Recipe 16.7 Checking the DIT File s Integrity

Recipe 16.7 Checking the DIT File's Integrity

16.7.1 Problem

You want to check the integrity and semantics of the DIT file to verify there is no corruption or bad entries.

16.7.2 Solution

16.7.2.1 Using a command-line interface

First, reboot into Directory Services Restore Mode. Then run the following commands:

> ntdsutil files integrity q q > ntdsutil "semantic database analysis" "verbose on" go

16.7.3 Discussion

The Active Directory DIT file (ntds.dit) is implemented as a transactional database. Microsoft uses the ESE database (formerly called Jet) for Active Directory, which has been used for years in other products, such as Microsoft Exchange.

Since the Active Directory DIT ultimately is a database, it can suffer from many of the same issues that traditional databases do. The ntdsutil integrity command checks for any low-level database corruption and ensures that the database headers are correct and the tables are in a consistent state. It reads every byte of the database and can take quite a while to complete depending on how large your DIT file is. The time it takes is also greatly dependent on your hardware, but some early estimates from Microsoft for Windows 2000 put the rate at 2 GB an hour.

Whereas the ntdsutil integrity command verifies the overall structure and health of the database, the ntdsutil semantics command looks at the contents of the database. It will verify, among other things, reference counts, replication metadata, and security descriptors. If any errors are reported back, you can run go fixup to attempt to correct them. You should have a recent backup handy before doing this because in the worst case the corruption cannot be fixed or may become worse after the go fixup command completes.

16.7.4 See Also

Recipe 16.2 for booting into Directory Services Restore Mode and MS KB 315136 (HOW TO: Complete a Semantic Database Analysis for the Active Directory Database by Using Ntdsutil.exe)