Using NTDSUtil for Active Directory Database Troubleshooting and Repair

The Active Directory database is the same type of database that is used within applications such as Microsoft Exchange Server. If you are familiar with the utilities used with an Exchange server, you will recognize some of the utilities used with Active Directory. A benefit of using NTDSUtil is that the cryptic commands needed to manage the Exchange databases are encapsulated into easier-to-understand commands.

Upcoming chapters will introduce some of the other utilities, such as dsastat and dcdiag; however, for now let's concentrate on the tool that is used to manage the consistency of the Active Directory database—NTDSUtil. Using this tool, you can perform the following actions:

♦ Check database integrity

♦ Recover the database

♦ Compact the database

♦ Move the database

♦ Remove orphaned objects

♦ Maintain security accounts

In the following sections, we detail the steps required to perform each of these actions. Although you'll rarely have to perform most of these actions, you should understand when and how to use NTDSUtil to perform each one.

The NTDSUtil utility is included on Windows domain controllers. There are very few differences between the versions of NTDSUtil that ship with Windows Server (2000, 2003, and 2008), so most of what is presented within this chapter applies to any of your domain controllers. We will point out the differences as we go along.

Committing Transactions to the Database

Because of the nature of the Extensible Storage Engine (ESE) database, all the transactions are processed in memory and written to log files before they are committed to the database on the hard drive. If the server were to fail, the transaction logs would still contain all the information necessary to bring the database back to a consistent state.

Before performing most of the actions detailed here, commit the transactions to the database; this is also known as performing a recovery procedure. Just follow these steps:

1. When starting the computer, press F8 to enter the Startup Selection screen.

2. Select Directory Services Restore Mode.

3. Once you log on with the Directory Services Restore Mode Administrator account, open a command prompt.

4. At the command prompt, type ntdsutil and press Enter.

5. From the ntdsutil: prompt, type Files and press Enter.

6. From the file maintenance: prompt, type Recover and press Enter.

As shown in Figure 14.3, the screen will display information about what is taking place as the recovery is running. After the recovery is complete, the database will be consistent and you will be able to run other utilities as necessary.

Figure 14.3

NTDSUtil is used to commit the transactions to the database.

D:\Documents and Settings\Administrator>ntdsutil
ntdsutil: files
file maintenance: recover
Executing Command: D:\WINDOWS\system32\esentutl.exe /r edb /l"D:\WINDOWS\NTDS" /s"D:\WINDOWS\NTDS" /8 /o

Initiating RECOVERY mode...
    Logfile base name: edb
            Log files: D:\WINDOWS\NTDS
         System files: D:\WINDOWS\NTDS

Performing soft recovery...

Operation completed successfully in 2.94 seconds.

Spawned Process Exit code 0x0(0)

If recovery was successful, it is recommended you run semantic database analysis to ensure semantic database consistency as well.

file maintenance:

If errors crop up while you're running the recovery on a Windows 2000-based domain controller, and the recovery option does not repair them, you may need to repair the database. Exercise caution before you run this command against your database, because you could lose data in the process.

Make sure you have a good backup of your domain controller. You might want to contact Microsoft Product Support Services to make sure that you have covered all your bases; they may have another option for you to try before you run a repair.

Once you are committed to running the repair process, follow these steps:

1. When starting the computer, press F8 to enter the Startup Selection screen.

2. Select Directory Services Restore Mode.

3. Once you log on with the Directory Services Restore Mode Administrator account, open a command prompt.

4. At the command prompt, type ntdsutil and press Enter.

5. From the ntdsutil: prompt, type Files and press Enter.

6. From the file maintenance: prompt, type Repair and press Enter.

Checking Database Integrity

When you are checking the integrity of the database, every single byte of data within the database is analyzed for corruption. This procedure can take a great deal of time if your database is large. This is not something you should do just because you want to see what happens. Before starting an integrity check, make sure you have performed the recovery procedure as detailed previously. The steps to perform an integrity check are as follows:

1. When starting the computer, press F8 to enter the Startup Selection screen.

2. Select Directory Services Restore Mode.

3. Once you log on with the Directory Services Restore Mode Administrator account, open a command prompt.

4. At the command prompt, type ntdsutil and press Enter.

5. From the ntdsutil: prompt, type Files and press Enter.

6. From the file maintenance: prompt, type integrity and press Enter.

As you can see in Figure 14.4, the utility will perform the check against the database. If any errors are reported, contact Microsoft Product Support Services to determine how you should proceed.

Figure 14.4

NTDSUtil integrity check

D:\Documents and Settings\Administrator>ntdsutil
ntdsutil: files
file maintenance: integrity
Opening database [Current].
Executing Command: D:\WINDOWS\system32\esentutl.exe /g"D:\WINDOWS\NTDS\ntds.dit" /8 /o

Initiating INTEGRITY mode...
        Database: D:\WINDOWS\NTDS\ntds.dit
  Temp. Database: TEMPINTEG244.EDB

Checking database integrity.

                     Scanning Status (% complete)

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................

Integrity check successful.

Operation completed successfully in 15.657 seconds.

Spawned Process Exit code 0x0(0)

If integrity was successful, it is recommended you run semantic database analysis to ensure semantic database consistency as well.

file maintenance:
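The recover, integrity and semantic-analysis sequence described above, scripted so that each step only runs if the previous one succeeded. This is an added example, not code from the book: it passes ntdsutil its commands as arguments instead of typing them at the prompts, assumes it is run in Directory Services Restore Mode with ntdsutil.exe and esentutl.exe on the PATH, and takes an -Activate switch for Windows Server 2008, where the files menu requires "activate instance ntds" first (2000 and 2003 do not have that command).

```powershell
# Added example, not from the book: recover -> integrity -> semantic analysis,
# stopping at the first step that fails.
param(
    [string]$NtdsDir = "$env:SystemRoot\NTDS",   # assumed default location
    [switch]$Activate                            # Windows Server 2008 only
)
$ErrorActionPreference = 'Stop'

function Invoke-NtdsUtil {
    # One string per ntdsutil command, in the order you would type them; every menu
    # entered needs its own "quit" so the tool exits instead of waiting for input.
    param([string[]]$Commands)
    Write-Host ">>> ntdsutil $($Commands -join ' / ')"
    $output = & ntdsutil.exe @Commands 2>&1 | ForEach-Object { "$_" }
    $output | ForEach-Object { Write-Host "    $_" }
    return $output
}

function Test-SpawnedOk {
    # ntdsutil hands recover/integrity to esentutl and echoes its exit code; the
    # figures show "Spawned Process Exit code 0x0(0)" on success.
    param([string[]]$Output)
    return [bool]($Output -match 'Exit code 0x0\(0\)')
}

$prefix = @()
if ($Activate) { $prefix = @('activate instance ntds') }

# 0. Header check before touching anything: esentutl /mh prints the database
#    State; "Dirty Shutdown" means logs still need replaying, which "recover" does.
$header = & esentutl.exe /mh (Join-Path $NtdsDir 'ntds.dit') 2>&1 | ForEach-Object { "$_" }
$state  = $header | Select-String 'State:' | Select-Object -First 1
Write-Host "ntds.dit header: $state"

# 1. Recover: replay the transaction logs into the database (files -> recover).
$rec = Invoke-NtdsUtil ($prefix + @('files', 'recover', 'quit', 'quit'))
if (-not (Test-SpawnedOk $rec)) { throw 'Recovery failed; do not continue to integrity.' }

# 2. Integrity: every page is read, so this can take a long time on a big database.
$int = Invoke-NtdsUtil ($prefix + @('files', 'integrity', 'quit', 'quit'))
if (-not (Test-SpawnedOk $int) -or -not ($int -match 'Integrity check successful')) {
    throw 'Integrity check did not succeed; stop here and contact Microsoft support.'
}

# 3. Semantic database analysis, the follow-up both figures recommend. "go" only
#    reports problems; "go fixup" would also try to correct them, so run "go" first.
Invoke-NtdsUtil ($prefix + @('semantic database analysis', 'verbose on', 'go', 'quit', 'quit')) | Out-Null
Write-Host 'Sequence complete; review the semantic analysis output above.'
```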

Compacting the Database

During normal operations, the Active Directory database will not need to be compacted. Every domain controller will perform its own garbage collection every 12 hours by default. During this garbage collection, the database will be defragmented, but the database size will not be reduced. This usually does not present a problem, because databases tend to grow over time to take up the additional free space.

With that being said, there are times when you may want to recover disk space with an offline defragmentation and compaction. If you have just deleted a large number of objects from Active Directory, have removed the Global Catalog role from a domain controller, or have just moved several accounts to another domain, you may want to reduce the size of your database.

To log an event to the Directory Services event log that will tell you the amount of space that you can free up during an offline defragmentation, you can change the registry entry at HKEY_LOCAL_ MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\Garbage Collection to a value of 1.

To compact your database, follow these steps:

1. When starting the computer, press F8 to enter the Startup Selection screen.

2. Select Directory Services Restore Mode.

3. Once you log on with the Directory Services Restore Mode Administrator account, create an empty directory to store the new compacted database.

4. Open a command prompt.

5. At the command prompt, type ntdsutil and press Enter.

6. From the ntdsutil: prompt, type Files and press Enter.

7. From the file maintenance: prompt, type compact and press Enter.

After the compact command finishes, copy the new compacted database file, ntds.dit, to the location of the original database file. The utility will let you know where to copy the database if you are unsure, as seen in Figure 14.5.

You should also delete the old log files that were associated with the original bloated database file. Again, if you are unsure of the location of the log files, the compact utility will let you know where they are located.

Figure 14.5

NTDSUtil after moving the database
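The compaction steps above, with the checks a careful administrator puts around them: the compacted copy is integrity-checked before it replaces the live file, the live file is kept under a new name until the domain controller is confirmed healthy, and the old transaction logs are deleted only after the swap. This is an added example, not the book's code; it assumes Directory Services Restore Mode, an example target directory D:\NTDS-Compact on a volume with enough free space, and an -Activate switch for Windows Server 2008.

```powershell
# Added example, not from the book: offline defragmentation with verification.
param(
    [string]$NtdsDir    = "$env:SystemRoot\NTDS",   # assumed default location
    [string]$CompactDir = 'D:\NTDS-Compact',         # example path, must be empty
    [switch]$Activate                                # Windows Server 2008 only
)
$ErrorActionPreference = 'Stop'
$live = Join-Path $NtdsDir    'ntds.dit'
$new  = Join-Path $CompactDir 'ntds.dit'

# Step 3: an empty directory for the compacted database.
if (-not (Test-Path $CompactDir)) { New-Item -ItemType Directory -Path $CompactDir | Out-Null }
if (Get-ChildItem $CompactDir) { throw "$CompactDir must be empty" }

# Steps 5-7: files -> compact to <dir>, as one non-interactive ntdsutil call.
$cmds = @()
if ($Activate) { $cmds += 'activate instance ntds' }
$cmds += 'files', "compact to $CompactDir", 'quit', 'quit'
$out = & ntdsutil.exe @cmds 2>&1 | ForEach-Object { "$_" }
$out | ForEach-Object { Write-Host "    $_" }
if (-not ($out -match 'Exit code 0x0\(0\)')) { throw 'compact did not finish cleanly' }

# The same check ntdsutil's "integrity" command runs, but against the new copy.
$chk = & esentutl.exe /g $new 2>&1 | ForEach-Object { "$_" }
if (-not ($chk -match 'Integrity check successful')) { throw 'compacted ntds.dit failed integrity' }

# How much space was actually recovered.
$before = (Get-Item $live).Length
$after  = (Get-Item $new).Length
Write-Host ("ntds.dit: {0:N0} bytes -> {1:N0} bytes ({2:N0} freed)" -f $before, $after, ($before - $after))

# Swap: keep the old file until the DC has booted normally and replicated.
Rename-Item -Path $live -NewName 'ntds.dit.old'
Copy-Item -Path $new -Destination $live

# Old logs belong to the old database; ntdsutil's own output tells you to delete them.
Get-ChildItem -Path $NtdsDir -Filter '*.log' | Remove-Item
Write-Host "Done. Delete $NtdsDir\ntds.dit.old once the domain controller is healthy."
```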

Moving the Database

As databases age, they tend to grow. Even with our best intentions and attempts to create partitions and volumes large enough to hold databases, sometimes they grow too large. There are also times when you may want to take a database off a spindle that shows signs of having problems. Being proactive and moving the database to another drive may save you headaches later on.

To move the database, follow these steps:

1. When starting the computer, press F8 to enter the Startup Selection screen.

2. Select Directory Services Restore Mode.

3. Once you log on with the Directory Services Restore Mode Administrator account, open a command prompt.

4. At the command prompt, type ntdsutil and press Enter.

5. At the ntdsutil: prompt, type Files and press Enter.

6. At the file maintenance: prompt, type move DB to <directory> and press Enter. The <directory> can be any location on a partition or volume that has enough space to hold the database and that, preferably, has room for the database to continue growing. If the directory to which you are moving the database does not already exist, the utility will create it for you.

The utility will also configure the system to use the new location so that you do not have to perform any other steps to tell the operating system where to locate the database. However, you should perform a backup of the domain controller after moving the database so that your backup files reflect the new location of the database.

Moving the Log Files

The same issues hold true for the transaction log files that affect the database. You may not have enough room on a partition or volume to hold the logs; more than likely, however, you either will have a failing drive or you will simply want to separate the transaction log files and the database. As a matter of fact, I recommend that you move the transaction logs off the physical disk where the database files are. Place them on their own physical disk so that they do not have to compete for disk time with any other service. Once you do so, the system will perform better.

The steps to move the transaction logs are basically the same as those to move the database:

1. When starting the computer, press F8 to enter the Startup Selection screen.

2. Select Directory Services Restore Mode.

3. Once you log on with the Directory Services Restore Mode Administrator account, open a command prompt.

4. At the command prompt, type ntdsutil and press Enter.

5. At the ntdsutil: prompt, type Files and press Enter.

6. At the file maintenance: prompt, type move logs to <directory> and press Enter.

Again, <directory> does not have to exist before you take these steps; the system will create the directory for you. You should back up the system after performing the move so that the files can be restored if necessary.
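Both moves from the two procedures above in one script, followed by the check the text leaves implicit: reading back the NTDS Parameters registry values that ntdsutil rewrites, so you know where the directory service will look for its files before you leave Directory Services Restore Mode. This is an added example, not the book's code; D:\NTDS, E:\NTDSLogs and F: are example locations, and -Activate is for Windows Server 2008.

```powershell
# Added example, not from the book: move DB and logs, then verify the registry.
param(
    [string]$DbDir        = 'D:\NTDS',       # example: database on its own disk
    [string]$LogDir       = 'E:\NTDSLogs',   # example: logs on a second disk
    [string]$BackupTarget = 'F:',            # example: where the backup goes
    [switch]$Activate                        # Windows Server 2008 only
)
$ErrorActionPreference = 'Stop'
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# Before: current locations and free space on the target volumes.
$p = Get-ItemProperty -Path $paramsKey
Write-Host "Current DB : $($p.'DSA Database file')"
Write-Host "Current log: $($p.'Database log files path')"
foreach ($dir in $DbDir, $LogDir) {
    $drive = Get-PSDrive -Name $dir.Substring(0, 1)
    Write-Host ("{0,-12} free on {1}: {2:N0} MB" -f $dir, $drive.Root, ($drive.Free / 1MB))
}

# Steps 5-6 of both procedures in one call; ntdsutil creates missing directories.
$cmds = @()
if ($Activate) { $cmds += 'activate instance ntds' }
$cmds += 'files', "move DB to $DbDir", "move logs to $LogDir", 'quit', 'quit'
& ntdsutil.exe @cmds 2>&1 | ForEach-Object { Write-Host "    $_" }

# After: the registry must point at the new places before you reboot normally.
$p = Get-ItemProperty -Path $paramsKey
$dbFile  = $p.'DSA Database file'
$logPath = $p.'Database log files path'.TrimEnd('\')
if ((Split-Path $dbFile -Parent).TrimEnd('\') -ne $DbDir.TrimEnd('\') -or $logPath -ne $LogDir.TrimEnd('\')) {
    throw "Registry still points at $dbFile / $logPath; do not reboot into normal mode"
}
if (-not (Test-Path $dbFile)) { throw "ntds.dit not found at $dbFile" }
Write-Host "Moved: database=$dbFile logs=$logPath"

# The book's last step: a backup that records the new locations, taken once the
# DC is back in normal mode (Windows Server 2008 syntax; 2000/2003 use ntbackup).
Write-Host "Next, after a normal reboot: wbadmin start systemstatebackup -backupTarget:$BackupTarget"
```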

Removing Orphaned Objects

Typically, when you decommission a domain controller the entries for the domain controller are removed from the database. The same holds true when you remove the last domain controller from a domain. If you select the check box that identifies the domain controller as the last one for the domain, all of the metadata for the domain will be removed from all the other domain controllers within the forest.

Removing Orphaned Domain Metadata

In a perfect world, you would not have to concern yourself with the metadata stored in the database— but as we know, nothing is perfect. You may encounter instances when the metadata for domain controllers or domains is not removed from the database correctly. This could be because a domain controller was demoted unsuccessfully or because a domain controller failed and you cannot restore it. In such an instance, services might try to connect to domain controllers that they think still exist. This can cause problems with replication as well as with the Knowledge Consistency Checker (KCC). To remove a domain's orphaned metadata, follow these steps:

1. Log on to the domain using an account that is a member of the Enterprise Admins group.

2. Make sure that all the domain controllers have been demoted or taken offline. Also, verify that all of the remaining domain controllers within the forest have replicated successfully.

3. Identify the domain controller that holds the Domain Naming Master Operations role. You can do this by opening Active Directory Domains and Trusts, right-clicking on the root node, and selecting Operations Master. You will find the Domain Naming Master domain controller within the Current Operations Master box.

4. Open a command prompt, type ntdsutil, and press Enter.

5. At the ntdsutil: prompt, type metadata cleanup and press Enter.

6. At the metadata cleanup: prompt, type connections and press Enter.

7. Type connect to server servername, where servername is the name of the domain controller holding the Domain Naming Master Operations role.

(If you have not logged on using an account that is a member of the Enterprise Admins group, you can set your credentials at this point by typing set creds domainname username password and then pressing Enter.)

8. Once you have received confirmation that the connection has been made, type quit and press Enter.

9. Type select operation target and press Enter.

10. Type list domains and press Enter.

11. From the list of domains that appears, locate the domain from which you want to remove the metadata, and the number with which that domain is associated.

12. Type select domain number and press Enter.

13. Type quit and press Enter.

14. Type remove selected domain and press Enter.

15. Once you receive confirmation that the domain metadata have been removed, type quit and press Enter.

16. Once you receive confirmation that the connection to the Domain Naming Master has been disconnected, type quit and press Enter.

Removing Orphaned Domain Controller Metadata

To remove Domain Controller metadata, you begin by using the same method you used to remove the domain; however, you need to remove additional data with other utilities to complete the removal. After running NTDSUtil, you have to remove the computer account, the File Replication Service (FRS) member, and the trustDomain object using ADSI Edit. The DNS entries using the DNS snap-in and the domain controller object within Active Directory Sites and Services will also need to be removed. The steps for all these procedures are given in the following sections.

We will start with Metadata Cleanup. To remove domain controller metadata, follow these steps from the NTDSUtil command-line utility:

1. Log on to the domain using an account that is a member of the Enterprise Admins group.

2. Verify that all the domain controllers within the forest have replicated successfully.

3. Open a command prompt, type ntdsutil, and press Enter.

4. At the ntdsutil: prompt, type metadata cleanup and press Enter.

5. At the metadata cleanup: prompt, type connections and press Enter.

6. Type connect to server servername, where servername is the name of the domain controller holding the Domain Naming Master Operations role.

(If you have not logged on using an account that is a member of the Enterprise Admins group, you can set your credentials at this point by typing set creds domainname username password and then pressing Enter.)

7. Once you have received confirmation that the connection has been made, type quit and press Enter.

8. Type select operation target and press Enter.

9. Type list domains and press Enter.

10. From the list of domains that appears, locate the domain of which the domain controller is a member, and note the number associated with the domain.

11. Type select domain number and press Enter.

12. Type list sites and press Enter.

13. From the list of sites that appears, locate the site of which the domain controller is a member and note the number associated with the site.

14. Type select site number and press Enter.

15. Type list servers in site and press Enter.

16. From the list of domain controllers that appears, locate the domain controller and note the number associated with it.

17. Type select server number and press Enter.

18. Type quit and press Enter.

19. Type remove selected server and press Enter.

20. Once you receive confirmation that the domain metadata have been removed, type quit and press Enter.

21. Once you receive confirmation that the connection has been disconnected, type quit and press Enter.
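The domain controller metadata cleanup steps above, driven from PowerShell. Because ntdsutil numbers its domain, site and server lists, the script runs the listing steps first, parses the "N - DN" lines, and only then re-enters the menus to select and remove. This is an added example, not the book's code; it assumes you are logged on as a member of Enterprise Admins, $Dnm is the Domain Naming Master, $DeadDc is the name of the failed domain controller, and that "remove selected server" still shows its confirmation dialog, which you answer by hand.

```powershell
# Added example, not from the book: scripted metadata cleanup of one dead DC.
param(
    [Parameter(Mandatory=$true)][string]$Dnm,        # Domain Naming Master
    [Parameter(Mandatory=$true)][string]$DomainDn,   # e.g. DC=corp,DC=example,DC=com
    [Parameter(Mandatory=$true)][string]$DeadDc      # e.g. DC2
)
$ErrorActionPreference = 'Stop'

function Invoke-Cleanup {
    # Steps 4-8 of the book's list, then $Steps, then enough quits to exit ntdsutil.
    param([string[]]$Steps, [int]$Quits = 3)
    $cmds = @('metadata cleanup', 'connections', "connect to server $Dnm", 'quit',
              'select operation target') + $Steps + @('quit') * $Quits
    & ntdsutil.exe @cmds 2>&1 | ForEach-Object { "$_" }
}

function Find-Index {
    # Number ntdsutil printed in front of the first DN that matches $Pattern, or -1.
    param([string[]]$Lines, [string]$Pattern)
    foreach ($l in $Lines) {
        if ($l -notmatch '^\s*(\d+)\s+-\s+(.+)$') { continue }
        $n, $dn = $Matches[1], $Matches[2]
        if ($dn -match $Pattern) { return [int]$n }
    }
    return -1
}

# Steps 9-11: list domains and pick ours.
$d = Find-Index (Invoke-Cleanup @('list domains')) "^$([regex]::Escape($DomainDn))$"
if ($d -lt 0) { throw "$DomainDn not in 'list domains' output" }

# Steps 12-16: walk the sites until "list servers in site" shows the dead DC.
$found = $null
foreach ($line in (Invoke-Cleanup @("select domain $d", 'list sites'))) {
    if ($line -notmatch '^\s*(\d+)\s+-\s+CN=') { continue }
    $s = [int]$Matches[1]
    $servers = Invoke-Cleanup @("select domain $d", "select site $s", 'list servers in site')
    $srv = Find-Index $servers "^CN=$([regex]::Escape($DeadDc)),"
    if ($srv -ge 0) { $found = @{ Site = $s; Server = $srv }; break }
}
if (-not $found) { throw "$DeadDc not found in any site of $DomainDn" }

# Steps 17-21: select the server, back out to metadata cleanup, remove, then quit.
Invoke-Cleanup @("select domain $d", "select site $($found.Site)", "select server $($found.Server)",
                 'quit', 'remove selected server') -Quits 2

# The computer account, FRS member and DNS records are still removed by hand, as the
# text says; first confirm the server object itself no longer appears in the forest.
& dsquery.exe server -forest | Select-String $DeadDc
```

If the last line prints anything, the removal did not go through and the remaining clean-up steps should not be started.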

Maintain Security Accounts

You can use the security account management option in NTDSUtil to perform tasks against security accounts. The tasks you can perform include checking for duplicate security identifiers (SIDs) or cleaning up duplicate SIDs.

To check for duplicate SIDs on the domain, follow these steps from the NTDSUtil command-line utility:

1. Log on to the domain using an account that is a member of the Enterprise Admins group.

2. Verify that all the domain controllers within the forest have replicated successfully.

3. Open a command prompt, type ntdsutil, and press Enter.

4. At the ntdsutil: prompt, type security account management and press Enter.

5. At the security account maintenance: prompt, type connect to server ServerName and press Enter.

6. Type check duplicate sid.

Responses

  • fatima
    How to repair windows 2008 AD database?
    8 years ago
  • berylla
    How to find the AD database size using ntdsutil?
    8 years ago
  • Mathew
    How to restore active directory using Ntdsutil 2008?
    8 years ago
  • Marko
    How to check the windows 2008 ad database consistency?
    8 years ago
  • Jonathan
    How to check and repair directory services database?
    8 years ago
  • BRANDON
    HOW TO: Use Ntdsutil to Manage Active Directory Files from the Command Line in Windows 2003?
    8 years ago
  • fioretta
    How To Use Ntdsutil to Manage Active Directory Files from the Command Line in Windows Server 2008?
    8 years ago
  • faryl findlay
    Why is ntdsutil used in Active Directory services?
    8 years ago
  • Swen
    What is the role of NTDSUTIL in Active Directory management?
    8 years ago
  • eric
    How to use ntdsutil to repair active directory?
    8 years ago
  • claudia
    How to do restore using ntdsutil windows 2003?
    8 years ago
  • Jorja
    How to run ntdsutil command windows server 2008?
    8 years ago
  • TILLY
    How to remove orphaned 2003 exchange server from active directory using ntdsutil?
    7 years ago
  • jens kalb
    How to check ntdsutil disk check?
    7 years ago
  • Kiera
    How to repair directory services 2008?
    7 years ago
  • Alceo
    How to check Integrity of Active Directory database after compaction?
    7 years ago
  • SANNA
    How to increase connection in ad using ntdsutil?
    7 years ago
  • lea
    What command in ntdsutil do you use to restore an entire ad database?
    7 years ago
  • isto
    What is dsastat vs ntdsutils?
    7 years ago
  • BELINDA
    How to use ntdsutil to compact the ad database in windows server 2008?
    6 years ago
  • Matilde
    How to check ad consistency ntdsutil?
    6 years ago
  • joe
    How to repair the Active directory database NTDSUTIL?
    11 months ago
  • amanda
    How to perform hard repair of the active directory database?
    5 months ago
  • Ghenet Kiros
    How to bind ntdsutil to active directory?
    3 months ago
  • nob
    How to fix a corrupt active directory windows server 2008?
    3 months ago
  • settimo
    How to repair directory services windows 2008 R2?
    21 days ago
