
Integrity check to Detect Low Level Active Directory Database Corruption

Active Directory maintains a multi-master database. Like any other database, it can suffer data corruption, crashes, data loss, and so on. In my entire career, I have still not come across a situation where a full database recovery was required in a production environment. The reason is that the AD DS database keeps replicating to the other available Domain Controllers, and it is very rare for all of the available Domain Controllers to crash at the same time and lose data.

By running an integrity check, we can identify binary-level AD database corruption. This check is part of the Ntdsutil tool, which is used for Active Directory database maintenance. It goes through every byte of the database file. The integrity command also checks whether the correct headers exist in the database itself and whether all of the tables are functioning and consistent. This process also runs as part of Directory Services Restore Mode (DSRM).

This check needs to run with the NTDS service stopped.

In order to run the integrity check:

1) Log in to the Domain Controller as a Domain/Enterprise Administrator.
2) Open PowerShell as Administrator.
3) Stop the NTDS service using net stop ntds.
4) Type:

   ntdsutil
   activate instance ntds
   files
   integrity

5) To exit from the utility, type quit.
6) It is also recommended to run a semantic database analysis to confirm the consistency of the Active Directory database contents.
7) To do so, type:

   ntdsutil
   activate instance ntds
   semantic database analysis
   go

8) If it detects any integrity issues, you can type go fixup to fix the errors.
9) After the process has completed, type net start ntds to start the NTDS service.
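The same procedure can be run end to end as a script, so that the NTDS service is always restarted even if ntdsutil fails part way through. This is an added example, not code from the original post; it assumes the default instance name "ntds", an elevated PowerShell session on the Domain Controller, and an output folder C:\ADMaintenance for the logs.

```powershell
# Added example (not from the original post): run the integrity check and the
# semantic database analysis non-interactively, logging the output of each.
# Assumptions: NTDS instance name "ntds" (the default), elevated session on the DC,
# log folder C:\ADMaintenance. Run in a maintenance window: stopping NTDS also stops
# the services that depend on it (KDC, DNS, DFSR) on this Domain Controller.
$ErrorActionPreference = 'Stop'
$logDir = 'C:\ADMaintenance'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# Remember which dependent services were running so they can be restarted afterwards
$dependents = (Get-Service -Name NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }

# Step 3: stop NTDS; -Force also stops the dependent services
Stop-Service -Name NTDS -Force

try {
    # Step 4: binary-level integrity check. ntdsutil accepts its menu commands as
    # quoted arguments; two "quit"s leave the "files" submenu and then the tool.
    $integrity = & ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' 'quit' 2>&1
    $integrity | Out-File -FilePath (Join-Path $logDir 'integrity.log')

    # Step 7: semantic database analysis in report-only mode ("go"). Use "go fixup"
    # instead only after reviewing the report, as the post describes in step 8.
    $semantic = & ntdsutil.exe 'activate instance ntds' 'semantic database analysis' 'go' 'quit' 'quit' 2>&1
    $semantic | Out-File -FilePath (Join-Path $logDir 'semantic.log')
}
finally {
    # Step 9: always bring NTDS back, then the services that were stopped with it
    Start-Service -Name NTDS
    foreach ($svc in $dependents) { Start-Service -Name $svc.Name }
    Get-Service -Name NTDS | Format-Table Name, Status
}

# ntdsutil prints "Integrity check successful." when the file is clean; anything else needs a look
if ($integrity -match 'Integrity check successful') {
    Write-Output 'Integrity check passed'
}
else {
    Write-Warning "Integrity check did not report success; review $logDir\integrity.log"
}
```

The two log files give you a record of the run for change management, and the warning branch is the place to hook in alerting if the check is scheduled.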
 
This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.