We have an application that uses LDAP to authenticate against AD. The application talks to a single hostname in DNS that contains all of our domain controllers. Each DC is then accessed via Round Robin.
A few times a day (and slowly increasing in occurrence) we see errors in the app that suggest the LDAP client is unable to "bind".
As far as we can tell, the only thing the end user sees is "unknown username or bad password"; when they type their password again they get in just fine. We are worried, however, that this is indicative of a larger problem, and we want to fully understand what is happening should this problem ever grow to the point where users actually notice. Our big question is that we don't know if the root of the problem is with our AD environment or with our application. Who's at fault for failing to complete the LDAP bind? Where do I need to focus my efforts?
We can correlate the LDAP bind errors with Event 4662 Failure events in AD (yes, event 4662 can be useful!). The Subject is the LDAP service account and the Object is the ID attempting to log on. The Access is Control Access. What has us baffled is that for each bind failure we see in our application, we see the 4662 event on ALL of our domain controllers! These 4662 events continue for about 30 seconds.
In trying to understand this problem better, I would like to know whether the application is actually contacting each DC over and over for 30 seconds, or whether the app is only talking to one DC, getting a bind error, and the 4662 events associated with this issue are simply being replicated to all of the other DCs.
Thank you for your help!
Matt
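One way to settle the "one DC or all DCs" question is to pull the 4662 events from each DC directly and compare their timestamps and surrounding logon records per DC. The Security event log is local to each DC and is never replicated, so a 4662 present on a given DC was generated by that DC evaluating an access check itself. The script below is an added example, not code from the original post. It assumes (none of this is in the question) that the LDAP service account's SAM name is `svc-ldap`, that every DC is reachable for remote `Get-WinEvent`, that the ActiveDirectory module is installed, and that a gap of more than 30 seconds separates one burst of failures from the next. It groups the 4662 failures into bursts, shows how many DCs logged each burst with each DC's own first timestamp, and lists any 4625 (failed network logon) records the same DCs wrote during that window, since 4625 carries the client IP address that made the bind.

```powershell
# Added example, not the poster's code. Assumptions (not stated in the question):
# service account SAM name 'svc-ldap', DCs reachable for remote Get-WinEvent,
# ActiveDirectory module available, bursts separated by > 30 s of quiet.
param(
    [string]   $ServiceAccount = 'svc-ldap',              # assumed name
    [datetime] $Start          = (Get-Date).AddHours(-1),
    [datetime] $End            = (Get-Date),
    [int]      $BurstGapSec    = 30
)

Import-Module ActiveDirectory
# Enumerate the DCs themselves instead of going through the round-robin hostname.
$dcs = @((Get-ADDomainController -Filter *).HostName)

function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Get-DcEvents([string]$Dc, [int[]]$Ids) {
    # Security logs are per-machine, so this asks each DC for what it logged itself.
    $f = @{ LogName = 'Security'; Id = $Ids; StartTime = $Start; EndTime = $End }
    try { Get-WinEvent -ComputerName $Dc -FilterHashtable $f -ErrorAction Stop }
    catch {
        # Get-WinEvent reports an empty result as an error; anything else is a real failure.
        if ($_.Exception.Message -notlike '*No events were found*') {
            Write-Warning "${Dc}: $($_.Exception.Message)"
        }
    }
}

$rows = foreach ($dc in $dcs) {
    foreach ($e in (Get-DcEvents -Dc $dc -Ids 4662, 4625)) {
        $d = Get-EventData $e
        if ($e.Id -eq 4662) {
            if ($d['SubjectUserName'] -ne $ServiceAccount) { continue }
            [pscustomobject]@{
                DC = $dc; Time = $e.TimeCreated; Id = 4662
                Outcome = if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
                Who     = $d['SubjectUserName']       # the LDAP service account
                Target  = $d['ObjectName']            # the user object being checked
                Detail  = ($d['Properties'] -replace '\s+', ' ').Trim()
            }
        } else {
            # 4625 is the DC-side record of a failed network logon and carries the client IP.
            [pscustomobject]@{
                DC = $dc; Time = $e.TimeCreated; Id = 4625
                Outcome = 'Failure'
                Who     = $d['TargetUserName']
                Target  = $d['IpAddress']             # source address of the binding client
                Detail  = "status=$($d['Status']) sub=$($d['SubStatus']) type=$($d['LogonType'])"
            }
        }
    }
}

# Group the 4662 failures into bursts separated by more than $BurstGapSec seconds.
$failures = @($rows | Where-Object { $_.Id -eq 4662 -and $_.Outcome -eq 'Failure' } | Sort-Object Time)
$burst = 0; $last = $null
foreach ($r in $failures) {
    if ($null -eq $last -or ($r.Time - $last).TotalSeconds -gt $BurstGapSec) { $burst++ }
    $last = $r.Time
    $r | Add-Member -NotePropertyName Burst -NotePropertyValue $burst
}

# For each burst: which DCs logged it, each DC's own first timestamp, and the
# client IPs from 4625 on those DCs. Different per-DC timestamps and a client IP
# present on every DC mean independent requests reached each DC.
foreach ($g in ($failures | Group-Object Burst)) {
    $sorted = @($g.Group | Sort-Object Time)
    $first = $sorted[0].Time; $lastT = $sorted[-1].Time
    $dcCount = @($g.Group.DC | Sort-Object -Unique).Count
    "Burst $($g.Name): $first .. $lastT, $($g.Count) x 4662 on $dcCount/$($dcs.Count) DCs"
    foreach ($byDc in ($g.Group | Group-Object DC)) {
        $firstOnDc = @($byDc.Group | Sort-Object Time)[0].Time
        "  $($byDc.Name): $($byDc.Count) x 4662, first at $($firstOnDc.ToString('HH:mm:ss.fff'))"
    }
    $ips = $rows | Where-Object { $_.Id -eq 4625 -and $_.Time -ge $first.AddSeconds(-5) -and $_.Time -le $lastT.AddSeconds(5) } |
        Select-Object DC, Who, Target -Unique
    foreach ($ip in $ips) { "  4625 on $($ip.DC): user=$($ip.Who) from $($ip.Target)" }
}
```

If every DC shows its own sequence of 4662 entries with different millisecond timestamps, and the application's IP appears in 4625 on each of them, the client really is retrying against each DC in turn; a single DC with events and the rest silent points at one server instead. As a complementary check from the application side, binding to each DC by its own hostname rather than the round-robin name isolates whether the failure follows a particular DC or the account.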