Recipe 16.7 Checking the DIT File's Integrity
You want to check the integrity and semantics of the DIT file to verify that it contains no corruption or bad entries.
Using a command-line interface
First, reboot into Directory Services Restore Mode. Then run the following commands:
> ntdsutil files integrity q q
> ntdsutil "semantic database analysis" "verbose on" go
The Active Directory DIT file (ntds.dit) is implemented as a transactional database. Microsoft uses the ESE database (formerly called Jet) for Active Directory, which has been used for years in other products, such as Microsoft Exchange.
Since the Active Directory DIT ultimately is a database, it can suffer from many of the same issues that traditional databases do. The ntdsutil integrity command checks for any low-level database corruption and ensures that the database headers are correct and the tables are in a consistent state. It reads every byte of the database and can take quite a while to complete depending on how large your DIT file is. The time it takes is also greatly dependent on your hardware, but some early estimates from Microsoft for Windows 2000 put the rate at 2 GB an hour.
Whereas the ntdsutil integrity command verifies the overall structure and health of the database, the ntdsutil semantics command looks at the contents of the database. It will verify, among other things, reference counts, replication metadata, and security descriptors. If any errors are reported back, you can run go fixup to attempt to correct them. You should have a recent backup handy before doing this because in the worst case the corruption cannot be fixed or may become worse after the go fixup command completes.
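The following PowerShell wrapper is an added example, not part of the original recipe. It runs the recipe's two ntdsutil commands with pre-flight checks, an offline copy of the DIT, and saved transcripts. The output folder D:\DitCheck is a hypothetical location, and the script assumes an elevated prompt in Directory Services Restore Mode.

```powershell
# Added example: logged run of the recipe's integrity and semantic checks.
# Assumption: $OutDir is a hypothetical folder on a volume with enough free space.
# The copy made below contains credential material, so restrict access to
# $OutDir to administrators, the same as the DIT's own folder.
$ErrorActionPreference = 'Stop'
$OutDir = 'D:\DitCheck'

# DSRM sets SAFEBOOT_OPTION to DSREPAIR; refuse to run in any other boot mode.
if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
    throw "Not in Directory Services Restore Mode (SAFEBOOT_OPTION='$env:SAFEBOOT_OPTION')."
}

# The DIT and transaction log locations are recorded in the NTDS service parameters.
$params  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ditPath = $params.'DSA Database file'
$logDir  = $params.'Database log files path'
if (-not (Test-Path -LiteralPath $ditPath)) { throw "DIT file not found: $ditPath" }

# Keep an offline copy of the DIT and its logs before any repair is attempted.
# This supplements, and does not replace, a recent backup.
$runDir = Join-Path $OutDir (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path (Join-Path $runDir 'logs') -Force | Out-Null
Copy-Item -LiteralPath $ditPath -Destination $runDir
Copy-Item -Path (Join-Path $logDir '*') -Destination (Join-Path $runDir 'logs')

# Run from $runDir so anything ntdsutil writes to the current directory
# ends up next to the transcripts.
Push-Location $runDir
try {
    # Low-level check: headers, tables, every byte of the database.
    & ntdsutil files integrity q q 2>&1 | Tee-Object -FilePath 'integrity.txt'

    # Content check. The trailing "q q" is added here so ntdsutil exits
    # instead of waiting at its interactive prompt.
    & ntdsutil 'semantic database analysis' 'verbose on' go q q 2>&1 |
        Tee-Object -FilePath 'semantics.txt'
}
finally {
    Pop-Location
}

Write-Host "Transcripts and pre-check copy saved under $runDir"
```

Review both transcripts before deciding whether to run go fixup; the script deliberately does not run it.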
16.7.4 See Also
Recipe 16.2 for booting into Directory Services Restore Mode and MS KB 315136 (HOW TO: Complete a Semantic Database Analysis for the Active Directory Database by Using Ntdsutil.exe)