
NTDS Object

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The NTDS object consists of counters that provide statistics about the activity of the Active Directory directory service. The object provides information about the following:

  • The Name Service Provider Interface (NSPI), used to facilitate communication between Active Directory and Exchange Directory Service (XDS)

  • The Local Security Authority (LSA), a protected subsystem that maintains security for the local computer

  • The Security Accounts Manager (SAM) interface, which provides compatibility between Windows Server 2003, Windows 2000, and Windows NT 4.0 domains

  • The Lightweight Directory Access Protocol (LDAP) interface, which provides the application programming interface (API) for LDAP clients and exposes the Active Directory Services Interface (ADSI) so that additional applications can be written to communicate with Active Directory

  • The Directory System Agent (DSA), the Active Directory process that runs on each domain controller and manages all the directory service functions

  • The Knowledge Consistency Checker (KCC), an Active Directory component that is responsible for generating the replication topology between domain controllers

Counter Name Description Counter Type

AB ANR/sec

Shows the rate at which Address Book clients perform Ambiguous Name Resolution (ANR) operations.


AB Browses/sec

Shows the rate at which Address Book clients perform browse operations.


AB Client Sessions

Shows the number of connected Address Book client sessions.


AB Matches/sec

Shows the rate at which Address Book clients perform find operations.


AB Property Reads/sec

Shows the rate at which Address Book clients perform property read operations.


AB Proxy Lookups/sec

Shows the rate at which proxy clients perform search operations.


AB Searches/sec

Shows the rate at which Address Book clients perform key search operations.


DRA Highest USN Committed (High part)

Shows the high-order 32 bits of the highest update sequence number (USN) committed on the DSA.


DRA Highest USN Committed (Low part)

Shows the low-order 32 bits of the highest USN committed on the DSA.


DRA Highest USN Issued (High part)

Shows the high-order 32 bits of the highest USN issued on the DSA.


DRA Highest USN Issued (Low part)

Shows the low-order 32 bits of the highest USN issued on the DSA.


DRA Inbound Bytes Compressed (Between Sites, After Compression)/sec

Shows the compressed size of inbound compressed replication data (size after compression, from DSAs in other sites).


DRA Inbound Bytes Compressed (Between Sites, Before Compression)/sec

Shows the original size of inbound compressed replication data (size before compression, from DSAs in other sites).


DRA Inbound Bytes Not Compressed (Within Site)/sec

Shows the number of incoming bytes replicated that were not compressed at the source (that is, from DSAs in the same site).


DRA Inbound Bytes Total/sec

Shows the total number of bytes replicated in. This counter is the sum of the number of uncompressed bytes (never compressed) and the number of compressed bytes (after compression).


DRA Inbound Full Sync Objects Remaining

Shows the number of objects remaining until the full synchronization is completed (when set).


DRA Inbound Object Updates Remaining in Packet

Shows the number of object updates received in the current directory replication update packet that have not yet been applied to the local server.


DRA Inbound Objects Applied/sec

Shows the rate at which replication updates received from replication partners are applied by the local directory service. This counter excludes changes that are received but not applied (because, for example, the change has already been made). This indicates how much replication update activity is occurring on the server as a result of changes generated on other servers.


DRA Inbound Objects Filtered/sec

Shows the number of objects received from inbound replication partners that contained no updates that needed to be applied.


DRA Inbound Objects/sec

Shows the number of objects received from neighbors through inbound replication. A neighbor is a domain controller from which the local domain controller replicates locally.


DRA Inbound Properties Applied/sec

Shows the number of properties that are updated because the incoming property wins the reconciliation logic that determines the final value to be replicated.


DRA Inbound Properties Filtered/sec

Shows the number of property changes received during replication that have already been seen.


DRA Inbound Properties Total/sec

Shows the total number of object properties received from inbound replication partners.


DRA Inbound Values (DNs only)/sec

Shows the number of object property values received from inbound replication partners that are distinguished names (DNs) that reference other objects. DN values, such as group or distribution list memberships, are generally more expensive to apply than other kinds of values.


