Article ID: 310048
Article Last Modified on 10/12/2005
APPLIES TO
- Microsoft Active Directory Service Interfaces 2.5
This article was previously published under Q310048
SYMPTOMS
If you call the IADs::GetInfoEx function, unnecessary network traffic may be generated because of how the client-side cache for Active Directory Services Interface (ADSI) is updated.
This problem may adversely affect the performance of IIS servers. For every empty property that is requested using a IADs::Get call, the function also performs an implicit GetInfo request to the LDAP directory service requesting all available attributes. Each time that an empty property is requested, you may experience up to 4 seconds of delay when using Network Monitor to capture network traffic between the client computer and the directory server.
CAUSE
This problem is caused by the manner in which the ADSI cache tracks GetInfoEx and GetInfo requests. The cache is supposed to detect that a GetInfoEx request for a specific property has already been performed and that it was not successful. That way, when a query is performed for that property again, ADSI will not generate redundant network traffic.
When an empty property is requested by means of IADs::GetInfoEx to refresh the cache, and is followed immediately by IADs::Get requesting the property, the client-side ADSI LDAP provider makes an implicit GetInfo request and retrieves all of the available properties for that object. The cache does not detect that an unsuccessful request for that specific property has already been made.
MORE INFORMATION
Steps to Reproduce the Behavior
The following script may reproduce this problem:
on error resume next
dim oUsr
'
' Bind to the user object
'
set oUsr = GetObject("LDAP://cn=Fred Jones,ou=marketing,dc=br549,dc=test,dc=microsoft,dc=com")
WScript.Echo "Start: " & now()
'
' Requesting a property that is known to exist with
' a property that is known not to exist...
'
oUsr.GetInfoEx ARRAY("CN","department"), 0
WScript.Echo "GetInfoEx: " & now()
'
' Requesting the property that you know does not exist,
' Trace indicates a full GetInfo request is issued
' for all the data...
'
dep = oUsr.Get("department")
if ( err.number <> 0 ) then
WScript.Echo "Get: ERROR: "& hex(err.number)& "Time: " & now()
err.clear
end if
In summary, the pre-hotfix traces indicate an extra LDAP search-request/search-response pair including all properties for the object. The LDAP portion of these frames are represented as follows:
LDAP: ProtocolOp: SearchRequest (3)
LDAP: MessageID
LDAP: ProtocolOp = SearchRequest
LDAP: Base Object = cn=Test User1,cn=Users,dc=cpr000,dc=company,dc=com
LDAP: Scope = Base Object
LDAP: Deref Aliases = Never Deref Aliases
LDAP: Size Limit = 0x00002710
LDAP: Time Limit = No Limit
LDAP: Attrs Only = 0 (0x0)
LDAP: Filter Type = Present
LDAP: Attribute Type = objectClass
LDAP: Attribute Value = 0
The search response follows.
NOTE: Network Monitor does not parse LDAP transactions that extend beyond the original frame as LDAP; it interprets them as TCP. The following is actually two frames in Network Monitor.
LDAP: ProtocolOp: SearchResponse (4)
LDAP: MessageID
LDAP: ProtocolOp = SearchResponse
LDAP: Object Name = cn=Test User1,cn=Users,dc=cpr000,dc=company,dc=com
+ LDAP: Attribute Type = accountExpires
+ LDAP: Attribute Type = badPasswordTime
+ LDAP: Attribute Type = badPwdCount
+ LDAP: Attribute Type = codePage
+ LDAP: Attribute Type = cn
+ LDAP: Attribute Type = countryCode
+ LDAP: Attribute Type = displayName
+ LDAP: Attribute Type = givenName
+ LDAP: Attribute Type = instanceType
+ LDAP: Attribute Type = lastLogoff
+ LDAP: Attribute Type = lastLogon
+ LDAP: Attribute Type = logonCount
+ LDAP: Attribute Type = nTSecurityDescriptor
+ LDAP: Attribute Type = distinguishedName
+ LDAP: Attribute Type = objectCategory
+ LDAP: Attribute Type = objectClass
+ LDAP: Attribute Type = objectGUID
+ LDAP: Attribute Type = objectSid
+ LDAP: Attribute Type = primaryGroupID
+ LDAP: Attribute Type = pwdLastSet
+ LDAP: Attribute Type = name
+ LDAP: Attribute Type = sAMAccountName
+ LDAP: Attribute Type = sAMAccountType
+ LDAP: Attribute Type = sn
+ LDAP: Attribute Type = userAccountControl
+ LDAP: Attribute Type = userPrincipalName
+ LDAP: Attribute Type = uSNChanged
+ LDAP: Attribute Type = uSNCreated
+ LDAP: Attribute Type = whenChanged
+ LDAP: Attribute Type = whenCreated
LDAP: MessageID
LDAP: ProtocolOp = SearchResponse (simple)
LDAP: Result Code = Success
RESOLUTION
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows 2000 service pack that contains this hotfix.
To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:
NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The typical support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
The English version of this fix should have the following file attributes or later:
Date Time Size File name
--------------------------------------------------
26-NOV-2001 17:50 123,664 adsldp.dll
26-NOV-2001 17:50 130,320 adsldpc.dll
26-NOV-2001 17:50 62,736 adsmsext.dll
26-NOV-2001 17:50 356,112 advapi32.dll
26-NOV-2001 17:50 82,704 cmnquery.dll
26-NOV-2001 17:50 133,904 dnsapi.dll
26-NOV-2001 17:50 91,408 dnsrslvr.dll
26-NOV-2001 17:50 41,744 dsfolder.dll
26-NOV-2001 17:50 156,944 dsquery.dll
26-NOV-2001 17:50 110,352 dsuiext.dll
08-OCT-2001 14:54 88,336 hotfix.exe
26-NOV-2001 18:01 27,773 hotfix.inf
28-NOV-2001 18:57 1,804 hotfix.txt
26-NOV-2001 17:52 521,488 instlsa5.dll
26-NOV-2001 17:50 145,680 kdcsvc.dll
26-NOV-2001 16:33 199,440 kerberos.dll
04-SEP-2001 08:32 71,024 ksecdd.sys
26-NOV-2001 16:51 503,568 lsasrv.dll
26-NOV-2001 16:52 33,552 lsass.exe
26-NOV-2001 16:32 107,280 msv1_0.dll
26-NOV-2001 17:50 306,960 netapi32.dll
26-NOV-2001 17:50 358,672 netlogon.dll
26-NOV-2001 17:50 913,168 ntdsa.dll
26-NOV-2001 18:09 4,308,288 Q310048_W2K_SP3_X86_EN.exe
26-NOV-2001 17:50 387,856 samsrv.dll
26-NOV-2001 17:50 128,784 scecli.dll
26-NOV-2001 17:50 299,792 scesrv.dll
26-NOV-2001 17:58 2,840,453 sp3.cat
30-MAY-2001 00:03 3,584 spmsg.dll
26-NOV-2001 17:50 48,400 w32time.dll
06-NOV-2001 11:43 56,592 w32tm.exe
26-NOV-2001 17:50 125,712 wldap32.dll
29-NOV-2001 14:14 <DIR> 56bit
26-NOV-2001 16:51 503,568 lsasrv.dll
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
MORE INFORMATION
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:
265173 The Datacenter Program and Windows 2000 Datacenter Server Product
For additional information about how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:
296861 Use QChain.exe to Install Multiple Hotfixes with Only One Reboot
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes
Keywords: kbbug kbfix kbwin2000presp3fix kbqfe kbwin2000sp3fix kbdirservices kbdswadsi2003swept kbhotfixserver KB310048
