First let me say I'm no Active Directory expert so maybe this behavior is expected. But I have successfully installed the Splunk Supporting Add-on for Active Directory and tested the connection. When I run a simple search, there's a relatively long (~10s) delay before the results are returned. Here's what my search looks like:
| ldapsearch domain=ACME search="(&(objectClass=user)(samAccountName=george))" attrs="department"
The search takes about 9 seconds, which seemed strange to me so I took a packet capture. After the bind, it looks like the add-on is sending a subSchema search for 12 attributes. A couple of those attributes (dITContentRules and attributeTypes) have a lot of values - 647 and 4108 respectively. It's the transmission of these attribute values that is causing the search to take so long. Once the add-in sends the actual search based on my search term, the response is almost immediate.
Is it normal for the add-on to send that initial subSchema query? Is there some reason it's necessary, or some way to suppress it?