System.DirectoryServices Search Performance – Part 4

NOTE: This post is part of a series.

Evaluating Performance of LDAP Queries

LDAP search performance sometimes feels like more art than science.  The biggest reason for that is initially there doesn’t appear to be  tools available to evaluate your query and report on efficiency.

STATS Control

LDAP has what is called the STATS control.  When the STATS control is enabled some basic stats of your query are returned; query time, entries returned, entries visited, used filter, and indices used.

I find the most useful information returned from STATS is entries returned vs entries visited.  For example the query:


Objects Visited = 11,588

Objects Returned = 1

Since my filter contains no indexed attributes the directory has to crawl through every object to determine if it has a telephoneNumber of 555-555-5555.  Compare that to:


Objects Visited = 257

Objects Returned = 1

As you can see by adding the indexed attribute of (objectCategory=user) we reduce the number of objects to crawl to 257 since it was able to use an index to find all of the objects that are users.

I could go on for days giving examples of good and bad filters.  The guidelines laid out in Part 2 will give you the knowledge you need to write good filters.  Now with your knowledge of the STATS control you have a way to quantify if your writing efficient filters or not.


I find the best way to view the output of the STATS control is to use AdFind by joeware.  AdFind has almost endless versatility in doing LDAP searches, however I am just focusing on it’s ability to report STATS.

Running AdFind.exe without any switches will give you the usage information.  However a quick crash course in AdFind:

adfind.exe –default –f “(attribute=value)” -stats+Only

-default = Connect to default LDAP server (works if your computer is member of domain you want to search)

-f = Filter to query on

-stats+Only = Return stats information with analysis and do not return actual results

An example run of AdFind:

C:>adfind -default -f "(&(objectCategory=user)(telephoneNumber=555-555-5555))" -stats+Only

AdFind V01.37.00cpp Joe Richards ( June 2007

Using server: dc.domain.local:389
Directory: Windows Server 2003
Base DN: DC=domain,DC=local

Elapsed Time: 16 (ms)
Returned 1 entries of 257 visited – (0.39%)

Used Filter:
( &  (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local)  (telephoneNumber=555-555-5555) )

Used Indices:

Hit Rate of 0.39% is Inefficient

Indices used:

Index Name  : idx_objectCategory
Record Count: 220  (estimate)
Index Type  : Normal Attribute Index

Filter Breakdown:


One thought on “System.DirectoryServices Search Performance – Part 4

Comments are closed.