Sunday, December 29, 2013

Windows Server 2012 - Active Directory - NTDSUTIL, part 1

The NTDSUTIL tool can be used for various operations concerning Active Directory and the ntds.dit database. Some of the more familiar uses are transferring - or seizing - FSMO roles and restoring Active Directory objects.
 
Based on experiences with the ESEUTIL tool used on Exchange databases, I wanted to learn more about maintenance of the ntds.dit database with NTDSUTIL.
 
After some research and consultation, it looks like executing the commands that follow are usually not part of a scheduled maintenance plan. In general, the Active Directory database is rather robust and errors are not common. When they do occur, it is most often due to hardware errors such as bad blocks on a disk or perhaps improper shutdown.
 
In comparison, I encountered "SLINK" (Event ID 1025) errors in Exchange from time to time and was advised to run the following command:

Isinteg -test -alltests

If there were warnings or errors, we would attempt to resolve them with this command:

Isinteg -fix -test -alltests

I would also test database integrity with eseutil /g

The database would have to be indicated in either case but since that is not the subject of this post, I'm not going to provide all the details. The subject has been discussed more than once in the Exchange TechNet forums:

Error on database - EventID 1025 SLINK::ecupdate

So... how could we verify the health of the Active Directory ntds.dit database?


NTDSUTIL - general observations

If we have not used the NTDSUTIL tool since Windows 2003, the syntax (that changed with Windows 2008 already) may confuse us.
 
What if I want to verify the checksum of the ntds.dit database? I'll present that in just a moment but for now, let's simply attempt to run the command:

PS C:\> ntdsutil
C:\Windows\system32\ntdsutil.exe: files
Active Instance not set. To set an active instance use "Activate Instance ".
C:\Windows\system32\ntdsutil.exe: activate instance ntds
Active instance set to "ntds".
C:\Windows\system32\ntdsutil.exe: files
Service "NTDS" is running. Stop the service before binding to this Active Directory database.
C:\Windows\system32\ntdsutil.exe:

***

Here we encounter two obstacles (highlighted in red above).

First, since Windows 2008, we have to "activate" an "instance" of ntds before we can execute any commands.

Second, as with Windows 2003 (and 2000), we cannot run NTDSUTIL against an active database (except to change the Directory Service Restore Mode  password - we'll see that later). But, unlike with Windows 2003, at least we no longer need to boot into DSRM. We can stop and start Active Directory, and more precisely the NTDS service, without restarting the entire server.

For years, I would use the following combination to stop and start services (NTDS in this case):

net stop ntds
net start ntds

These commands function but there are some obstacles:

PS C:\> net stop ntds

The following services are dependent on the Active Directory Domain Services service.
Stopping the Active Directory Domain Services service will also stop these services.


   Kerberos Key Distribution Center
   Intersite Messaging
   DNS Server
   DFS Replication


Do you want to continue this operation? (Y/N) [N]: Y

The Kerberos Key Distribution Center service was stopped successfully.
The Intersite Messaging service is stopping.
The Intersite Messaging service was stopped successfully.

The DNS Server service is stopping.
The DNS Server service was stopped successfully.

.The DFS Replication service was stopped successfully.
The Active Directory Domain Services service is stopping.
The Active Directory Domain Services service was stopped successfully.



After running the NTDSUTIL commands (that we'll see in a second - I promise!), we would have to restart the Active Directory Domain Services:

PS C:\> net start ntds

The Active Directory Domain Services service is starting...
The Active Directory Domain Services service was started successfully.



***

But what about the other services that were stopped?

Apparently, they are restarted when the NTDS service is restarted - which I was not sure would be the case. What follows is a "snip" from the output of the Get-Service cmdlet:

Running  DFSR               DFS Replication
Running  DNS                DNS Server
Running  IsmServ            Intersite Messaging
Running  Kdc                Kerberos Key Distribution Center


But since we are at Windows 2012 and the recommendation is to use Powershell, let's use these cmdlets to stop and (re)start services:

PS C:\> stop-service ntds

stop-service : Cannot stop service 'Active Directory Domain Services (ntds)' because it has dependent services. It can only be stopped if the Force flag is set. [...]

So we have to force shutdown with the... -force flag.

PS C:\> stop-service ntds -force

Now - finally - we are ready to try some NTDSUTIL commands


NTDSUTIL - files

The following command verifies the "checksum" of the database:

PS C:\> ntdsutil
C:\Windows\system32\ntdsutil.exe: activate instance ntds
Active instance set to "ntds".
C:\Windows\system32\ntdsutil.exe: files
file maintenance: checksum
Doing checksum validation for db: C:\Windows\NTDS\ntds.dit.

