Tracking all LDAP activity on a specific DC is not trivial to achieve with the native toolset. I recently posted an article over at ActiveDir.org that showed how to log all LDAP activity by enabling diagnostic logging and tweaking the inefficient and expensive LDAP search thresholds. The article is available here:
http://www.activedir.org/article.aspx?aid=97
One limitation of that approach is that it does not help with LDAP failures. The diagnostic logging records searches that the DC processed, so it will not show, for example, LDAP operations that failed with protocol errors.
When troubleshooting an application that is exhibiting LDAP problems, another alternative is to trace the activity at the network level using tools such as Ethereal or Microsoft's NetMon. The information available from a trace is certainly detailed, but troubleshooting can be a little like finding a needle in a haystack, especially if the traffic is encrypted over an SSL connection, in which case you see the session but not the searches inside it. You could also look at command-line tools such as LogMan and TraceRpt, which collect and report on Event Tracing for Windows (ETW) data.
Last year Microsoft published version 2.0 of the Server Performance Advisor (http://www.microsoft.com/downloads/details.aspx?FamilyID=09115420-8c9d-46b9-a9a5-9bffcd237da2&DisplayLang=en). The main function of the tool is performance diagnostics, and it provides specialised reports, including a System Overview and reports for server roles such as Active Directory, Internet Information Services (IIS), DNS, Terminal Services, SQL, print spooler, and others. I recently started looking at the tool to see what its capabilities were in regard to Active Directory. What I've seen so far has been very impressive. I've only scratched the surface of the capabilities of the tool and already it's paying dividends. Perhaps the most useful feature I've found so far is the ability to trace LDAP activity, as described in the remainder of this article.
Once you have downloaded and installed the tool on the target Domain Controller, start it up and enable the Scope Tree view as shown below.

Expand the Tree to show the Data Collectors and Reports item. Right-click Active Directory and select Properties, as shown below.

In the Properties window change the Expert Level in the Reports section to 10. This is the maximum value and ensures that the diagnostic reports show the maximum amount of detail. This is an important step - without it you will not be able to see the required level of LDAP activity in the report. [Thanks are due here to Steve Linehan at Microsoft for giving me this tip - thanks Steve.]

At this point you are ready to start recording activity on the local DC. To do this, highlight Active Directory in the Tree view and click the green arrow in the top left-hand corner (F9 will also work). You will see a progress bar appear at the bottom of the SPA window. The default recording time is 500 seconds, but you can change this on the Schedule tab of the Active Directory properties (in Tree view).

While the recording is running, issue the LDAP searches you want to trace against the DC. Note that the amount of information being gathered is large and the collection itself has a performance impact on the DC, so keep recordings short on a busy production server.
When the recording has completed, SPA will automatically generate a report. This can take some time, during which you will see the following text in the notification area. Again, the CPU overhead of the data analysis is high, so you might consider generating the report on another machine (SPA supports running the data analyser on a separate machine, but the data collection must be done locally on the DC).

When the report has been generated, navigate to the Current report in the Tree view.

There is a significant amount of information to browse through, as the list of Active Directory report sections below shows.

Click on Unique Searches to go to the section of the report listing all LDAP searches. You should be able to find the search you issued during the recording by browsing through the full list. Be aware that there might be a very large number of searches, especially on a production DC.

The level of detail for each search is impressive. You will see the requesting client (resolved name or IP address), the base DN, the search scope (deep = subtree), the search filter, the number of objects visited and returned...and a fair bit more.
I find the report format quite hard to navigate because of the amount of information generated. As an alternative you have the option to open the raw XML file (AD.XML) by opening the folder that contains the traces and reports.

If you open the XML file in Notepad (or editor of choice) you can easily find your LDAP search of interest. A sample extract from the AD.XML file is shown below.
<item level="1">
<data name="Client" note="Address 192.168.5.67">W2K3R2TPL</data>
<data name="Choice">deep</data>
<data name="ObjDn">DC=north,DC=com</data>
<data name="Filter">( A (objectClass=user) (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=north,DC=com) (sAMAccountName=a*) )</data>
<data name="Index">idx_objectCategory:7:N;</data>
<data name="DsSimpleStatus">Success</data>
<data name="ObjVisited">7</data>
<data name="ObjReturned">2</data>
<data name="requestRate">0.01</data>
<data name="responseTime">75</data>
<data name="cpu">0.00</data>
</item>
In this extract the information shows that the LDAP search was issued by a computer named W2K3R2TPL with an IP address of 192.168.5.67. The search base was DC=north,DC=com and it was a subtree search ("deep"). The filter was (&(objectClass=user)(objectCategory=Person)(sAMAccountName=a*)); note that the trace records objectCategory expanded to the full DN of the Person class in the schema. The Index line shows the search was satisfied from the objectCategory index, and the search was successful, visiting 7 objects and returning 2 results. It is also clear that the DC was not overly taxed by the search, as the cpu figure didn't register above 0.00.
This example shows a normal, successful search, but the same fields would just as easily flag a problem: a DsSimpleStatus other than Success, an unusually high cpu figure, a long responseTime, or a large number of objects visited relative to the number returned, which is the signature of an unindexed or inefficient search.
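Because the XML is easier to process than to read, the following script is added here as an example of that triage; it is not part of the original article or of SPA. It parses the <item> records of an AD.XML report into dictionaries and flags each search that failed, looked expensive or inefficient, or consumed noticeable CPU. The thresholds for "expensive" and "inefficient" default to the values the directory service uses for its own search diagnostics (more than 10,000 objects visited; more than 1,000 visited with fewer than 10% returned); the CPU threshold, the <report> root element and the assumption that every search record carries a Filter element are assumptions of this example. The embedded sample report is constructed: its first item is the extract above, the other two are made up to exercise the checks.

```python
"""Triage LDAP searches recorded in an SPA Active Directory report (AD.XML)."""
import xml.etree.ElementTree as ET

# Thresholds. The first three mirror the defaults of the directory service's
# expensive/inefficient search diagnostics; HIGH_CPU is an assumed cut-off for
# SPA's "cpu" figure. Tune all of them for your own DC.
EXPENSIVE_VISITED = 10_000        # expensive: visited more objects than this
INEFFICIENT_VISITED = 1_000       # inefficient: visited more than this ...
INEFFICIENT_RETURN_RATIO = 0.10   # ... and returned fewer than 10% of them
HIGH_CPU = 1.0                    # assumed threshold for the "cpu" field

# Constructed sample in the shape of the AD.XML extract (the <report> root is
# an assumption). Item 1 is the article's own; items 2 and 3 are made up.
SAMPLE_AD_XML = """<report>
<item level="1">
<data name="Client" note="Address 192.168.5.67">W2K3R2TPL</data>
<data name="Choice">deep</data>
<data name="ObjDn">DC=north,DC=com</data>
<data name="Filter">( A (objectClass=user) (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=north,DC=com) (sAMAccountName=a*) )</data>
<data name="Index">idx_objectCategory:7:N;</data>
<data name="DsSimpleStatus">Success</data>
<data name="ObjVisited">7</data>
<data name="ObjReturned">2</data>
<data name="requestRate">0.01</data>
<data name="responseTime">75</data>
<data name="cpu">0.00</data>
</item>
<item level="1">
<data name="Client" note="Address 192.168.5.80">APPSRV01</data>
<data name="Choice">deep</data>
<data name="ObjDn">DC=north,DC=com</data>
<data name="Filter">( A (objectClass=*) (description=*sales*) )</data>
<data name="Index"></data>
<data name="DsSimpleStatus">Success</data>
<data name="ObjVisited">52000</data>
<data name="ObjReturned">12</data>
<data name="requestRate">0.20</data>
<data name="responseTime">8400</data>
<data name="cpu">3.45</data>
</item>
<item level="1">
<data name="Client" note="Address 192.168.5.81">APPSRV02</data>
<data name="Choice">deep</data>
<data name="ObjDn">OU=Missing,DC=north,DC=com</data>
<data name="Filter">(cn=svc*)</data>
<data name="Index"></data>
<data name="DsSimpleStatus">Busy</data>
<data name="ObjVisited">0</data>
<data name="ObjReturned">0</data>
<data name="requestRate">0.01</data>
<data name="responseTime">3</data>
<data name="cpu">0.00</data>
</item>
</report>"""


def parse_searches(xml_text):
    """Return one dict per search <item>, keyed by the <data name="..."> values.

    The Client element's note attribute (the IP address) is kept as Client_note.
    Items without a Filter element are not searches and are skipped.
    """
    root = ET.fromstring(xml_text)
    searches = []
    for item in root.iter("item"):
        fields = {}
        for data in item.findall("data"):
            name = data.get("name")
            fields[name] = (data.text or "").strip()
            if data.get("note"):
                fields[name + "_note"] = data.get("note")
        if "Filter" in fields:
            searches.append(fields)
    return searches


def triage(search):
    """Return the reasons this search deserves a look; empty list if none."""
    reasons = []
    status = search.get("DsSimpleStatus", "")
    if status != "Success":
        reasons.append(f"status={status}")
    visited = int(search.get("ObjVisited") or 0)
    returned = int(search.get("ObjReturned") or 0)
    if visited > EXPENSIVE_VISITED:
        reasons.append(f"expensive: visited {visited}")
    if visited > INEFFICIENT_VISITED and returned < visited * INEFFICIENT_RETURN_RATIO:
        reasons.append(f"inefficient: visited {visited}, returned {returned}")
    cpu = float(search.get("cpu") or 0)
    if cpu > HIGH_CPU:
        reasons.append(f"high cpu: {cpu:.2f}")
    return reasons


def find_searches(xml_text, client=None, filter_contains=None):
    """Locate searches by client name/IP substring and/or filter substring."""
    hits = []
    for s in parse_searches(xml_text):
        who = s.get("Client", "") + " " + s.get("Client_note", "")
        if client and client not in who:
            continue
        if filter_contains and filter_contains not in s.get("Filter", ""):
            continue
        hits.append(s)
    return hits


def flagged_searches(xml_text):
    """Return (search, reasons) pairs for every search that triage flags."""
    return [(s, triage(s)) for s in parse_searches(xml_text) if triage(s)]


if __name__ == "__main__":
    # Replace SAMPLE_AD_XML with open("AD.XML").read() to process a real report.
    for s, reasons in flagged_searches(SAMPLE_AD_XML):
        print(s["Client"], s.get("Client_note", ""), s["ObjDn"], s["Filter"])
        for r in reasons:
            print("   ", r)
```

On a real report, point the script at the AD.XML in the SPA report folder and filter with find_searches() on the client name or a fragment of the filter before reading the flagged list; on a production DC the report can contain thousands of items and the inefficient-search check is usually the first thing worth looking at.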
The Server Performance Advisor (SPA) is capable of much more than tracking LDAP activity and it is certainly worth spending more time exploring the feature set. As a starting point I would recommend looking at MVP Gil Kirkpatrick's session on AD performance here:
http://www.netpro.com/community/medialibrary.cfm.
Tony
www.activedir.org