Q. How can I check how much of my Active Directory (AD) database is cached in memory?

A. On both the 32-bit and 64-bit versions of Windows, the Local Security Authority Subsystem Service (LSASS) reads AD information into memory as it's queried and caches it. Over time, more of the AD database is cached until the memory is full, at which point the most frequently accessed pages of the database are kept in memory.

Click to expand

There's no absolute way to check how much of the AD database is currently cached into memory, but you can get an idea by looking at the size of the file NTDS.DIT in C:\Windows\NTDS and comparing it to the working set (memory) used by the lsass.exe process, the process that caches the AD pages. It's not a direct correlation, because LSASS uses memory for its other functions (such as hosting Netlogon) but there will be a basic correlation. Because the percentage of memory used by LSASS for non AD caching becomes proportionally smaller, it gets easier to see the correlation the larger your NTDS.DIT database file becomes. If you have a 4 GB NTDS.DIT file and lsass.exe has a 2 GB working set, you can estimate that roughly half your database is cached into memory.

In my test environment, shown here, you can see that most likely my entire AD is cached.

Related Reading:
Check out hundreds more useful Q&As like this in John Savill's FAQ for Windows. Also, watch instructional videos made by John at ITTV.net.
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.