DRA Inbound Values Total/sec

Shows the total number of object property values received from inbound replication partners. Each inbound object has one or more properties, and each property has zero or more values. Zero values indicate property removal.


DRA Outbound Bytes Compressed (Between Sites, After Compression)/sec

Shows the compressed size of outbound compressed replication data (size after compression, from DSAs in other sites).


DRA Outbound Bytes Compressed (Between Sites, Before Compression)/sec

Shows the original size of outbound compressed replication data (size before compression, from DSAs in other sites).


DRA Outbound Bytes Not Compressed (Within Site)/sec

Shows the number of bytes replicated out that were not compressed (that is, from DSAs in the same site).


DRA Outbound Bytes Total/sec

Shows the total number of bytes replicated out. This counter is the sum of the number of uncompressed bytes (never compressed) and the number of compressed bytes (after compression).


DRA Outbound Objects Filtered/sec

Shows the number of objects that were determined by outbound replication to have no updates that the outbound partner did not already have.


DRA Outbound Objects/sec

Shows the number of objects replicated out.


DRA Outbound Properties/sec

Shows the number of properties replicated out.


DRA Outbound Values (DNs only)/sec

Shows the number of object property values containing DNs sent to outbound replication partners. DN values, such as group or distribution list memberships, are generally more expensive to read than other kinds of values.


DRA Outbound Values Total/sec

Shows the number of object property values sent to outbound replication partners.


DRA Pending Replication Synchronizations

Shows the number of directory synchronizations that are queued for this server but not yet processed.


DRA Reads

Shows the percentage of directory reads coming from the directory replication agent (DRA).


DRA Searches

Shows the percentage of directory searches coming from the DRA.


DRA Sync Failures on Schema Mismatch

Shows the number of synchronization requests made to neighbors that failed because their schemas are not synchronized.


DRA Sync Requests Made

Shows the number of synchronization requests made to neighbors.


DRA Sync Requests Successful

Shows the number of synchronization requests made to neighbors that were successfully returned.


DRA Writes

Shows the percentage of directory writes coming from the DRA.


DS Client Binds/sec

Shows the number of Ntdsapi.dll binds per second serviced by this domain controller.


DS Client Name Translations/sec

Shows the number of Ntdsapi.dll name translations per second serviced by this domain controller.


DS Directory Reads/sec

Shows the number of directory reads per second.


DS Directory Searches/sec

Shows the number of directory searches per second.


DS Directory Writes/sec

Shows the number of directory writes per second.


DS Monitor List Size

Shows the number of requests to be notified when objects are updated that are currently registered with this DSA.


DS Name Cache hit rate

Shows the percentage of directory object name component lookups that are satisfied out of the DSA's name cache.


DS Notify Queue Size

Shows the number of pending update notifications that have been queued but not yet transmitted to clients.


DS Other Reads

Shows the percentage of directory reads that do not come from SAM, DRA, LDAP, LSA, XDS, KCC, or NSPI.


DS Other Searches

Shows the percentage of directory searches that do not come from SAM, DRA, LDAP, LSA, XDS, KCC, or NSPI.


DS Other Writes

Shows the percentage of directory writes that do not come from SAM, DRA, LDAP, LSA, XDS, KCC, or NSPI.


DS Search sub-operations/sec

Shows the number of search suboperations per second. One search operation is made up of many suboperations. Each suboperation roughly corresponds to an object that the search causes the directory service to consider.


DS Security Descriptor Propagations Events

Shows the number of security descriptor propagation events that are queued but not yet processed.


DS Security Descriptor Propagator Average Exclusion Time

Shows the average length of time that the security descriptor propagator spends waiting for exclusive access to database elements during a security descriptor propagation suboperation.


DS Security Descriptor Propagator Runtime Queue

Shows the number of objects that remain to be examined while the current directory service security descriptor propagator event is being processed.


DS Security Descriptor sub-operations/sec

Shows the number of security descriptor propagation suboperations per second. One security descriptor propagation operation is made up of many suboperations.


DS Server Binds/sec

Shows the number of domain controller–to–domain controller binds per second that are serviced by this domain controller.


DS Server Name Translations/sec

Shows the number of domain controller–to–domain controller name translations per second that are serviced by this domain controller.


