
AD LDS slow on first access - Why?

I have an AD LDS instance set up on a local machine (Windows Server 2008 R2 box) for a new application and have knocked up some .NET code to access it. This is one of the functions I'm testing; as you can see, it's fairly simple stuff.

Imports System.DirectoryServices.AccountManagement

' searchRoot is an LDAP URI (e.g. LDAP://myserver/CN=...,DC=...): Authority gives host[:port],
' LocalPath.Substring(1) strips the leading "/" off the container DN used as the context root.
Public Function FindUser(searchRoot As String, strUsername As String, strPassword As String,
                         username As String) As UserPrincipal
    Dim MyLdapUri As New Uri(searchRoot)

    Using MyContext As New PrincipalContext(ContextType.ApplicationDirectory,
                                            MyLdapUri.Authority,
                                            MyLdapUri.LocalPath.Substring(1),
                                            ContextOptions.SimpleBind,
                                            strUsername, strPassword)
        Return UserPrincipal.FindByIdentity(MyContext, IdentityType.Name, username)
    End Using
End Function

One thing I'm finding happening repeatedly is a ~18s delay the first time I call this or any other function to access the instance from a test-bed application. Subsequent calls made to the AD LDS instance are in the order of 40ms. Once you leave the instance unqueried for a few minutes, calls go back to taking 18s on the first call.

I can't find anything untoward in the event logs. I've also tried connecting to the instance in different ways (simple bind to a user defined in the instance as above, using both local and domain Windows accounts), and this 18s additional delay on the first hit always happens. Can anyone give me any pointers to what causes this and/or how I might go about diagnosing/fixing it?

Comments

This can be due to the way you authenticate to your server.

Is the server on which you installed AD LDS a domain controller?

Is your client computer in the same domain as your server?

How does your client computer resolve the DNS part of your URI?

  • In your case, replace LDAP://myserver with LDAP://myserver.ourdomain.local.
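As an added diagnostic (not code from the original question or answer), the PowerShell script below breaks a single AD LDS access into the steps the reply above asks about: name resolution of the server part of the URI, a raw TCP connect to the instance port, the LDAP bind (simple bind, as the question's ContextOptions.SimpleBind does, or Negotiate with the calling Windows account) and one base-scope search on the bound connection. Each step is timed separately, and each case is run twice, so the cold first call the question describes can be compared with the warm second call and the 18s attributed to one step. The host names adlds01 / adlds01.ourdomain.local, port 50000, the base DN and the service-account DN are assumptions; PowerShell 3 or later is assumed.

```powershell
# Added diagnostic; not code from the original question or answer.
# Splits one AD LDS access into DNS lookup, TCP connect, LDAP bind and a base-scope
# search and times each, so a slow first call can be pinned to a single step.
# Assumed names: host adlds01 / adlds01.ourdomain.local, port 50000, the base DN and
# the service-account DN. Needs PowerShell 3 or later.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Measure-AdLdsAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 50000,
        [string]$BaseDn = 'CN=App,DC=ourdomain,DC=local',
        # Basic = LDAP simple bind (what ContextOptions.SimpleBind does);
        # Negotiate = Kerberos/NTLM with the calling Windows account.
        [ValidateSet('Basic', 'Negotiate')][string]$AuthType = 'Negotiate',
        [System.Net.NetworkCredential]$Credential = $null,
        [switch]$UseSsl
    )
    $r = [ordered]@{ Server = $Server; Auth = $AuthType; DnsMs = $null; TcpMs = $null
                     BindMs = $null; SearchMs = $null; Error = $null }
    $conn = $null
    try {
        # 1. Name resolution alone. A resolver that only answers after a fallback
        #    (or a timeout) shows up here and nowhere else.
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        $addrs = [System.Net.Dns]::GetHostAddresses($Server)
        $r.DnsMs = [int]$sw.Elapsed.TotalMilliseconds
        $ip = $addrs | Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
        if (-not $ip) { $ip = $addrs[0] }

        # 2. Raw TCP connect to the instance port, no LDAP involved.
        $sw.Restart()
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($ip, $Port)
        $tcp.Close()
        $r.TcpMs = [int]$sw.Elapsed.TotalMilliseconds

        # 3. LDAP bind with the chosen mechanism. A simple bind sends the password in
        #    clear text unless the session is wrapped in SSL/TLS (-UseSsl).
        $id = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $Server, $Port
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $id
        $conn.SessionOptions.ProtocolVersion = 3
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]$AuthType
        if ($UseSsl) { $conn.SessionOptions.SecureSocketLayer = $true }
        if ($Credential) { $conn.Credential = $Credential }
        $conn.Timeout = [TimeSpan]::FromSeconds(60)
        $sw.Restart()
        $conn.Bind()
        $r.BindMs = [int]$sw.Elapsed.TotalMilliseconds

        # 4. Cheapest possible query on the already-bound connection.
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList `
            $BaseDn, '(objectClass=*)', ([System.DirectoryServices.Protocols.SearchScope]::Base), ([string[]]@('name'))
        $sw.Restart()
        [void]$conn.SendRequest($req)
        $r.SearchMs = [int]$sw.Elapsed.TotalMilliseconds
    } catch {
        $r.Error = $_.Exception.Message
    } finally {
        if ($conn) { $conn.Dispose() }
    }
    [pscustomobject]$r
}

# Simple-bind credential for a user defined inside the instance (a DN, not a sAMAccountName).
$cred = New-Object System.Net.NetworkCredential -ArgumentList 'CN=svc-app,CN=Users,CN=App,DC=ourdomain,DC=local', 'REPLACE-ME'

# Short name vs FQDN and simple bind vs Negotiate, each run twice so the cold first
# call and the warm second call sit side by side in the output.
$cases = @(
    @{ Server = 'adlds01';                 AuthType = 'Basic';     Credential = $cred },
    @{ Server = 'adlds01.ourdomain.local'; AuthType = 'Basic';     Credential = $cred },
    @{ Server = 'adlds01.ourdomain.local'; AuthType = 'Negotiate' }
)
$cases | ForEach-Object {
    $c = $_
    1..2 | ForEach-Object { Measure-AdLdsAccess @c }
} | Format-Table -AutoSize
```

Read the table row by row: a large DnsMs on the short-name case that disappears with the FQDN points at name resolution, as the reply suggests; a large BindMs only under Negotiate points at the authentication path; a large BindMs under Basic with small DnsMs and TcpMs points at the instance itself. Leave the AD LDS instance idle for a few minutes between runs to reproduce the cold-call condition from the question.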

