PowerShell script to check LDAP search timings on Domain Controllers

By | December 24, 2014

Another quick one to finish the year off. Here’s a script that runs an LDAP query against all of the DCs in the forest and reports how long the query took on each. The intention is to identify any DCs that are responding slowly for some reason. In the example below, I’ve chosen to run my query against the schema partition, as this will be consistent across all DCs in the forest, regardless of domain. If you have a single-domain forest, you might want to swap this for a really inefficient query against something in the domain partition.

The script uses WinRM to run the query on each DC directly. I did it that way to remove network latency as an influence on the response timings. If not all of your DCs are running Windows Server 2012 (or later), you will need to explicitly enable WinRM on the older ones to allow the script to talk to them.

 

#########################################################
#
# Name: Get-LDAPSearchTimings.ps1
# Author: Tony Murray
# Version: 1.0
# Date: 29/11/2014
# Comment: PowerShell script to
# obtain LDAP search times from all DCs in the forest
#
#########################################################

Import-Module ActiveDirectory # Imports the AD module (if required)

$domains = (Get-ADForest).domains
$dcs = @()
foreach ($domain in $domains){
    [string]$ddc = (Get-ADDomainController -DomainName $domain -Discover).hostname
    $ddcs = Get-ADDomainController -Filter * -Server $ddc
    foreach ($srv in $ddcs) {
       $name = $srv.hostname
       $dcs += $name
    } # end foreach
} # end foreach

foreach ($DC in $DCs) {
    $sc = {
        ipmo ActiveDirectory
        $sb = (Get-ADRootDSE).schemaNamingContext
        #$sb = (Get-ADRootDSE).DefaultNamingContext
        $fl = "(adminDescription=*name*)"
        #$fl = "(title=*manager*)"
        $ex = {Get-ADObject -LDAPFilter $fl -searchbase $sb -server localhost}
        (Measure-Command -Ex $ex).TotalSeconds
    } # end script block
    $mc = Invoke-Command -ComputerName $DC -ScriptBlock $sc
    write-host "Search took $mc seconds on $DC in AD Site $((get-addomaincontroller $dc -server $dc).site)"
} # end foreach

 

The output should look something like this:

[Image: get-ldapsearchtimings]
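A variant of the same measurement that takes several samples per DC, records WinRM failures instead of printing an empty timing, and flags DCs whose median is well above the forest median. This is an added example, not the author's script; `$Samples`, `$SlowRatio` and the `Slow` column are assumptions chosen for illustration.

```powershell
Import-Module ActiveDirectory

$Samples   = 5     # assumption: number of searches to time on each DC
$SlowRatio = 2.0   # assumption: flag a DC slower than 2x the forest median

# Enumerate every DC in every domain of the forest (same approach as the script above)
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    [string]$ddc = (Get-ADDomainController -DomainName $domain -Discover).HostName
    (Get-ADDomainController -Filter * -Server $ddc).HostName
}

# Runs on the DC itself, so network latency does not influence the timings
$probe = {
    param($count)
    Import-Module ActiveDirectory
    $sb = (Get-ADRootDSE).schemaNamingContext
    $fl = '(adminDescription=*name*)'
    1..$count | ForEach-Object {
        (Measure-Command { Get-ADObject -LDAPFilter $fl -SearchBase $sb -Server localhost }).TotalSeconds
    }
}

$results = foreach ($dc in $dcs) {
    try {
        $t = Invoke-Command -ComputerName $dc -ScriptBlock $probe -ArgumentList $Samples -ErrorAction Stop
        $sorted = @($t | Sort-Object)
        [pscustomobject]@{
            DC        = $dc
            MedianSec = $sorted[[int][math]::Floor($sorted.Count / 2)]  # upper median for even counts
            MaxSec    = $sorted[-1]
            Error     = $null
        }
    } catch {
        # An unreachable DC or disabled WinRM is reported, not silently skipped
        [pscustomobject]@{ DC = $dc; MedianSec = $null; MaxSec = $null; Error = $_.Exception.Message }
    }
}

# Forest-wide median of the per-DC medians, over the DCs that answered
$forestMedian = 0
$ok = @($results | Where-Object { $null -eq $_.Error } | Sort-Object MedianSec)
if ($ok.Count -gt 0) { $forestMedian = $ok[[int][math]::Floor($ok.Count / 2)].MedianSec }

$results |
    Select-Object DC, MedianSec, MaxSec,
        @{ n = 'Slow'; e = { ($null -eq $_.Error) -and ($_.MedianSec -gt $forestMedian * $SlowRatio) } },
        Error |
    Sort-Object MedianSec -Descending |
    Format-Table -AutoSize
```

Comparing against the forest median rather than a fixed number of seconds keeps the check usable when the filter or search base is changed to a heavier query.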
