam I could arrange the client to point to another server.

    Could you clarify what the above counters are saying?
    The MS explanation is: LDAP Client Sessions is the number of connected LDAP client sessions – However this does not mention if the connections are persistent.

    Thanks! :)

    guyt
    Member
    #193973

    Re: How can I verify LDAP client usage prior to decommissioning a server?

    dbutch1976;182957 wrote:
    However… Wouldn’t it be much much easier just to add the static DNS IP address as a secondary IP address on one of the new 2008 servers? Wouldn’t that immediately redirect all DNS requests to the new box and save me having to go to each client and making manual changes?

    This will break authentication for LDAP clients that are using Kerberos authentication and have the DNS name of the DC hard-coded.

    guyt
    Member
    #193974

    Re: How can I verify LDAP client usage prior to decommissioning a server?

    You can enable LDAP query logging and analyze the logs:
    http://www.activedir.org/Articles/tabid/54/articleType/ArticleView/articleId/41/Default.aspx

    dbutch1976
    Member
    #365310

    Re: How can I verify LDAP client usage prior to decommissioning a server?

    guyt;183692 wrote:

    Thanks to all for the help. Can I get some input on the auditing plan below?

    Auditing 2003 Domain Controllers for the presence of LDAP enabled applications

    Source Documents:
    http://www.activedir.org/Articles/tabid/54/articleType/ArticleView/articleId/41/Default.aspx – How to configure logging
    http://books.google.ca/books?id=p-yw7g2R-4kC&pg=RA2-PA640&lpg=RA2-PA640&dq=event+id+1643&source=bl&ots=9_xXHVxDJe&sig=mc5IK-s36Z3hRUQwcT8zgzUlRaM&hl=en&ei=rGrcSu6rKYqXlAe34MyhAQ&sa=X&oi=book_result&ct=result&resnum=3&ved=0CA8Q6AEwAg#v=onepage&q=event%20id%201643&f=false – Info regarding returned events
    First Phase – Configure auditing
    1. Enable auditing of inefficient LDAP queries. Set HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\15 Field Engineering to 4
    2. Configure the following counters in Perfmon:
    NTDS DS Threads in Use
    Indicates the current number of threads in use by the directory service.
    This counter should show activity over time. If it does not, it usually indicates that network problems are hindering client requests.
    NTDS LDAP Client Sessions
    Indicates the number of sessions of connected LDAP clients.
    This counter should show activity over time. If it does not, it usually indicates that network-related problems are occurring.
    NTDS LDAP Searches/sec
    Indicates the number of search operations (per second) performed by LDAP clients.
    This counter should show activity over time. If it does not, it usually indicates that network problems are hindering client requests.
    NTDS LDAP Successful Binds/sec
    Indicates the number of LDAP bindings (per second) that occurred successfully.
    This counter should show activity over time. If it does not, it usually indicates that network-related problems are occurring.
    NTDS NTLM Authentications
    Indicates the number of NTLM authentications (per second) serviced by the domain controller.
    This counter should show activity over time. If it does not and the clients use Windows 98 or Windows NT, it usually indicates that network-related problems are occurring.
    LDAP Active Threads
    Shows the current number of threads in use by the LDAP subsystem of the local directory service.

    3. Wait for one day to allow the server to collect data.

    Second Phase – Review of Audit results
    1. Review Event logs for Event ID 1643. The summary logs should have 0 inefficient queries. If there are inefficient queries then modify the registry key in step 1 to 5 instead of 4. This will result in considerably more results and will require close monitoring. The results will be more detailed and will also include the name of the client initiating the LDAP query.
    2. Compare the counter logs against the performance baseline created in step 2. If the counters have captured a higher amount of traffic, attempt to determine what this traffic is and flag this server for further investigation, as the traffic may be being caused by an LDAP-enabled application.

    Just let me know if those steps sound concise. I know nothing’s perfect, but at least I’ll be able to show that I made reasonable effort to double check for LDAP apps.
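    As an added example (not from the thread or any poster), here is a Python script that carries out the second phase of the plan above offline: it reads the Perfmon counter log as CSV, reports min/max/mean per counter, flags the counters whose peak exceeds the baseline from step 2, and counts Event ID 1643 entries in an export of the Directory Service log. It assumes the counter log is in the PDH-CSV layout that Performance Monitor and relog.exe write (a timestamp column followed by one column per counter path) and that the event log was saved as CSV from Event Viewer with the columns Type, Date, Time, Source, Category, Event, User, Computer; that event-export layout is an assumption, so adjust the column indexes if yours differs. Both data samples and the baseline values are constructed.

```python
"""Second-phase review of the audit plan: counter log vs. baseline, plus a
count of Event ID 1643 in the exported Directory Service log.

Added example, not from the thread. Inputs are assumed to be:
  * the Perfmon counter log as CSV (PDH-CSV layout: timestamp column, then
    one column per counter path, as relog.exe -f csv writes it),
  * the Directory Service event log saved as CSV from Event Viewer with the
    columns Type,Date,Time,Source,Category,Event,User,Computer (assumed;
    adjust the indexes in count_events() if your export differs).
All sample data and the baseline values below are constructed.
"""
import csv
import io
import statistics

# Constructed counter log: five 5-minute samples with a burst of searches
# and binds in the middle that the baseline comparison should catch. The
# blank cell on the last row stands in for a missed PDH sample.
SAMPLE_COUNTER_CSV = r'''
"(PDH-CSV 4.0) (Eastern Standard Time)(300)","\\DC01\NTDS\LDAP Client Sessions","\\DC01\NTDS\LDAP Searches/sec","\\DC01\NTDS\LDAP Successful Binds/sec"
"10/21/2009 08:00:00.000","4","0","0"
"10/21/2009 08:05:00.000","4","0","0"
"10/21/2009 08:10:00.000","6","12.5","1.2"
"10/21/2009 08:15:00.000","6","11.8","0.9"
"10/21/2009 08:20:00.000","4","","0"
'''.lstrip()

# Constructed baseline (step 2 of the plan): the largest value each counter
# reached while the DC carried only normal DC-to-DC and logon traffic.
BASELINE = {
    "NTDS\\LDAP Client Sessions": 4,
    "NTDS\\LDAP Searches/sec": 2.0,
    "NTDS\\LDAP Successful Binds/sec": 2.0,
}

# Constructed event export (assumed column layout, see module docstring).
# 1643 is the inefficient-query summary the plan reviews; the 1644 row is
# there only to show that other NTDS General events are not counted.
SAMPLE_EVENT_CSV = """\
Information,10/21/2009,08:00:12,NTDS General,Field Engineering,1643,N/A,DC01
Information,10/21/2009,08:10:05,NTDS General,Field Engineering,1643,N/A,DC01
Information,10/21/2009,08:10:06,NTDS General,Field Engineering,1644,N/A,DC01
"""


def strip_host(path):
    r"""'\\DC01\NTDS\LDAP Searches/sec' -> 'NTDS\LDAP Searches/sec'."""
    if path.startswith("\\\\"):
        return path[2:].split("\\", 1)[1]
    return path


def counter_stats(csv_text):
    """Per-counter min/max/mean, keyed by counter path without the host."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    names = [strip_host(h) for h in header[1:]]
    columns = {n: [] for n in names}
    for row in reader:
        if len(row) != len(header):
            continue                      # truncated last line of a live log
        for name, value in zip(names, row[1:]):
            if value.strip():             # PDH leaves a blank for a missed sample
                columns[name].append(float(value))
    return {n: {"min": min(v), "max": max(v), "mean": statistics.mean(v)}
            for n, v in columns.items() if v}


def flag_against_baseline(stats, baseline):
    """Counters whose observed max exceeds the baseline max, sorted by name."""
    return sorted(n for n, s in stats.items()
                  if n in baseline and s["max"] > baseline[n])


def count_events(csv_text, event_id, source="NTDS General"):
    """Rows in the export whose Source (col 3) and Event (col 5) match."""
    wanted = str(event_id)
    return sum(1 for row in csv.reader(io.StringIO(csv_text))
               if len(row) >= 6 and row[3] == source and row[5] == wanted)


def review(counter_csv, event_csv, baseline):
    """Apply both second-phase checks and return the findings."""
    stats = counter_stats(counter_csv)
    return {
        "inefficient_query_summaries": count_events(event_csv, 1643),
        "counters_above_baseline": flag_against_baseline(stats, baseline),
        "stats": stats,
    }


if __name__ == "__main__":
    result = review(SAMPLE_COUNTER_CSV, SAMPLE_EVENT_CSV, BASELINE)
    print("Event 1643 summaries:", result["inefficient_query_summaries"],
          "(plan: any > 0 means raise Field Engineering to 5)")
    for name in result["counters_above_baseline"]:
        s = result["stats"][name]
        print(f"above baseline: {name}  max={s['max']} mean={s['mean']:.2f}")
```

    A counter that sits above its baseline only says that something beyond the idle load is talking LDAP to this DC; pairing the time of the spike with a netstat capture or packet trace from the same window is what turns it into a client address you can follow up on.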