DS Threads in Use

Shows the current number of threads in use by the directory service (which is different from the number of threads in the directory service process). This is the number of threads currently servicing client API calls; it can be used to indicate whether additional processors should be used.


KCC Reads

Shows the percentage of directory reads that come from KCC.


KCC Searches

Shows the percentage of directory searches that come from KCC.


KCC Writes

Shows the percentage of directory writes that come from KCC.


KDC AS Requests

Shows the number of Authentication Server (AS) requests serviced by the Kerberos Key Distribution Center (KDC) per second. AS requests are used by the client to obtain a ticket-granting ticket.


KDC TGS Requests

Shows the number of Ticket Granting Server (TGS) requests serviced by the KDC per second. TGS requests are used by the client to obtain a ticket to a resource.


Kerberos Authentications

Shows the number of times per second that clients use a ticket to this domain controller to authenticate to this domain controller.


LDAP Active Threads

Shows the current number of threads in use by the LDAP subsystem of the local directory service.


LDAP Bind Time

Shows the time, in milliseconds, taken for the last successful LDAP bind.


LDAP Client Sessions

Shows the number of currently connected LDAP client sessions.


LDAP Searches

Shows the percentage of directory searches coming from LDAP.


LDAP Searches/sec

Shows the rate at which LDAP clients perform search operations.


LDAP Successful Binds

Shows the percentage of LDAP bind attempts that are successful.


LDAP Successful Binds/sec

Shows the number of LDAP binds per second.


LDAP UDP operations/sec

Shows the number of User Datagram Protocol (UDP) operations that the LDAP server is processing per second.


LDAP Writes

Shows the percentage of directory writes coming from LDAP.


LDAP Writes/sec

Shows the rate at which LDAP clients perform write operations.


LSA Reads

Shows the percentage of directory reads that come from LSA.


LSA Searches

Shows the percentage of directory searches that come from LSA.


LSA Writes

Shows the percentage of directory writes that come from LSA.


NSPI Reads

Shows the percentage of directory reads that come from NSPI.


NSPI Searches

Shows the percentage of directory searches that come from NSPI.


NSPI Writes

Shows the percentage of directory writes that come from NSPI.


NTLM Authentications

Shows the number of NTLM authentications per second serviced by this domain controller.


SAM Account Group Membership Evaluations/sec

Shows the number of SAM Account Group Membership Evaluations per second.


SAM Create Machine Attempts/sec

Shows the number of SAM create machine attempts per second.


SAM Create User Attempts/sec

Shows the number of SAM create-user attempts per second.


SAM Enumerations/sec

Shows the number of SAM enumerations per second.


SAM GC Evaluations/sec

Shows the number of SAM global catalog evaluations per second.


SAM Membership Changes/sec

Shows the number of SAM membership changes.


SAM Non-Transitive Membership Evaluations/sec

Shows the number of SAM nontransitive membership evaluations per second.


SAM Password Changes/sec

Shows the number of SAM password changes per second.


SAM Query Displays/sec

Shows the number of SAM query displays per second.


SAM Reads

Shows the percentage of directory reads that come from SAM.


SAM Resource Group Membership Evaluations/sec

Shows the number of SAM resource group membership evaluations per second.


SAM Searches

Shows the percentage of directory searches that come from SAM.


SAM Successful Create Machines/sec

Shows the number of machines that were successfully created per second.


SAM Successful Create Users/sec

Shows the number of users that were successfully created per second.


SAM Transitive Membership Evaluations/sec

Shows the number of SAM transitive membership evaluations per second.


SAM Universal Group Membership Evaluations/sec

Shows the number of SAM universal group membership evaluations per second.


SAM Writes

Shows the percentage of directory writes that come from SAM.


XDS Client Sessions

Shows the number of connected XDS client sessions. This indicates the number of connections from other Windows Server 2003 services and the Exchange Administrator program.


XDS Reads

Shows the percentage of directory reads that come from XDS.


XDS Searches

Shows the percentage of directory searches that come from XDS.


XDS Writes

Shows the percentage of directory writes that come from XDS.