File: C:\Windows\NTDS\ntds.dit
                     Checksum Status (% complete)
          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................

3074 pages seen.
0 bad checksums.
0 correctable checksums
905 uninitialized pages.
0 wrong page numbers.
[...]

As we can see, the database is just fine at this level.

--------

There is another command that checks the "integrity" of the database. But first, Microsoft documentation states that before running the integrity command (below) we should run the "ntdsutil files recover" command. This commands "ensures all committed transactions [...] are reflected in the data file."

 Since we are still in "ntdsutil, files" , we can simply enter the command as follows:
 
file maintenance: recover
 
Initiating RECOVERY mode...
          Log files: C:\Windows\NTDS.
         System files: C:\Windows\NTDS.
Performing soft recovery...
Database recovery is successful.
 
It is recommended you run semantic database analysis
to ensure semantic database consistency as well.

 --------

So we have not yet run the integrity check and NTDSUTIL suggests yet another test. We'll look at that in a moment. For now, let's check database "integrity" - or consistency-  with the following command:

file maintenance: integrity
Doing Integrity Check for db: C:\Windows\NTDS\ntds.dit.
Checking database integrity.

                     Scanning  Status (% complete)
          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................

Integrity check successful.

It is recommended you run semantic database analysis
to ensure semantic database consistency as well.

----------


Some notes...
  • This test scans the entire ntds.dit file, the database as a whole, so, if it is large, it can take some time, possibly 2 GB / hour.
  • It looks for binary corruption at a "low level".
  • It may be the equivalent of eseutil /g in Exchange (?)
  • Once again, it is recommended to run the "semantic database analysis" command, so with no further ado, we'll do just that:

C:\Windows\system32\ntdsutil.exe: semantic database analysis
semantic checker: go
Fixup mode is turned off
......Done.


Writing summary into log file dsdit.dmp.0
SDs scanned:            123
Records scanned:       3806
Processing records..Done. Elapsed time 0 seconds.
 



--------

Yes, after we enter "semantic database analysis" we have to enter go at the "semantic checker" prompt. The reader may have noted that there is not much data to be analyzed. That is correct. This is a test domain controller with very few objects in the ntds.dit database.
 
If errors are indicated, we can attempt to repair them with the "go fixup" command. And yes, we would enter that exactly where we entered the "go" above.

***


Here ends my first blog post about the NTDSUTIL tool. In part 2, I'll look at some other uses of the tool: resetting the DSRM password, checking for duplicate SIDs and offline defragmentation.

Reference:

NTDSUTIL Files commands







7 comments:

  1. Thanks for sharing such a good information...

    http://www.couponsjn.com/bluehost-hosting-review/

    ReplyDelete
    Replies

    1. windows 10 product key , cheap windows keys , windows 10 pro product key sale , windows 10 pro activation key 2015 , windoes 7 key , windows xp home , visio premium product key , free windpws 7 professional activation key , ll7NhO

      windows server 2012 r2 buy

      office 2013 key sale

      cheap rosetta stone french

      Delete
  2. I'd love to share my experience with you, the product keys really are working so well, click here to get one: www.gankings.com.

    ReplyDelete
  3. Office 2016 Product Key (http://www.windows10keysale.com)


    I want to thank Office 2016 Product Key here, she has won my business and I'll be posting my experience to you and others.
    My old computer crashed days ago. I had to buy a new computer. It costed me much.
    My budget was not much. To purchase a Office 2016 Product Key from MS was not enough. Then I went to Tomshardware, and one guy recommended Office 2016 Product Key (http://www.windows10keysale.com) to me. Their price did attract me. So I decided to try after several emails to Office 2016 Product Key . She was very patient and answered clearly to all my questions. I receved the key immediately after I sent {price} bucks. It worked perfectly. I was very very satisfied.
    I'll be buying from Office 2016 Product Key (http://www.windows10keysale.com) from now on as well.

    Office 2016 Product Key (http://www.windows10keysale.com)

    ReplyDelete

  4. Windows 10 Key Sale Store (http://www.windows10keysale.com)

    Go the online store Windows 10 Key Sale Store (http://www.windows10keysale.com) . You even don't need to spend a lot of time but only need to place the order and finish the payment in several minutes. The product key will be sent to you via email in short time. Very efficient!

    Windows 10 Key Sale Store (http://www.windows10keysale.com)

    ReplyDelete

  5. activation key for window 7 ultimate 32 bit , windows 10 product key surface 3 , windows 10 key sale , office 2013 key sale , wholesale norton antivirus , windows 10 serial key crack , windows 10 home serial key , windows 10 product key trouble , l8dbiy

    buy office 2016 product key

    windows server 2012 r2 free

    rosetta stone french key sale

    ReplyDelete