Wednesday, 22 December 2021

Monitoring LDAP queries

Enable Field Engineering: HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Diagnostics. Set '15 Field Engineering' to '5'.

Event ID 1643: number of LDAP searches.

Event ID 2889: insecure LDAP bind.

Event ID 2887: daily summary of insecure LDAP binds.

Event ID 1644: recent LDAP query.

Event ID 1535: error from LDAP server.

Event ID 1317: LDAP timeout.

Thresholds: HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Parameters

Inefficient Search Results Threshold, REG_DWORD - default 1000 - how many entries a search must return to be treated as inefficient.

Expensive Search Results Threshold, REG_DWORD - default 10000 - the same, for expensive searches.

Search Time Threshold (msecs), REG_DWORD - default 30000 - how long a query must take to be written to the event log as event ID 1644.
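
Putting the registry settings and the event IDs above together, here is an added PowerShell example (my own, not from the original post) that enables the diagnostics, sets the three thresholds, and pulls the resulting 1644 and 2889 events out of the Directory Service log. It assumes it runs elevated on a domain controller; the threshold values are the documented defaults and only illustrate the writes; the field labels used for parsing ("Client", "Starting node", "Visited entries", "Search time (ms)", "Client IP address") are assumed to match the event text on current Windows Server builds; the sample message is constructed, not a real capture. The 2889/2887 bind events are switched on by the separate '16 LDAP Interface Events' diagnostic, not by Field Engineering.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumes an elevated session on a
# domain controller; threshold values are illustrative, not recommendations.

$Diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# --- 1. Turn the diagnostics on --------------------------------------------
# Field Engineering level 5 makes the DC log 1644 (per expensive/inefficient
# query) and the periodic 1643 search summaries.
Set-ItemProperty -Path $Diag -Name '15 Field Engineering' -Value 5 -Type DWord
# 2889 (unsigned / cleartext simple bind) and the daily 2887 summary are
# controlled by a different diagnostic value; level 2 logs every such bind.
Set-ItemProperty -Path $Diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# --- 2. Thresholds that decide which queries produce a 1644 event -----------
# Values shown are the defaults; lower them temporarily to see more queries.
$Thresholds = @{
    'Inefficient Search Results Threshold' = 1000
    'Expensive Search Results Threshold'   = 10000
    'Search Time Threshold (msecs)'        = 30000
}
foreach ($name in $Thresholds.Keys) {
    Set-ItemProperty -Path $Params -Name $name -Value $Thresholds[$name] -Type DWord
}

# --- 3. Parse "Label: value" fields out of an event message -----------------
function Get-EventField {
    param([string]$Message, [string]$Label)
    # Works whether the value follows the label on the same line (1644) or on
    # the next line (2889); label wording is an assumption about current builds.
    $pattern = '(?m)^\s*' + [regex]::Escape($Label) + ':\s*(.*?)\s*$'
    if ($Message -match $pattern) { $Matches[1] } else { $null }
}

function ConvertFrom-LdapSearchEvent {
    param([Parameter(Mandatory)][string]$Message)
    [pscustomobject]@{
        Client   = Get-EventField $Message 'Client'
        BaseDN   = Get-EventField $Message 'Starting node'
        Filter   = Get-EventField $Message 'Filter'
        Visited  = [int](Get-EventField $Message 'Visited entries')
        Returned = [int](Get-EventField $Message 'Returned entries')
        TimeMs   = [int](Get-EventField $Message 'Search time (ms)')
    }
}

# Constructed sample in the 1644 layout (not a real capture): a wide, slow
# query that visited many entries to return a handful, the classic "inefficient".
$sample = @"
Internal event: A client issued a search operation with the following options.
Client: 10.0.0.25:49811
Starting node: DC=corp,DC=example
Filter: (objectClass=*)
Search scope: subtree
Visited entries: 48213
Returned entries: 12
Search time (ms): 4120
"@
ConvertFrom-LdapSearchEvent -Message $sample | Format-List

# --- 4. Read the live log (silently empty when run off a DC) ----------------
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-LdapSearchEvent -Message $_.Message } |
    Sort-Object Visited -Descending | Select-Object -First 20 | Format-Table -AutoSize

# Which source addresses are still binding unsigned / in cleartext (2889).
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventField -Message $_.Message -Label 'Client IP address' } |
    Group-Object | Sort-Object Count -Descending | Select-Object Count, Name
```

The parsing is done on the event message text rather than on positional Properties entries so it does not depend on the field order of a particular OS build; the sample object shows what one row of the 1644 output looks like before any real events are available.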