How to check AD database integrity?

Here are best practices for checking your AD database (on Windows Server 2008 R2 or greater, where AD DS can be stopped as a service) for errors and for attempting to fix some of them. Note: running these checks before creating an IFM (Install From Media) set is highly recommended, since any corruption in ntds.dit would otherwise be carried into the media and into every DC promoted from it.

First stop the "Active Directory Domain Services" service. Stopping it with -Force also stops the services that depend on it (Intersite Messaging, DFS Replication, KDC), so note which of those were running: they will not come back on their own when you start ntds again.

Write-Output "Checking the NTDS database for errors (semantic database analysis) `r "
Stop-Service ntds -Force

#The following command verifies the "checksum" of the database (every page of ntds.dit is read and its checksum compared with what is stored in the page):

PS C:\> ntdsutil
C:\Windows\system32\ntdsutil.exe: activate instance ntds
Active instance set to "ntds".
C:\Windows\system32\ntdsutil.exe: files
file maintenance: checksum
Doing checksum validation for db: D:\NTDS\ntds.dit.

File: D:\NTDS\ntds.dit
Checksum Status (% complete)
0    10   20   30   40   50   60   70   80   90  100
|----|----|----|----|----|----|----|----|----|----|
...................................................

3074 pages seen.
0 bad checksums.
0 correctable checksums
905 uninitialized pages.
0 wrong page numbers.
[…]

#There is another command that checks the "integrity" of the database. Before running it, Microsoft's ntdsutil documentation says to run "recover" first. Recovery "ensures all committed transactions [...] are reflected in the data file", i.e. it performs a soft recovery that replays the transaction logs into ntds.dit, so that the integrity check examines the up-to-date database rather than one with committed changes still sitting in the logs.

#Since we are still in "ntdsutil, files", we can simply enter the command as follows:

file maintenance: recover
Initiating RECOVERY mode…
Log files: D:\NTDS.
System files: D:\NTDS.
Performing soft recovery…
Database recovery is successful.
# We still have not run the integrity check, and NTDSUTIL is already recommending yet another test (the semantic database analysis). We'll look at that in a moment. For now, let's check database "integrity", that is, consistency of the database file itself, with the following command:

file maintenance: integrity
Doing Integrity Check for db: D:\NTDS\ntds.dit.
Checking database integrity.

Scanning  Status (% complete)
0    10   20   30   40   50   60   70   80   90  100
|----|----|----|----|----|----|----|----|----|----|
...................................................

Some notes...

  • This test reads the entire ntds.dit file, the database as a whole, so on a large database it can take some time: roughly 2 GB per hour.
  • It looks for low-level (binary) corruption in the ESE database file, not for logical problems with the directory objects themselves; that is what the semantic database analysis is for.
  • Once again, ntdsutil recommends running the "semantic database analysis" command, so with no further ado, we'll do just that:

C:\Windows\system32\ntdsutil.exe: semantic database analysis
semantic checker: go
Fixup mode is turned off
……Done.

Writing summary into log file dsdit.dmp.0
SDs scanned:            123
Records scanned:       3806
Processing records..Done. Elapsed time 0 seconds.

Yes, after we enter "semantic database analysis" we have to enter go at the "semantic checker" prompt. The reader may have noticed that there is not much data to analyze. That is correct: this is a test domain controller with very few objects in the ntds.dit database. The summary is written to the log file dsdit.dmp.0 (shown above), which is worth keeping with the rest of your evidence.
If errors are reported, we can attempt to repair them with the "go fixup" command (that is, "Go Fixup" instead of "Go"), entered at the same "semantic checker" prompt where we entered "go" above. Fixup modifies the database, so take a system state backup of the DC before running it, and review dsdit.dmp.0 first so you know what it is about to change.
Script:

$dbChecker = ntdsutil "activate instance ntds" "semantic database analysis" "verbose on" "Go" q q

OR

$dbChecker = ntdsutil "activate instance ntds" "semantic database analysis" "verbose on" "Go Fixup" q q

Each quoted argument is fed to ntdsutil as one line of input, in order. "verbose on" is a command of the semantic checker menu, not of the top-level ntdsutil prompt, so it has to come after "semantic database analysis"; the two q's then quit the semantic checker and ntdsutil itself. Assigning the result to $dbChecker captures ntdsutil's output so it can be printed or logged after the services are back up.

Finally start the "Active Directory Domain Services" service again. Start-Service does not start the services that depend on ntds, so start "DFS Replication", "Intersite Messaging" and "KDC" explicitly (and verify that they are running) rather than assuming they came back with ntds.

Start-Service ntds
Start-Service dfsr, ismserv, kdc
Write-Output "Results of Active Directory database integrity check: `r "
$dbChecker
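The steps above (stop AD DS, checksum, recover, integrity, semantic database analysis, start AD DS) put together as one script. This is an added example, not the script from the original post. It assumes an elevated PowerShell 3.0 or later session on a Windows Server 2008 R2 or later DC with ntdsutil.exe on the path; the strings it matches to decide whether a stage passed are the ones ntdsutil prints in the transcripts above, except "Integrity check successful" and the assumption that semantic checker findings are reported on lines beginning with "Error", both of which are assumptions here. The function Invoke-NtdsOfflineCheck and the $LogPath parameter are this example's own names.

```powershell
# Added example (not the original post's script): offline ntds.dit check on a
# Windows Server 2008 R2+ DC. Run from an elevated PowerShell 3.0+ session.
function Invoke-NtdsOfflineCheck {
    param(
        # Where the full ntdsutil transcript is saved for later review.
        [string]$LogPath = (Join-Path $env:TEMP ("ntds-check-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date)))
    )

    # Remember which services that depend on NTDS are running now. Stop-Service -Force
    # stops them, but Start-Service ntds will not bring them back, so we restart them ourselves.
    $ntds = Get-Service -Name ntds
    $dependents = @($ntds.DependentServices |
        Where-Object { $_.Status -eq 'Running' } |
        Select-Object -ExpandProperty Name)

    # Each element is one line of ntdsutil input, in the same order as the
    # interactive session in the post: checksum -> recover -> integrity in the
    # "files" menu, then the semantic checker. "verbose on" is a semantic checker
    # command, so it is sent only after entering that menu.
    $ntdsutilInput = @(
        'activate instance ntds',
        'files', 'checksum', 'recover', 'integrity', 'quit',
        'semantic database analysis', 'verbose on', 'go', 'quit',
        'quit'
    )

    $output = ''
    try {
        Stop-Service -Name ntds -Force
        # Capture stdout and stderr together; the progress bars use carriage returns,
        # so the transcript is kept as one string rather than parsed line by line.
        $output = & ntdsutil.exe @ntdsutilInput 2>&1 | Out-String
    }
    finally {
        # Always bring the DC back, even if ntdsutil failed part way through.
        Start-Service -Name ntds
        foreach ($name in $dependents) { Start-Service -Name $name }
    }

    $output | Set-Content -Path $LogPath

    # One pass/fail per stage. $false means "go read the log", not "repaired":
    # nothing here runs "go fixup"; that is a deliberate, backed-up, manual step.
    $results = [ordered]@{
        Checksum  = [bool]($output -match '(?m)^\s*0 bad checksums\.')
        Recover   = [bool]($output -match 'Database recovery is successful')
        Integrity = [bool]($output -match 'Integrity check successful')        # assumed success string
        Semantic  = [bool](($output -match 'Records scanned:') -and
                           -not ($output -match '(?im)^\s*error\b'))          # assumed: findings start with "Error"
    }

    [pscustomobject]@{
        Log       = $LogPath
        Results   = $results
        AllPassed = -not ($results.Values -contains $false)
        # The semantic checker's own summary file, as named in its output.
        DsditDump = 'dsdit.dmp.0'
    }
}

$check = Invoke-NtdsOfflineCheck
$check.Results
if (-not $check.AllPassed) {
    Write-Warning "One or more checks did not pass cleanly. Review $($check.Log) and $($check.DsditDump) before creating IFM media or running 'go fixup'."
}
```

The try/finally is the part worth copying even if you keep the rest interactive: a DC left with AD DS stopped because a script aborted halfway is a worse outcome than a skipped check. The stage patterns are intentionally strict (an exact "0 bad checksums" rather than the absence of an error message), so an unexpected or truncated transcript shows up as a failure to investigate rather than a silent pass.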

Web resources: