Diberdayakan oleh Blogger.

Windows Server 2012 - Active Directory - NTDSUTIL, part 1

The NTDSUTIL tool can be used for various operations concerning Active Directory and the ntds.dit database. Some of the more familiar uses are transferring - or seizing - FSMO roles and restoring Active Directory objects.
Based on experiences with the ESEUTIL tool used on Exchange databases, I wanted to learn more about maintenance of the ntds.dit database with NTDSUTIL.
After some research and consultation, it looks like executing the commands that follow are usually not part of a scheduled maintenance plan. In general, the Active Directory database is rather robust and errors are not common. When they do occur, it is most often due to hardware errors such as bad blocks on a disk or perhaps improper shutdown.
In comparison, I encountered "SLINK" (Event ID 1025) errors in Exchange from time to time and was advised to run the following command:

Isinteg -test -alltests

If there were warnings or errors, we would attempt to resolve them with this command:

Isinteg -fix -test -alltests

I would also test database integrity with eseutil /g

The database would have to be indicated in either case but since that is not the subject of this post, I'm not going to provide all the details. The subject has been discussed more than once in the Exchange TechNet forums:

Error on database - EventID 1025 SLINK::ecupdate

So... how could we verify the health of the Active Directory ntds.dit database?

NTDSUTIL - general observations

If we have not used the NTDSUTIL tool since Windows 2003, the syntax (that changed with Windows 2008 already) may confuse us.
What if I want to verify the checksum of the ntds.dit database? I'll present that in just a moment but for now, let's simply attempt to run the command:

PS C:\> ntdsutil
C:\Windows\system32\ntdsutil.exe: files
Active Instance not set. To set an active instance use "Activate Instance ".
C:\Windows\system32\ntdsutil.exe: activate instance ntds
Active instance set to "ntds".
C:\Windows\system32\ntdsutil.exe: files
Service "NTDS" is running. Stop the service before binding to this Active Directory database.


Here we encounter two obstacles (highlighted in red above).

First, since Windows 2008, we have to "activate" an "instance" of ntds before we can execute any commands.

Second, as with Windows 2003 (and 2000), we cannot run NTDSUTIL against an active database (except to change the Directory Service Restore Mode  password - we'll see that later). But, unlike with Windows 2003, at least we no longer need to boot into DSRM. We can stop and start Active Directory, and more precisely the NTDS service, without restarting the entire server.

For years, I would use the following combination to stop and start services (NTDS in this case):

net stop ntds
net start ntds

These commands function but there are some obstacles:

PS C:\> net stop ntds

The following services are dependent on the Active Directory Domain Services service.
Stopping the Active Directory Domain Services service will also stop these services.

   Kerberos Key Distribution Center
   Intersite Messaging
   DNS Server
   DFS Replication

Do you want to continue this operation? (Y/N) [N]: Y

The Kerberos Key Distribution Center service was stopped successfully.
The Intersite Messaging service is stopping.
The Intersite Messaging service was stopped successfully.

The DNS Server service is stopping.
The DNS Server service was stopped successfully.

.The DFS Replication service was stopped successfully.
The Active Directory Domain Services service is stopping.
The Active Directory Domain Services service was stopped successfully.

After running the NTDSUTIL commands (that we'll see in a second - I promise!), we would have to restart the Active Directory Domain Services:

PS C:\> net start ntds

The Active Directory Domain Services service is starting...
The Active Directory Domain Services service was started successfully.


But what about the other services that were stopped?

Apparently, they are restarted when the NTDS service is restarted - which I was not sure would be the case. What follows is a "snip" from the output of the Get-Service cmdlet:

Running  DFSR               DFS Replication
Running  DNS                DNS Server
Running  IsmServ            Intersite Messaging
Running  Kdc                Kerberos Key Distribution Center

But since we are at Windows 2012 and the recommendation is to use Powershell, let's use these cmdlets to stop and (re)start services:

PS C:\> stop-service ntds

stop-service : Cannot stop service 'Active Directory Domain Services (ntds)' because it has dependent services. It can only be stopped if the Force flag is set. [...]

So we have to force shutdown with the... -force flag.

PS C:\> stop-service ntds -force

Now - finally - we are ready to try some NTDSUTIL commands

NTDSUTIL - files

The following command verifies the "checksum" of the database:

PS C:\> ntdsutil
C:\Windows\system32\ntdsutil.exe: activate instance ntds
Active instance set to "ntds".
C:\Windows\system32\ntdsutil.exe: files
file maintenance: checksum
Doing checksum validation for db: C:\Windows\NTDS\ntds.dit.

File: C:\Windows\NTDS\ntds.dit
                     Checksum Status (% complete)
          0    10   20   30   40   50   60   70   80   90  100

3074 pages seen.
0 bad checksums.
0 correctable checksums
905 uninitialized pages.
0 wrong page numbers.

As we can see, the database is just fine at this level.


There is another command that checks the "integrity" of the database. But first, Microsoft documentation states that before running the integrity command (below) we should run the "ntdsutil files recover" command. This commands "ensures all committed transactions [...] are reflected in the data file."

 Since we are still in "ntdsutil, files" , we can simply enter the command as follows:
file maintenance: recover
Initiating RECOVERY mode...
          Log files: C:\Windows\NTDS.
         System files: C:\Windows\NTDS.
Performing soft recovery...
Database recovery is successful.
It is recommended you run semantic database analysis
to ensure semantic database consistency as well.


So we have not yet run the integrity check and NTDSUTIL suggests yet another test. We'll look at that in a moment. For now, let's check database "integrity" - or consistency-  with the following command:

file maintenance: integrity
Doing Integrity Check for db: C:\Windows\NTDS\ntds.dit.
Checking database integrity.

                     Scanning  Status (% complete)
          0    10   20   30   40   50   60   70   80   90  100

Integrity check successful.

It is recommended you run semantic database analysis
to ensure semantic database consistency as well.


Some notes...
  • This test scans the entire ntds.dit file, the database as a whole, so, if it is large, it can take some time, possibly 2 GB / hour.
  • It looks for binary corruption at a "low level".
  • It may be the equivalent of eseutil /g in Exchange (?)
  • Once again, it is recommended to run the "semantic database analysis" command, so with no further ado, we'll do just that:

C:\Windows\system32\ntdsutil.exe: semantic database analysis
semantic checker: go
Fixup mode is turned off

Writing summary into log file dsdit.dmp.0
SDs scanned:            123
Records scanned:       3806
Processing records..Done. Elapsed time 0 seconds.


Yes, after we enter "semantic database analysis" we have to enter go at the "semantic checker" prompt. The reader may have noted that there is not much data to be analyzed. That is correct. This is a test domain controller with very few objects in the ntds.dit database.
If errors are indicated, we can attempt to repair them with the "go fixup" command. And yes, we would enter that exactly where we entered the "go" above.


Here ends my first blog post about the NTDSUTIL tool. In part 2, I'll look at some other uses of the tool: resetting the DSRM password, checking for duplicate SIDs and offline defragmentation.


NTDSUTIL Files commands

Thank you for reading the article about Windows Server 2012 - Active Directory - NTDSUTIL, part 1 on the blog NEW TECH If you want to disseminate this article on please list the link as the source, and if this article was helpful please bookmark this page in your web browser by pressing Ctrl + D on your keyboard keys.

New articles :