Active Directory Database Size Monitoring: Building a Monitor

Adam Bertram


The Active Directory (AD) database is, by far, the most important piece of AD. After all, without the database, AD wouldn’t be much good at all. AD needs to be up and active 24 hours a day, and many different services depend on it.

It’s important to monitor all aspects of AD and the database itself is of utmost importance. This is why it’s well worth the time to investigate what the database consists of and how best to monitor it to ensure it stays healthy.

In this article, we’re going to build a PowerShell script that queries the AD database on every DC in your domain and determines one important metric about it: the overall database size.

An AD database consists of a file called ntds.dit, which is usually located in the C:\Windows\NTDS directory of every domain controller but doesn’t necessarily have to be.

To ensure we get the proper path, we’ll first need to figure out where the database path is. This value is stored as DSA Database File under the registry key HKLM:\System\CurrentControlSet\Services\NTDS\Parameters.

Let’s query all of the DCs in our environment for the database file path.

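# -Filter * returns every DC in the domain; without it only one DC is discovered
$dcs = (Get-ADDomainController -Filter *).Name
# Read the NTDS parameters key on each DC and keep the database file path
$dbs = Invoke-Command -ComputerName $dcs -ScriptBlock {
    Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\NTDS\Parameters
} | Select-Object PSComputerName,'DSA Database File'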

Now that I know the path to the Active Directory database on each DC, I can query each one for its current size. To do this, I’ll use a foreach loop to iterate through the $dbs variable I created above, which contains the domain controller name and the path to the database file on each.

To make the output easier to understand, I’m going to use an $output hashtable and assign values to it, like the domain controller name and the size of the database, as I read each database file. I’ll then convert this to a custom object when I’m done reading the database file. This will show a nicer output than simply PSComputerName, DSA Database File and the size.

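$dbs | ForEach-Object {
    $output = @{}
    $path = $_.'DSA Database File'
    $output.Add('DomainController', $_.PSComputerName)
    # Read the file size on the DC itself; $using: passes the local $path to the remote session
    $size = Invoke-Command -ComputerName $_.PSComputerName -ScriptBlock {
        (Get-ItemProperty -Path $using:path).Length / 1GB
    }
    $output.Add('DatabaseSizeDB', $size)
    # Convert the hashtable to a custom object for cleaner output
    [pscustomobject]$output
}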

This snippet will give you a nice output with a DomainController and a DatabaseSizeDB property. In my demo environment, I only have a single DC. If you were running this in production, you’d see each of your domain controllers along with the total database size in GB next to each one.

Now you have a script you can run at any time to get a point-in-time snapshot of just how big each of your Active Directory database files has grown to!
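To turn the point-in-time snapshot into a recurring check, the following added example (not part of the original article) reads the path and size in one remoting call per DC, keeps a row for any DC that returned no data, and compares each size with the previous run. The function name Get-ADDatabaseSizeReport, the WarnAtGB threshold and the CSV history path are assumptions.

```powershell
# Added example, not the article's code. The function name, the 10 GB threshold
# and the history file location are assumptions; adjust them for your environment.
function Get-ADDatabaseSizeReport {
    [CmdletBinding()]
    param(
        [double]$WarnAtGB    = 10,
        [string]$HistoryPath = "$env:ProgramData\ADDatabaseSize.csv"
    )
    $dcs = @((Get-ADDomainController -Filter *).HostName)

    # One remoting call per DC returns both the database path and its size in bytes.
    $found = @(Invoke-Command -ComputerName $dcs -ErrorAction SilentlyContinue -ScriptBlock {
        $ErrorActionPreference = 'Stop'
        $key  = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
        $path = (Get-ItemProperty -Path $key).'DSA Database File'
        [pscustomobject]@{ DatabasePath = $path; SizeBytes = (Get-Item -LiteralPath $path).Length }
    })

    # Last recorded size per DC from earlier runs (stored as bytes, so culture-neutral).
    $previous = @{}
    if (Test-Path -LiteralPath $HistoryPath) {
        Import-Csv -LiteralPath $HistoryPath |
            ForEach-Object { $previous[$_.DomainController] = [int64]$_.SizeBytes }
    }

    foreach ($dc in $dcs) {
        $hit = $found | Where-Object PSComputerName -eq $dc | Select-Object -First 1
        $row = [ordered]@{ DomainController = $dc; DatabasePath = $null; SizeGB = $null
                           GrowthGB = $null; Status = 'NoData' }
        if ($hit) {
            $row.DatabasePath = $hit.DatabasePath
            $row.SizeGB       = [math]::Round($hit.SizeBytes / 1GB, 3)
            if ($previous.ContainsKey($dc)) {
                $row.GrowthGB = [math]::Round(($hit.SizeBytes - $previous[$dc]) / 1GB, 3)
            }
            $row.Status = if ($row.SizeGB -ge $WarnAtGB) { 'Warn' } else { 'OK' }
        }
        [pscustomobject]$row   # a DC that returned nothing still gets a row
    }

    # Append this run to the history file for the next comparison.
    $found | Select-Object @{ n = 'Timestamp'; e = { (Get-Date).ToString('o') } },
                           @{ n = 'DomainController'; e = { $_.PSComputerName } }, SizeBytes |
        Export-Csv -LiteralPath $HistoryPath -Append -NoTypeInformation
}

Get-ADDatabaseSizeReport -WarnAtGB 10 | Format-Table -AutoSize
```

Run it from a scheduled task under an account that has remoting rights on the DCs; GrowthGB stays empty until a DC has at least one earlier row in the history file.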
