How LDAP Server Cookies Are Handled

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

In LDAP, some queries produce a large result set. Such queries pose some challenges to the Windows Server.

Collecting and building these big result sets is significant work. Many of the attributes need to be converted from an internal representation to the LDAP wire representation. For many attributes, a conversion from an internal, often binary, format to a text-based UTF-8 format has to happen in the LDAP response frame.

Another challenge is that result sets with tens of thousands of objects become huge, easily several hundred megabytes. These then require lots of virtual address space, and the transfer over the network also has issues, because the whole effort is lost when the TCP session breaks down in transit.

These capacity and logistic issues led the Microsoft LDAP developers to create an LDAP extension known as "Paged Query". It implements an LDAP control that splits one huge query into chunks of smaller result sets. It has become an RFC standard as RFC 2696.

The Paged Query method uses a page size that is either set by the client or taken from an LDAP policy ("MaxPageSize"). The client always needs to enable paging by sending an LDAP control.

When working on a query with many results, at some point the maximum number of objects allowed per page is reached. The LDAP server packages up the response message and adds a cookie that contains the information it needs to continue the search later.

The client application must treat the cookie as an opaque blob. It can retrieve the object count from the response and can continue the search based on the presence of the cookie. The client continues the search by sending the query to the LDAP server again with the same parameters, such as base object and filter, and includes the cookie value that was returned in the previous response.

If the number of objects doesn't fill a page, the LDAP query is complete and the response contains no page cookie. If no cookie is returned by the server, the client must consider the paged search to be successfully complete.

If an error is returned by the server, the client must consider the paged search to be unsuccessful. Retrying the search restarts it from the first page.
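The client-side loop described above, as an added example that is not part of the original article: an in-memory stand-in server hands out an opaque cookie per page, and the client keeps re-sending the same base and filter with the last cookie until no cookie comes back, restarting from the first page when the server reports an error. The `FakeLdapServer` class, its `evict_on_call` fault switch and the `LdapError` type are constructed for this example; they are not a real LDAP server or client library.

```python
"""Client-side handling of an RFC 2696 paged search.

Added example: FakeLdapServer is an in-memory stand-in, not a real LDAP
server. Its evict_on_call switch is a constructed fault that models the
server dropping a stored cookie from its cache in the middle of a search.
"""
import os


class LdapError(Exception):
    """Stands in for the LDAP error the server returns when a cookie is not found."""


class FakeLdapServer:
    def __init__(self, entries, page_size=3, evict_on_call=None):
        self.entries = list(entries)
        self.page_size = page_size          # page size requested by the client or MaxPageSize
        self.cookie_cache = {}              # cookie -> next offset, kept on the server side
        self.evict_on_call = evict_on_call  # constructed fault: clear the cache on this call number
        self.calls = 0

    def search(self, base, filt, cookie=b""):
        """Return (page, next_cookie); an empty next_cookie means the search is complete."""
        self.calls += 1
        if self.calls == self.evict_on_call:
            self.cookie_cache.clear()       # models the cache limits discarding stored cookies
        if cookie == b"":
            offset = 0                      # no cookie: start from the first page
        elif cookie in self.cookie_cache:
            offset = self.cookie_cache.pop(cookie)
        else:
            # The real server answers with "Error processing control" (see the article)
            raise LdapError("Error processing control")
        page = self.entries[offset:offset + self.page_size]
        nxt = offset + self.page_size
        if nxt >= len(self.entries):
            return page, b""                # last page: no cookie, search complete
        new_cookie = os.urandom(8)          # opaque to the client; only the server interprets it
        self.cookie_cache[new_cookie] = nxt
        return page, new_cookie


def paged_search(server, base, filt, max_restarts=1):
    """Collect every page; on an error, restart from the first page (bounded by max_restarts)."""
    restarts = 0
    while True:
        results = []
        cookie = b""                        # first request carries no cookie
        try:
            while True:
                page, cookie = server.search(base, filt, cookie)
                results.extend(page)
                if cookie == b"":           # no cookie returned: paged search is complete
                    return results
        except LdapError:
            # An error means the paged search failed; a retry starts again at page one.
            restarts += 1
            if restarts > max_restarts:
                raise


if __name__ == "__main__":
    srv = FakeLdapServer(range(7), evict_on_call=2)   # 7 constructed entries, 3 per page
    print(paged_search(srv, "dc=example,dc=test", "(objectClass=user)"), srv.calls)
```

With the fault switch set, the second request fails, the client discards the partial result and walks all three pages again, so the whole search costs five requests instead of three; the point to take away is that the client never reuses a cookie after an error.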

The Windows Server returns the cookie to the client and sometimes stores information related to the cookie on the server. This information is stored on the server in a cache and is subject to certain limits.

In this case, the cookie sent to the client by the server is also used by the server to look up the information in its cache. When the client continues the paged search, the Windows Server uses the client cookie as well as any related information from the server cookie cache to continue the search. If the server cannot find the related cookie information in the server cache for any reason, the search is discontinued and an error is returned to the client.

Obviously, the LDAP server serves more than one client at a time, and more than one client at a time can launch queries that require the use of the server cookie cache. The Windows Server implementation therefore tracks cookie pool usage, and limits are put in place so that the cookie pool does not take too many resources. The limits can be set by the administrator using the following settings in the LDAP policy. The defaults and explanations are:

MinResultSets: 4

The LDAP server will not look at the maximum pool size discussed below if there are fewer than MinResultSets entries in the server cookie cache.

MaxResultSetSize: 262,144 bytes

The total cookie cache size on the server must not exceed MaxResultSetSize bytes. If it does, cookies are deleted starting from the oldest until the pool is smaller than MaxResultSetSize bytes or fewer than MinResultSets cookies are in the pool. This means that with the default settings, the LDAP server considers a pool of 450 KB to be OK if only 3 cookies are stored.

MaxResultSetsPerConn: 10

The LDAP server allows no more than MaxResultSetsPerConn cookies per LDAP connection in the pool.
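The three limits above, applied together, as an added example written for this article rather than the Windows Server implementation: a small cookie pool that records a discard with the event ID the article associates with it (2898 for the per-connection limit, 2899 for the pool-size limit). The class name `CookiePool`, its method names, and the sizes used are constructed; it is also assumed that the per-connection limit is enforced before the pool-size limit and that the oldest cookie of the affected connection is the one discarded, neither of which the article states.

```python
"""Server-side cookie pool governed by MinResultSets, MaxResultSetSize and
MaxResultSetsPerConn.

Added example, not the Windows Server code. Assumptions: the per-connection
limit is checked before the pool-size limit, and the oldest cookie is the
one discarded in both cases.
"""
from collections import OrderedDict


class CookiePool:
    def __init__(self, min_result_sets=4, max_result_set_size=262_144,
                 max_result_sets_per_conn=10):
        self.min_result_sets = min_result_sets
        self.max_result_set_size = max_result_set_size
        self.max_result_sets_per_conn = max_result_sets_per_conn
        self.pool = OrderedDict()   # cookie -> (conn_id, size); insertion order is age order
        self.discarded = []         # (cookie, event_id): stands in for events 2898 / 2899

    def total_size(self):
        return sum(size for _, size in self.pool.values())

    def count_for_conn(self, conn_id):
        return sum(1 for cid, _ in self.pool.values() if cid == conn_id)

    def store(self, cookie, conn_id, size):
        """Add the server-side state for a new cookie, enforcing both limits."""
        # MaxResultSetsPerConn: discard this connection's oldest cookie (event 2898)
        while self.count_for_conn(conn_id) >= self.max_result_sets_per_conn:
            oldest = next(c for c, (cid, _) in self.pool.items() if cid == conn_id)
            self._discard(oldest, 2898)
        self.pool[cookie] = (conn_id, size)
        # MaxResultSetSize is only consulted once MinResultSets entries exist; then
        # discard oldest-first until the pool is small enough or fewer than
        # MinResultSets cookies remain (event 2899)
        while (len(self.pool) >= self.min_result_sets
               and self.total_size() > self.max_result_set_size):
            self._discard(next(iter(self.pool)), 2899)

    def _discard(self, cookie, event_id):
        del self.pool[cookie]
        self.discarded.append((cookie, event_id))

    def continue_search(self, cookie):
        """Consume the state for a cookie; None is the 'Error processing control' case."""
        return self.pool.pop(cookie, None)


if __name__ == "__main__":
    pool = CookiePool()                          # article defaults
    for i in range(4):                           # four 150 KB cookies on one connection
        pool.store(f"c{i}".encode(), conn_id=1, size=150 * 1024)
    print(len(pool.pool), pool.total_size(), pool.discarded)
```

With the defaults, three 150 KB cookies (450 KB) are tolerated because the pool has fewer than MinResultSets entries; storing a fourth trips MaxResultSetSize, the oldest cookie is dropped, and the pool is back to three entries, which is exactly the 450 KB case the article describes.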

Handling Deleted Cookies

The removal of cookie information from the LDAP server cache does not result in an immediate error for applications in all cases. Applications may restart the paged search from the beginning and complete it on another attempt. Some applications have this kind of retry mechanism to add robustness.

Some applications may start a paged search and never complete it. This may leave entries in the LDAP server cookie cache, which is handled through the mechanism in section 4. This is essential to free up memory on the server for active LDAP searches.

What happens when such a cookie is deleted on the server and the client continues the search with this cookie handle? The LDAP server will not find the cookie in the server cookie cache and returns an error for the query; the error response will be similar to:

00000057: LdapErr: DSID-xxxxxxxx, comment: Error processing control, data 0, v1db1  


The hexadecimal value behind "DSID" varies depending on the build version of the LDAP server binaries.

The LDAP server can log events through the category "16 LDAP Interface" in the NTDS diagnostics key. If you set this category to "2", you can get the following events:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Event ID:      2898
Task Category: LDAP Interface
Level:         Information
Internal event: The LDAP server has reached the limit of the number of Result Sets it will maintain for a single connection.  A stored Result Set will be discarded.  This will result in a client being unable to continue a paged LDAP search.
Maximum number of Result Sets allowed per LDAP connection:
Current number of Result Sets for this LDAP connection:

User Action
The client should consider a more efficient search filter.  The limit for Maximum Result Sets per Connection may also be increased.

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Event ID:      2899
Task Category: LDAP Interface
Level:         Information
Internal event: The LDAP server has exceeded the limit of the LDAP Maximum Result Set Size. A stored Result Set will be discarded.  This will result in a client being unable to continue a paged LDAP search.

Number of result sets currently stored:
Current Result Set Size:
Maximum Result Set Size:
Size of single Result Set being discarded:

User Action
The client should consider a more efficient search filter.  The limit for Maximum Result Set Size may also be increased.

The events signal that a stored cookie was removed. They do NOT mean a client has seen the LDAP error, only that the LDAP server has reached the administrative limits for the cache. In some cases, an LDAP client may have abandoned the paged search and may never see the error.

If you never experience LDAP search errors in your domain, you may never need to monitor the LDAP server page search cookie pool. If you do see LDAP page search related errors in your environment, you may have an issue with the cookie pool administrator limits.

Events 2898 and 2899 are the only way to know that the LDAP server has reached the administrator limits. When LDAP queries error out because of the control processing error above, you should look at increasing one or more of the LDAP policy settings mentioned in section 4, depending on which event you are getting.

If you are seeing event 2898 on your DC/LDAP server, we recommend that you set MaxResultSetsPerConn to 25. More than 25 parallel paged searches on a single LDAP connection is not usual. If you continue to see event 2898, consider investigating the LDAP client application that encounters the error. The suspicion would be that it somehow gets stuck retrieving additional paged results, leaves the cookie pending and starts a new query. So check whether the application would at some point have sufficient cookies for its purposes; you can also increase the value of MaxResultSetsPerConn beyond 25.

When you see events 2899 logged on your domain controllers, the plan is different. If your DC/LDAP server runs on a machine with sufficient memory (several GB of free memory), we recommend that you set MaxResultSetSize on the LDAP server to >= 250 MB. This limit is large enough to accommodate large volumes of LDAP page searches, even on very large directories.

If you are still seeing events 2899 with a pool of 250 MB or more, you likely have many clients with a very high number of objects returned, querying very frequently. The data you can gather with the Active Directory Data Collector Set can help you find repetitive paged queries that keep your LDAP servers busy. These queries will all show a number of "Entries returned" that matches the size of the page used.
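The triage the two preceding paragraphs describe, as an added example that is not part of the original article: it parses the numeric fields of events 2898 and 2899 (using the field names shown in the event text above) and maps each event to the action the article recommends, so a defender reviewing an export from several domain controllers can see which limit is the bottleneck. The sample event records, the DC names and the counter values are constructed; the 25-cookie and 250 MB targets come from the article.

```python
"""Triage of events 2898 / 2899 exported from domain controllers.

Added example. SAMPLE_EVENTS are constructed records whose message bodies
follow the field names of the two events; the values are made up.
"""
import re

PER_CONN_TARGET = 25                    # recommended MaxResultSetsPerConn (article)
POOL_TARGET = 250 * 1024 * 1024         # recommended MaxResultSetSize in bytes (article)

SAMPLE_EVENTS = [  # constructed: each record is one event as an admin might export it
    {"dc": "DC1", "id": 2898, "message":
        "Maximum number of Result Sets allowed per LDAP connection:  10\n"
        "Current number of Result Sets for this LDAP connection:  10\n"},
    {"dc": "DC2", "id": 2899, "message":
        "Number of result sets currently stored:  4\n"
        "Current Result Set Size:  614400\n"
        "Maximum Result Set Size:  262144\n"
        "Size of single Result Set being discarded:  153600\n"},
    {"dc": "DC3", "id": 2899, "message":
        "Number of result sets currently stored:  120\n"
        "Current Result Set Size:  300000000\n"
        "Maximum Result Set Size:  300000000\n"
        "Size of single Result Set being discarded:  2500000\n"},
]


def parse_counters(message):
    """Extract 'Field name:  123' lines from an event body into {field: int}."""
    return {name.strip(): int(value)
            for name, value in re.findall(r"^([A-Za-z ]+):\s*(\d+)\s*$", message, re.M)}


def triage(events, per_conn_target=PER_CONN_TARGET, pool_target=POOL_TARGET):
    """Return {(dc, event_id): recommended action} following the article's guidance."""
    advice = {}
    for ev in events:
        counters = parse_counters(ev["message"])
        key = (ev["dc"], ev["id"])
        if ev["id"] == 2898:
            limit = counters.get("Maximum number of Result Sets allowed per LDAP connection", 0)
            # First raise the per-connection limit to 25; if it is already there,
            # the client is probably leaving paged searches pending.
            advice[key] = (f"set MaxResultSetsPerConn={per_conn_target}"
                           if limit < per_conn_target
                           else "investigate client leaving paged searches pending")
        elif ev["id"] == 2899:
            limit = counters.get("Maximum Result Set Size", 0)
            # First raise the pool to >= 250 MB; if it is already that large, look for
            # repetitive paged queries with the AD Data Collector Set.
            advice[key] = (f"set MaxResultSetSize>={pool_target} bytes"
                           if limit < pool_target
                           else "look for repetitive paged queries (AD Data Collector Set)")
    return advice


if __name__ == "__main__":
    for key, action in triage(SAMPLE_EVENTS).items():
        print(key, "->", action)
```

The regex only accepts lines that end in a bare integer, so the "Internal event:" sentence and the "User Action" text are ignored even when a whole event body is pasted in.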

If possible, you should review the application design and implement a different approach with a lower frequency, lower data volume, and/or fewer client instances querying this data. For applications for which you have source code access, this guide to creating efficient AD-enabled applications can help you understand the optimal way for applications to access AD.

If the query behavior can't be changed, one approach is to add more replicated instances of the naming contexts needed, redistribute the clients, and so eventually reduce the load on the individual LDAP servers.