Hi Alan,

How would you define "intensive"?  I've not seen any way to do query-based
user-specific rate-limiting in AD.  The closest thing is the LDAP query
policy, but that is probably not what you were looking for (Q315071).
Object quotas are new as of .NET AD, but only apply to limiting the number
of objects created, not queried.

We've encountered this issue quite frequently as well.  A lot of vendors
tend to prefer sucking out data from AD and storing it locally in a DB as
opposed to doing real-time queries.  And even though there are a few
different ways to track changes in AD
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/overview_of_change_tracking_techniques.asp),
each method has issues and most find it easier to just do periodic dumps.

Another issue on this front is simply identifying when clients are
performing these intensive queries.  We do real-time monitoring on the LDAP
and DS counters in the NTDS perfmon object and alert when they reach certain
thresholds (I can provide the thresholds if people are interested).  In some
cases we've had to resort to running netmon for extended periods of time to
track down the offender.  What I'd really like to see is a log of all LDAP
queries and parameters, client IP, query duration, and number of entries
returned.  Most other directory servers have this capability and it is
extremely helpful especially post-incident.  The "LDAP Interface Events"
diagnostics logging (Q220940) provides some of this data, but not all.  Here
is an example event:

Event Type:     Information
Event Source:   NTDS LDAP
Event Category: LDAP Interface 
Event ID:       1139
Date:           12/8/2002
Time:           6:29:38 AM
User:           AD-VM\administrator
Computer:       AD-01
Description:
Internal event: Function ldap_search completed with an elapsed time of 20
ms. 

And of course you can always deny certain clients from querying AD by
setting the IP Deny List (via ntdsutil), but I doubt that is what you had in
mind.

Robbie Allen
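A small parser for the exported "LDAP Interface Events" text shown above, added here as an example and not code from the original post: it pulls the user, computer and elapsed time out of each Event ID 1139 record, flags ldap_search calls at or above a threshold, and counts them per user so the heavy client can be found without a netmon trace. The sample events and the 1000 ms threshold are constructed for illustration.

```python
import re
from collections import Counter

# Export format of the "LDAP Interface Events" record shown in the post;
# the values filled in below are constructed for illustration.
TEMPLATE = """Event Type:     Information
Event Source:   NTDS LDAP
Event Category: LDAP Interface
Event ID:       1139
Date:           12/8/2002
Time:           {time}
User:           {user}
Computer:       AD-01
Description:
Internal event: Function {func} completed with an elapsed time of {ms}
ms.
"""

SAMPLE_LOG = "\n".join(TEMPLATE.format(**e) for e in [
    dict(time="6:29:38 AM", user="AD-VM\\administrator", func="ldap_search", ms=20),
    dict(time="6:31:02 AM", user="AD-VM\\svc-dump", func="ldap_search", ms=4850),
    dict(time="6:31:09 AM", user="AD-VM\\svc-dump", func="ldap_bind", ms=3),
    dict(time="6:31:40 AM", user="AD-VM\\svc-dump", func="ldap_search", ms=6120),
])

FIELD_RE = re.compile(r"^(Event ID|Time|User|Computer):\s+(.*)$", re.MULTILINE)
# The export wraps the description after the number, so allow a newline before "ms".
ELAPSED_RE = re.compile(r"Function (\w+) completed with an elapsed time of (\d+)\s*ms")

def parse_events(text):
    """Split exported Event Viewer text into records; keep only Event ID 1139."""
    events = []
    for block in re.split(r"\n(?=Event Type:)", text):
        fields = dict(FIELD_RE.findall(block))
        m = ELAPSED_RE.search(block)
        if fields.get("Event ID") != "1139" or not m:
            continue
        events.append({"time": fields["Time"], "user": fields["User"],
                       "computer": fields["Computer"],
                       "function": m.group(1), "elapsed_ms": int(m.group(2))})
    return events

def slow_searches(events, threshold_ms):
    """ldap_search calls whose elapsed time is at or above the threshold."""
    return [e for e in events
            if e["function"] == "ldap_search" and e["elapsed_ms"] >= threshold_ms]

def offenders(events, threshold_ms):
    """Slow-search count per user, most frequent first, for tracking down the client."""
    return Counter(e["user"] for e in slow_searches(events, threshold_ms)).most_common()
```

As the post notes, the 1139 event carries no client IP, filter or entry count, so the user and computer fields are all this gives you to correlate against perfmon or netmon data.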

> -----Original Message-----
> From: Isham, Alan A [mailto:[EMAIL PROTECTED]] 
> Sent: Friday, December 06, 2002 4:00 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] CSVDE/ADSI queries causing mini denial 
> of service attacks
> 
> 
> Background: In recent months, we have discovered (reactively) a number
> of customers who are content dumping the entire Workers OU (70,000+
> objects) at pretty frequent intervals, which is causing mini denial of
> service attacks on our domain controllers in small pipe locations.
> 
> Has anyone limited access to their production Windows 2000 Active
> Directory forests to prevent users from running intensive CSVDE/ADSI
> queries against their domain controllers?  If so, how?  Through
> technology?  Through policy?  Both?
> 
> --
> Alan A. Isham, IT Product Manager
> Messaging and Active Directory Engineering 
> Intel Corporation
> 
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> 