Active Directory Accesses Test

Exchange 2007/2010 uses the Active Directory directory service site topology to determine how messages are transported in the organization.

Exchange 2007/2010 is a site-aware application. Site-aware applications can determine their own Active Directory site membership and the Active Directory site membership of other servers by querying Active Directory. In Exchange 2007/2010, the Microsoft Exchange Active Directory Topology service is responsible for updating the site attribute of the Exchange server object. When an Exchange server role has to determine the Active Directory site membership of another Exchange server role, it can query Active Directory to retrieve the site name.

The Mailbox server role uses Active Directory site membership information to determine which Hub Transport servers are located in the same Active Directory site as the Mailbox server. The Mailbox server submits messages for routing and transport to a Hub Transport server that has the same Active Directory site membership as the Mailbox server. The Hub Transport server then performs recipient resolution: it queries Active Directory to match an e-mail address to a recipient account, and the recipient account information includes the fully qualified domain name (FQDN) of the user's Mailbox server, which is used to look up the Active Directory site of that Mailbox server. The Hub Transport server delivers the message directly to a Mailbox server in its own Active Directory site, or relays it to another Hub Transport server for delivery to a Mailbox server outside that site. If there are no Hub Transport servers in the same Active Directory site as a Mailbox server, mail cannot flow to that Mailbox server.

To process the Active Directory queries that these transactions require, the Mailbox server role again uses site membership, this time to select the domain controllers and global catalog servers it will use, preferring directory servers in its own site. It then binds to the selected directory servers whenever it needs to read from or write to Active Directory.

Any slowdown in communication between the Mailbox server role and the domain controllers and global catalog servers it has selected therefore delays every lookup the server depends on, starting with the identification of the Hub Transport server it must hand messages to, and this in turn delays message submission and delivery. This test periodically monitors the LDAP traffic between the Mailbox server role and each domain controller it uses, so that communication bottlenecks, failed binds and dropped connections are identified and resolved swiftly.
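The two facts the preceding paragraphs rely on, which site the Mailbox server believes it is in and which directory servers it is currently bound to, can be checked directly from the server, and the same check can time the kind of base-scope LDAP read this test reports as "LDAP read time". The script below is an added example and is not part of the eG documentation or the eG agent. It assumes it is run in the Exchange Management Shell on the Mailbox server (for Get-ExchangeServer -Status, which populates CurrentDomainControllers and CurrentGlobalCatalogs), that .NET 3.5 or later is present for System.DirectoryServices.Protocols, and it uses 100 ms as the alert line, which is Microsoft's published spike guidance for LDAP read time and should be tuned to your own baseline.

```powershell
# Added example, not part of the eG documentation or the eG agent: confirm the
# Mailbox server's own view of its AD site, list the DCs and GCs Exchange is bound
# to right now, and time a base-scope (LDAP "Depth 0") read of RootDSE on each one.
# Assumptions: Exchange Management Shell on the Mailbox server, .NET 3.5+,
# 100 ms alert line (Microsoft's spike guidance for LDAP read time; tune to baseline).

Add-Type -AssemblyName System.DirectoryServices
Add-Type -AssemblyName System.DirectoryServices.Protocols

# 1. Site membership as the server computes it (the value the Microsoft Exchange
#    Active Directory Topology service writes back to the Exchange server object).
$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
Write-Host ("{0} is in AD site '{1}'" -f $env:COMPUTERNAME, $site)

# 2. Directory servers Exchange is using at this moment. Event ID 2080 from source
#    "MSExchange ADAccess" in the Application log records the same selection.
$srv = Get-ExchangeServer -Identity $env:COMPUTERNAME -Status
$targets = @()
foreach ($dc in $srv.CurrentDomainControllers) { $targets += New-Object PSObject -Property @{ Role = 'DC'; Server = "$dc"; Port = 389 } }
foreach ($gc in $srv.CurrentGlobalCatalogs)    { $targets += New-Object PSObject -Property @{ Role = 'GC'; Server = "$gc"; Port = 3268 } }

# 3. Bind with Kerberos (Negotiate, as Exchange does) and read RootDSE, timing the
#    whole round trip. A failed Bind() is what the "Bind failures" measure counts; a
#    failed or timed-out SendRequest() is what the search failure/timeout measures count.
function Measure-LdapRead {
    param([string]$Role, [string]$Server, [int]$Port, [int]$TimeoutSec = 5)

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Timeout  = New-TimeSpan -Seconds $TimeoutSec

    $req = New-Object System.DirectoryServices.Protocols.SearchRequest
    $req.Filter = '(objectClass=*)'                                   # DistinguishedName left empty = RootDSE
    $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Base
    [void]$req.Attributes.Add('dnsHostName')
    [void]$req.Attributes.Add('isGlobalCatalogReady')

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $conn.Bind()
        $resp = $conn.SendRequest($req)
        $sw.Stop()
        $entry = $resp.Entries[0]
        New-Object PSObject -Property @{
            Role = $Role; Server = $Server; Port = $Port; Ok = $true
            Ms = $sw.ElapsedMilliseconds
            GCReady = [string]$entry.Attributes['isGlobalCatalogReady'][0]
            Error = ''
        }
    } catch {
        $sw.Stop()
        New-Object PSObject -Property @{
            Role = $Role; Server = $Server; Port = $Port; Ok = $false
            Ms = $sw.ElapsedMilliseconds; GCReady = ''; Error = $_.Exception.Message
        }
    } finally {
        $conn.Dispose()
    }
}

$results = foreach ($t in $targets) { Measure-LdapRead -Role $t.Role -Server $t.Server -Port $t.Port }
$results | Sort-Object Ms -Descending | Format-Table Role, Server, Port, Ok, Ms, GCReady, Error -AutoSize

# Anything unreachable, unbindable, or slower than the alert line gets a warning.
$results | Where-Object { -not $_.Ok -or $_.Ms -gt 100 } | ForEach-Object {
    Write-Warning ("{0} {1}:{2} -> {3} ms {4}" -f $_.Role, $_.Server, $_.Port, $_.Ms, $_.Error)
}
```

A global catalog that answers on 389 but reports isGlobalCatalogReady as FALSE, or one that binds on 389 but not on 3268, is a directory server Exchange will mark unsuitable; running this probe from the Mailbox server itself, rather than from an administrator's workstation, matters because it exercises the same site lookup, Kerberos path and network segment that the Exchange Active Directory Provider uses.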

Target of the test : A server configured with the Mailbox server role

Agent deploying the test : An internal agent

Outputs of the test : One set of results for every domain controller used by the Mailbox server being monitored.

Configurable parameters for the test
Parameters Description

Test Period

How often should the test be executed.

Host

Indicates the IP address of the Mailbox server.

Port

The port number of the Mailbox server. By default, this is 6001.

Measurements made by the test
Measurement Description Measurement Unit Interpretation

LDAP read calls

Indicates the number of base-scope (Depth 0) LDAP read calls per second, that is, reads of a single named object, that the mailbox server role made to this domain controller.

Calls/Sec

 

LDAP search calls

Indicates the number of one-level (Depth 1) or subtree (Depth 2) LDAP search calls per second that the mailbox server role made to this domain controller.

Calls/Sec

 

LDAP searches timed out

Indicates the number of LDAP searches that timed out during the last minute on this domain controller.

Timeouts/min

A high value could indicate any of the following:

  • Loss of the network connection between the Mailbox server role and the Active Directory domain controller
  • Unavailability of the domain controller
  • Critical issues with one or more Active Directory resources

To resolve this, do one or more of the following:

  • Verify network connectivity between the Mailbox server and the domain controllers it uses.
  • Ensure that the domain controllers the Mailbox server uses are up and running.
  • Make sure that none of the Active Directory resources is experiencing performance issues.

LDAP fatal errors

Indicates the number of LDAP errors that caused the Exchange Active Directory Provider to close the LDAP connection without marking the domain controller down during the last minute.

Errors/Min

Ideally, this value should be 0.

LDAP disconnects

Indicates the number of LDAP errors during the last minute that caused the Exchange Active Directory Provider to mark this domain controller down.

Disconnects/Min

Ideally, this value should be 0. Once a domain controller is marked down, the Mailbox server stops sending it requests until the topology is re-evaluated, so the remaining directory servers carry its load.

User search operations failed

Indicates the number of searches issued by Exchange Active Directory Provider clients that failed on this domain controller during the last minute.

Failures/Min

 

Bind failures

Indicates the number of LDAP bind calls to this domain controller that failed during the last minute.

Failures/Min

A large number of bind call failures is a cause for concern, as it can disrupt the execution of Active Directory queries. The bind is the authentication step of an LDAP connection, so a run of failures usually means the Mailbox server could not authenticate to that domain controller (for example, because of Kerberos problems such as clock skew) or the domain controller refused the connection; since Exchange cannot query a domain controller it cannot bind to, investigate promptly.

Long running LDAP operations

Indicates the number of LDAP operations per minute that the mailbox server performed on this domain controller that took longer than the specified threshold. (The default threshold is 15 seconds.)

Operations/Min

A high value generally indicates performance problems on the said domain controller(s) or network congestion.

To resolve this, do one or more of the following:

  • Ensure that the quality of the network link between the Mailbox server and the domain controllers is good.
  • Ensure that the domain controller is not experiencing issues in internal operations. You can investigate CPU usage, as well as disk and memory bottlenecks, on your Active Directory directory service servers.
  • Consider designating a dedicated expansion server (a Hub Transport server) and a dedicated global catalog server for the expansion of dynamic distribution groups and large distribution groups.

LDAP pages retrieved

Indicates the number of additional result pages per second retrieved from this domain controller for paged LDAP searches, that is, searches whose result set exceeds the page size and is returned over several round trips.

Pages/sec

 

Outstanding requests to Active Directory

Indicates the number of currently pending LDAP operations to this domain controller.

Number

A high value of this measure or a steady increase in this value is indicative of the poor query processing capability of the domain controller, and would warrant further investigation.

LDAP read time

Indicates the average time (in ms) taken to send an LDAP read request to the specified domain controller and receive a response.

Msecs

A low value is desired for this measure. A high value or a value that increases consistently is indicative of a gradual slowdown in the domain controller.

LDAP search time

Indicates the average time (in ms) to send an LDAP search request and receive a response.

Msecs

High LDAP search latencies can be caused by high remote procedure call (RPC) latencies on the domain controller and by growing request queues. High LDAP search latencies generally indicate one of the following problems:

  • Performance problem with the network connection to the domain controller.
  • Performance problems with the domain controller itself.

To reduce the time it takes for LDAP searches, do one or more of the following:

  • Ensure that the network performance between the Mailbox server and the domain controllers it uses is not the bottleneck.
  • Check the LDAP search calls measure above for an unexpected surge in the number of searches the Mailbox server is sending to Active Directory.
  • Ensure that this domain controller is not experiencing performance problems. You can investigate CPU usage, as well as disk and memory bottlenecks, on your Active Directory servers.
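The measures in this table are read from Windows performance counters on the Mailbox server, so the same thresholds can be checked ad hoc when the test raises an alert, or from a server the eG agent is not yet deployed on. The script below is an added example, not part of the eG documentation or the eG agent. It assumes Windows PowerShell 2.0 or later on the Mailbox server and uses the counter names of the "MSExchange ADAccess Domain Controllers" counter set as documented for Exchange 2010 (confirm yours with Get-Counter -ListSet 'MSExchange ADAccess Domain Controllers'); the Max values are Microsoft's published guidance for those counters, used here as a starting point to tune against your own baseline, and are not this test's own thresholds.

```powershell
# Added example, not part of the eG documentation or the eG agent: sample the
# per-domain-controller counters behind the measures above for one minute and flag
# any domain controller instance that breaches a threshold.
# Assumptions: Windows PowerShell 2.0+, Exchange 2010 counter names, Max values are
# Microsoft's published guidance (tune to your baseline).

$set = 'MSExchange ADAccess Domain Controllers'
$checks = @(
    @{ Counter = 'LDAP Read Time';                     Max = 50 },   # ms, average; peaks above 2x Max also flagged
    @{ Counter = 'LDAP Search Time';                   Max = 50 },   # ms
    @{ Counter = 'LDAP Searches timed out per minute'; Max = 10 },   # timeouts/min
    @{ Counter = 'Long running LDAP operations/Min';   Max = 50 }    # operations/min
)

# One counter path per check; the wildcard instance covers every DC Exchange is talking to.
$paths = foreach ($c in $checks) { '\{0}(*)\{1}' -f $set, $c.Counter }

# 12 samples 5 s apart = one minute of data, matching the per-minute measures above.
$samples = (Get-Counter -Counter $paths -SampleInterval 5 -MaxSamples 12).CounterSamples

function Get-CounterName([string]$Path) {
    # Sample paths look like: \\host\msexchange adaccess domain controllers(dc01.example.com)\ldap read time
    $Path.Substring($Path.LastIndexOf('\') + 1)
}

$report = foreach ($chk in $checks) {
    # -eq is case-insensitive, so the lower-cased sample path matches the documented name.
    $mine = $samples | Where-Object { (Get-CounterName $_.Path) -eq $chk.Counter }
    foreach ($grp in ($mine | Group-Object InstanceName)) {
        $stats  = $grp.Group | Measure-Object CookedValue -Average -Maximum
        $status = if ($stats.Average -gt $chk.Max -or $stats.Maximum -gt 2 * $chk.Max) { 'ALERT' } else { 'ok' }
        New-Object PSObject -Property @{
            DomainController = $grp.Name
            Counter   = $chk.Counter
            Average   = [math]::Round($stats.Average, 1)
            Peak      = [math]::Round($stats.Maximum, 1)
            Threshold = $chk.Max
            Status    = $status
        }
    }
}

$report | Sort-Object DomainController, Counter |
    Format-Table DomainController, Counter, Average, Peak, Threshold, Status -AutoSize

# Non-zero exit when anything is in ALERT, so the script can run under a scheduler
# or be wrapped by another monitor.
if ($report | Where-Object { $_.Status -eq 'ALERT' }) { exit 1 }
```

Because every counter in this set is instanced per domain controller, a breach on one instance while the others stay healthy points at that domain controller or the path to it, whereas a breach across all instances at once points at the Mailbox server itself or at a surge in the queries it is issuing.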