To turn on LDAP client tracing, follow these steps:
1. Create the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ldap\Tracing\<ProcessName>
"ProcessName" is the full name of the process that you want to trace, including its extension, for example "ldp.exe". Inside this key, you can place an optional value of type DWORD that is named "PID". If this optional value is set to a process ID, only the instance of the application with this process ID will be traced.
2. To start a tracing session, execute the following command:
logman create trace "ds_ds" -ow -o c:\ds_ds.etl -p "Microsoft-Windows-LDAP-Client" 0x1a59afa3 0xff -nb 16 16 -bs 1024 -mode Circular -f bincirc -max 4096 -ets
The value 0x1a59afa3 in this command is the "traceFlags" mask. See the "traceFlags" reference below.
3. Now reproduce the behavior you wish to investigate.
4. To stop a tracing session, execute the following command:
logman stop "ds_ds" -ets
To view the trace, you have several options:
1. Open the ETL file in Network Monitor 3.4 or newer. The log lines will show as payload data in the "frames". Using the Simple Text Search Expert you can search for object names to locate the LDAP transaction referencing key objects.
2. You can also use the XPerf Viewer "XPERFVIEW" to show these log entries. When the ETL is loaded, select the time interval to cover all events shown as squares. Right-click the selection and select "Summary Table". In the new window, expand the Task Name "0". The LDAP client activity already appears as log lines. The viewer does not allow you to search or filter the events.
You can select log lines, copy them to the clipboard, and paste them into a text editor to search and filter them.
3. Another option to create text-based logs is to decode the ETL file as TXT:
netsh trace convert input=c:\ds_ds.etl output=LDAP_CLIENT-formatted.txt
See the 'NETSH trace convert' help for more output options.
The "traceFlags" value can be one of the following values or a combination of these bits:
Windows Vista/Server 2008:
DEBUG_TRACE1 0x00000001
DEBUG_TRACE2 0x00000002
Windows 7/Server 2008 R2 and most likely newer OS:
DEBUG_SEARCH 0x00000001 - Detailed tracking of read-style requests
DEBUG_WRITE 0x00000002 - Detailed tracking of write-style requests
The other flags are the same for both OS versions:
DEBUG_REFCNT 0x00000004
DEBUG_HEAP 0x00000008
DEBUG_CACHE 0x00000010
DEBUG_SSL 0x00000020
DEBUG_SPEWSEARCH 0x00000040
DEBUG_SERVERDOWN 0x00000080
DEBUG_CONNECT 0x00000100
DEBUG_RECONNECT 0x00000200
DEBUG_RECEIVEDATA 0x00000400
DEBUG_BYTES_SENT 0x00000800
DEBUG_EOM 0x00001000
DEBUG_BER 0x00002000
DEBUG_OUTMEMORY 0x00004000
DEBUG_CONTROLS 0x00008000
DEBUG_BYTES_RECEIVED 0x00010000
DEBUG_CLDAP 0x00020000
DEBUG_FILTER 0x00040000
DEBUG_BIND 0x00080000
DEBUG_NETWORK_ERRORS 0x00100000
DEBUG_SCRATCH 0x00200000
DEBUG_PARSE 0x00400000
DEBUG_REFERRALS 0x00800000
DEBUG_REQUEST 0x01000000
DEBUG_CONNECTION 0x02000000
DEBUG_INIT_TERM 0x04000000
DEBUG_API_ERRORS 0x08000000
DEBUG_ERRORS 0x10000000
A description of the flag meanings can be found at:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa366152(v=vs.85).aspx
Suggestions for flag combinations:
- Log settings that should get the information you need most of the time: 0x1A59AFA3.
- Get information on connection establishment problems: 0x18180380.
- Verbose session information: 0x1bddbf73.
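The procedure above as one script, an added example that is not part of the original article: it builds the traceFlags mask from the flag names in the table, runs steps 1 to 4 for one process, converts the ETL to text, and removes the registry key afterwards (a cleanup step the article does not describe). The function name Invoke-LdapClientTrace, its parameters, the $LdapTraceFlag table and the .txt output path are assumptions of this example; the flag names drop the DEBUG_ prefix.

```powershell
#Requires -RunAsAdministrator
# Added example. Function, parameter and variable names are illustrative.
# Flag values are the article's table (bits 0x1/0x2 are DEBUG_TRACE1/2 on Vista/2008).
$LdapTraceFlag = @{
    SEARCH = 0x1; WRITE = 0x2; REFCNT = 0x4; HEAP = 0x8; CACHE = 0x10; SSL = 0x20
    SPEWSEARCH = 0x40; SERVERDOWN = 0x80; CONNECT = 0x100; RECONNECT = 0x200
    RECEIVEDATA = 0x400; BYTES_SENT = 0x800; EOM = 0x1000; BER = 0x2000
    OUTMEMORY = 0x4000; CONTROLS = 0x8000; BYTES_RECEIVED = 0x10000; CLDAP = 0x20000
    FILTER = 0x40000; BIND = 0x80000; NETWORK_ERRORS = 0x100000; SCRATCH = 0x200000
    PARSE = 0x400000; REFERRALS = 0x800000; REQUEST = 0x1000000
    CONNECTION = 0x2000000; INIT_TERM = 0x4000000; API_ERRORS = 0x8000000
    ERRORS = 0x10000000
}

function Invoke-LdapClientTrace {
    param(
        [Parameter(Mandatory)][string]$ProcessName,  # full image name, e.g. ldp.exe
        [string[]]$Flags,                            # keys of $LdapTraceFlag
        [int]$ProcessId,                             # optional "PID" filter
        [string]$EtlPath = 'C:\ds_ds.etl'
    )
    $mask = 0x1A59AFA3                               # article's general-purpose mask
    if ($Flags) {
        $mask = 0
        foreach ($f in $Flags) {
            if (-not $LdapTraceFlag.ContainsKey($f)) { throw "Unknown trace flag: $f" }
            $mask = $mask -bor $LdapTraceFlag[$f]
        }
    }
    # Step 1: opt the process in. -Force also resets a key that already exists.
    $key = "HKLM:\System\CurrentControlSet\Services\ldap\Tracing\$ProcessName"
    New-Item -Path $key -Force | Out-Null
    if ($ProcessId) {
        New-ItemProperty -Path $key -Name PID -PropertyType DWord -Value $ProcessId -Force | Out-Null
    }
    $started = $false
    try {
        $logmanArgs = 'create', 'trace', 'ds_ds', '-ow', '-o', $EtlPath, '-p', 'Microsoft-Windows-LDAP-Client',
            ('0x{0:x8}' -f $mask), '0xff', '-nb', '16', '16', '-bs', '1024',
            '-mode', 'Circular', '-f', 'bincirc', '-max', '4096', '-ets'
        & logman @logmanArgs                                            # step 2
        if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }
        $started = $true
        Read-Host 'Tracing. Reproduce the behavior, then press Enter' | Out-Null   # step 3
    }
    finally {
        if ($started) { & logman stop ds_ds -ets | Out-Null }          # step 4
        Remove-Item -Path $key -Recurse -Force       # cleanup (this example's addition)
    }
    & netsh trace convert "input=$EtlPath" "output=$($EtlPath).txt"    # decode to text
}
```

Calling it with -Flags ERRORS,API_ERRORS,NETWORK_ERRORS,BIND,RECONNECT,CONNECT,SERVERDOWN produces 0x18180380, the connection-establishment mask suggested above.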