Active Directory Database: PowerShell Monitoring Made Easy

Published: 30 January 2024 - 1 min. read

The Active Directory database is, by far, the most important piece of AD. After all, without the database, AD wouldn’t be much good at all. Where is the Active Directory database? Where is the ntds.dit location? And how do you monitor the database? You’ll learn the answers to these questions in this tutorial!

It’s important to monitor all aspects of AD and the database itself is of utmost importance. This is why it’s well worth the time to investigate what the database consists of and how best to monitor it to ensure it stays healthy.


In this article, we’re going to build a PowerShell script that queries the AD database on every DC in your domain and reports one important metric about it: the overall database size.

Ntds.dit (The Active Directory Database)

An AD database consists of a file called ntds.dit, which is usually located in C:\Windows\NTDS on every domain controller.

To ensure we get the proper path, we’ll first need to look it up on each DC. The path is stored in the 'DSA Database File' value under the registry key HKLM:\System\CurrentControlSet\Services\NTDS\Parameters.

Finding the AD Database with PowerShell

Let’s query all of the DCs in our environment for the database file path.

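# Get the name of every domain controller (-Filter * returns all DCs, not just the one discovered)
$dcs = (Get-ADDomainController -Filter *).Name
# Read the NTDS parameters on each DC; 'DSA Database File' holds the path to ntds.dit
$dbs = Invoke-Command -ComputerName $dcs -ScriptBlock {
    Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\NTDS\Parameters
} | Select-Object PSComputerName,'DSA Database File'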

Now that I know the path to the Active Directory database on each DC, I can query the current size of each one. To do this, I’ll use a foreach loop and iterate through the $dbs variable I created above, which contains the domain controller name and the path to the database file on each.

Monitoring the Size of the AD Database

To make the output easier to read, I’m going to use an $output hashtable and add values to it as I read each database file: the domain controller name and the size of its database. I’ll then convert the hashtable to a custom object once I’m done reading the database file. This gives nicer output than simply PSComputerName, DSA Database File and the size.

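$dbs | ForEach-Object {
    # Ordered hashtable so the properties appear in the order they are added
    $output = [ordered]@{}
    $path = $_.'DSA Database File'
    $output.Add('DomainController', $_.PSComputerName)
    # Read the file size on the DC itself and convert bytes to GB
    $size = Invoke-Command -ComputerName $_.PSComputerName -ScriptBlock {
        (Get-ItemProperty -Path $using:path).Length / 1GB
    }
    $output.Add('DatabaseSizeDB', $size)
    [pscustomobject]$output
}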

This snippet outputs an object with a DomainController and a DatabaseSizeDB property. In my demo environment, I only have a single DC. If you were running this in production, you’d see each of your domain controllers along with the total database size in GB next to each one.

Now you have a script you can run at any time to get a point-in-time snapshot of just how big each of your Active Directory database files has grown to!
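The following is an added example, not code from the original article. It goes one step beyond the point-in-time snapshot by comparing two snapshots and flagging any DC whose database size changed more than expected. The function names, the 10% threshold and the sample DC names are assumptions.

```powershell
# Added example. Function names, the 10% threshold and the sample DC names are assumptions.
function Get-NtdsSnapshot {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    # One remote call per DC: read the registry value and the file size together.
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
        $key  = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
        $path = (Get-ItemProperty -Path $key).'DSA Database File'
        [pscustomobject]@{
            DomainController = $env:COMPUTERNAME
            SizeGB           = [math]::Round((Get-Item -Path $path).Length / 1GB, 3)
        }
    } | Select-Object DomainController, SizeGB
    # Unreachable DCs are reported instead of silently missing from the snapshot.
    foreach ($f in $failed) { Write-Warning "DC query failed: $f" }
}

function Compare-NtdsSnapshot {
    param($Previous, $Current, [double]$MaxChangePercent = 10)
    foreach ($now in $Current) {
        $before = $Previous | Where-Object DomainController -eq $now.DomainController | Select-Object -First 1
        if ($before) {
            # Casts allow snapshots reloaded with Import-Csv, where values are strings.
            $prevGB = [double]$before.SizeGB
            $change = [math]::Round(([double]$now.SizeGB - $prevGB) / $prevGB * 100, 1)
            $status = if ([math]::Abs($change) -gt $MaxChangePercent) { 'Investigate' } else { 'OK' }
        } else {
            $prevGB = $null; $change = $null; $status = 'NoBaseline'
        }
        [pscustomobject]@{
            DomainController = $now.DomainController
            PreviousGB       = $prevGB
            CurrentGB        = [double]$now.SizeGB
            ChangePercent    = $change
            Status           = $status
        }
    }
}

# Constructed sample snapshots so the comparison runs without a domain.
$yesterday = [pscustomobject]@{ DomainController = 'DC01'; SizeGB = 2.00 },
             [pscustomobject]@{ DomainController = 'DC02'; SizeGB = 2.10 }
$today     = [pscustomobject]@{ DomainController = 'DC01'; SizeGB = 2.05 },
             [pscustomobject]@{ DomainController = 'DC02'; SizeGB = 2.60 },
             [pscustomobject]@{ DomainController = 'DC03'; SizeGB = 1.90 }
Compare-NtdsSnapshot -Previous $yesterday -Current $today | Format-Table -AutoSize

# In a domain, collect a real snapshot with:
# Get-NtdsSnapshot -ComputerName (Get-ADDomainController -Filter *).HostName
```

With the constructed data, DC01 stays within the threshold, DC02 is flagged for review, and DC03 is reported as having no baseline.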
