Continuously check LDAP connectivity to Domain Controllers ( LDAP Heartbeat Check)

Question

working on developing script which runs via schedule task ; whole purpose of it is to target few domain controllers and continuously(for every 2 sec) do a ldap query targeting that particular DC and dump the output to a csv find.Essentially, i am doing the below steps.

$root = [ADSI]"LDAP://CN=$TargetDCName,OU=Domain Controllers,DC=Fabricom,DC=com"
$search = [adsisearcher]$root
$Search.Filter = "(&(objectClass=computer))"
$Search.SearchScope = "base"
$Obj = $Search.Findone()
$Obj = $Obj.Path
$DateFormatted = Get-Date -uformat "%Y-%m-%d_%I-%M-%S-%p"
$Data = $DateFormatted + "," + $TargetDCName+ "," + "$Obj"
Add-Content -Path $Path -Value $Data

Now i am getting few doubts; 1.) Does what i am doing above make sense as LDAP connectivity check, since i am querying a DC using the same DC as a ROOT/Base.(Does the above code confirm that LDAP connectivity exists to that particular DC from any application which is correctly configured?)

2.) This question is regarding powershell , how to obtain LDAP error logs in powershell? I want to test it against a non existent or a DC which is shut down, what log event i should expect and how to capture it.

3.) Same as question 2, if DC is having replication issues, does it effect LDAP connectivity? what logs should be captured and how? Below are some of the replication errors , does any of these events cause issue to LDAP connectivity?

** -> (1256) The remote system is not available. For information about network troubleshooting, see Windows Help. ->(1722) The RPC server is unavailable. ->(8206) The directory service is busy. ->(8438) The directory service is too busy to complete the replication operation at this time.**

4.) How to Identify Latency of an LDAP query? Since this script runs on its own, is there a way to determine what time its took or measure its latency?

please do let me know if more information is required.

Answer 1

Does what i am doing above make sense as LDAP connectivity check

Running this every 2 seconds is overkill. It's too much. If you're going to do this, consider lengthening the interval to only checking once every 5 minutes or so. LDAP servers are not so prone to crashing that you need to check them every 2 seconds.

Does the above code confirm that LDAP connectivity exists to that particular DC from any application which is correctly configured?)

Yes it will test an LDAP connection. It is not the only way, and it may or may not be the best way, but it is one way.

I'm also skeptical about how you output to a CSV on every iteration of the script (every 2 seconds!) and simply overwrite the same CSV every iteration. If you instead sent the output to, say, a SQL database and added a row every time your script ran, you would have a lot more contextual data. For instance, you could query the DB and see that you had a 30-minute outage from 10:00 AM to 10:30 AM, and then you had a 5 minute outage from 11:45 AM to 11:50 AM on July 7th, etc.

This question is regarding powershell , how to obtain LDAP error logs in powershell? I want to test it against a non existent or a DC which is shut down, what log event i should expect and how to capture it.

You need to create your own event logging. Powershell doesn't automatically log every error and exception without you asking it to. Consider using Start-Transcript to log your Powershell sessions to a file. Or you can use the New-Event cmdlet to create your own custom event log messages. Use Try/Catch blocks to easily catch exceptions. You can also make use of the $Error variable in your scripts to see the last error.

Same as question 2, if DC is having replication issues, what logs should be captured and how?

This is not an appropriate way of testing for replication issues on a domain controller. You should use repadmin.exe /showreps, the Directory Service event log, etc., to monitor replication health.

Edit: To address your update,

RPC errors do not equate to Active Directory replication errors. RPC server availability is a separate issue... though the underlying cause of the RPC server availability issues can certainly also contribute to coincidental replication issues. More troubleshooting would be required.

How to Identify Latency of an LDAP query? Since this script runs on its own, is there a way to determine what time its took or measure its latency?

From the client's perspective, the Measure-Command cmdlet is good at telling you how long something took. Or you could use the underlying System.Diagnostics.Stopwatch .NET object. It's quite accurate.

From the server's perspective, you would want to watch Performance Monitor. (Perfmon) Look at the 'Directory Services' and NTDS perfmon objects - they have various performance counters there related to how many directory reads are being done per second, and their average times, queue lengths, etc. Perfmon counters are good for overall health, but the server will probably not be tracking the latency of each individual LDAP query. If you were interested in that measurement, you'd probably want to take the measurement from the client.