Monitoring LDAP querries

Enable Field Engineering - HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Diagnostics. Set '15 Field Engineering' to '5'

Event ID 1643: No. of LDAP searches.

event ID 2889: unsecure ldap bind

event ID 2887: daily unsecure ldap binds

event ID 1644: recent ldap query

event ID 1535: error from ldap server

event ID 1317: ldap timeout
HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Parameters
Inefficient Search Results Threshold, REG_DWORD - default 1000 - how many entries should be returned to treat is like inefficient,
Expensive Search Results Threshold, REG_DWORD - default 10000 - like inefficients
Search Time Threshold (msecs), REG_DWORD - default 30000 - how long query must take to be stored in event log as 1644 event id