A. On both the 32-bit and 64-bit versions of Windows, the Local Security Authority Subsystem Service (LSASS) reads AD information into memory as it's queried and caches it. Over time, more of the AD database is cached until the memory is full, at which point the most frequently accessed pages of the database are kept in memory.
There's no exact way to check how much of the AD database is currently cached in memory, but you can get an idea by looking at the size of the file NTDS.DIT in C:\Windows\NTDS and comparing it to the working set (memory) used by the lsass.exe process, the process that caches the AD pages. It's not a direct correlation, because LSASS uses memory for its other functions (such as hosting Netlogon), but there will be a basic correlation. Because the percentage of memory used by LSASS for non-AD caching becomes proportionally smaller, the correlation gets easier to see the larger your NTDS.DIT database file becomes. If you have a 4 GB NTDS.DIT file and lsass.exe has a 2 GB working set, you can estimate that roughly half your database is cached in memory.
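The comparison described above can be scripted and repeated over time to watch the cache fill. This PowerShell function is an added example, not part of the original FAQ; the function name `Get-AdCacheEstimate` and its parameters are hypothetical, and the default path is the one given above.

```powershell
# Added example: estimate how much of NTDS.DIT lsass.exe could be caching.
# Run locally on a domain controller in an elevated session.
function Get-AdCacheEstimate {
    param(
        # Location from the article; change it if the database lives elsewhere.
        [string]$DitPath = 'C:\Windows\NTDS\ntds.dit',
        # Take several samples to see the working set grow as AD is queried.
        [int]$Samples = 1,
        [int]$IntervalSeconds = 60
    )

    if (-not (Test-Path -LiteralPath $DitPath)) {
        throw "NTDS.DIT not found at $DitPath (is this a domain controller?)"
    }

    for ($i = 1; $i -le $Samples; $i++) {
        $ditBytes = (Get-Item -LiteralPath $DitPath).Length
        $wsBytes  = (Get-Process -Name lsass -ErrorAction Stop).WorkingSet64

        # The working set covers everything LSASS holds in RAM, not only AD
        # pages, so the ratio is an upper bound and is capped at 100 percent.
        $ratio = if ($ditBytes -gt 0) {
            [math]::Min(1.0, $wsBytes / $ditBytes)
        } else { 0 }

        [pscustomobject]@{
            Time              = Get-Date
            DitSizeMB         = [math]::Round($ditBytes / 1MB, 1)
            LsassWorkingSetMB = [math]::Round($wsBytes / 1MB, 1)
            EstCachedPercent  = [math]::Round($ratio * 100, 0)
            Note              = if ($wsBytes -ge $ditBytes) {
                'Working set >= database size: database is likely fully cached'
            } else {
                'Rough estimate; LSASS also uses memory for non-AD functions'
            }
        }

        if ($i -lt $Samples) { Start-Sleep -Seconds $IntervalSeconds }
    }
}

# One-off reading; use -Samples 10 -IntervalSeconds 300 to track cache warm-up.
Get-AdCacheEstimate | Format-List
```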
In my test environment, shown here, you can see that most likely my entire AD is cached.
Check out hundreds more useful Q&As like this in John Savill's FAQ for Windows. Also, watch instructional videos made by John at ITTV.net.