App Control: Disconnected Agents Due to Very Slow AD Policy Mappings Lookups
search cancel

App Control: Disconnected Agents Due to Very Slow AD Policy Mappings Lookups


Article ID: 288557


Updated On:


Carbon Black App Control (formerly Cb Protection)


  • Agents showing as Disconnected in the Console.
  • Using dascli status locally shows:
    Connection:        Connected(Waiting)
    Session:           Inactive
  • Console generating Events with Subtype: AD lookups are slow
  • ServerLog.bt9 has the messages similar to:
    [1424] 2023-04-19 09:18:40 (3544 Register Thread 0)   HostStorage::MapUsersToHostgroupUsingScript: AD query: 9442 ms


  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions
  • Microsoft Active Directory


When Agents register with the Server they must be placed into the correct Policy. When Active Directory Policy Mapping has been configured, AD lookups must be completed to verify the correct membership.

When these LDAP queries made to Active Directory take very long time, the Server register threads get held up waiting on the results and cannot process Agent registrations


  1. Log in to the Console and navigate to https://ServerAddress/shepherd_config.php
  2. Locate and adjust the following Properties accordingly:
    • ADLookupThreads: 3
    • ADLookupAsyncThresholdMs: 0
  3. Restart the App Control Server service.

Additional Information

  • Another possible symptom is high usage percentage for computer registrations in https://ServerAddress/support.php > Reports > Agent Traffic Stats.
  • Currently there are no guidelines for ADLookupThreads per thousand Agents.