Tag Archives: ntds

Integrity check to Detect Low Level Active Directory Database Corruption

Active Directory maintains a multi-master database. like any other database there can be data corruptions, crashes, data lost etc. In my entire career, I still did not come across with a situation that a full database recovery is required in production environment. The reason is AD DS database is keep replicating to other available Domain Controllers and it is very rare that all the available Domain Controllers crash in same time and loose data.

By running integrity check, we can identify binary level AD database corruption. This comes as part of the Ntdsutil tool which use for Active Directory database maintenance. This go through every byte of the database file. The integrity command also checks if correct headers exist in the database itself and if all of the tables are functioning and consistent. This process also run as part of Active Directory Service Restore Mode (DRSM).

This check need to run with NTDS service off. 

In order to run integrity check,

1) Log in to Domain Controller as Domain/Enterprise Administrator
2) Open PowerShell as Administrator
3) Stop NTDS service using net stop ntds
4) Type 
 
ntdsutil
activate instance ntds
files
integrity
 
ntds1
 
5) In order to exit from the utility type, quit.
6) it is also recommended to run Semantic database analysis to confirm the consistency of active directory database contents. 
7) In order to do it, 
 
ntdsutil
activate instance ntds
semantic database analysis
go
 
ntds2
 
8) If its detected any integrity issues can type go fixup to fix the errors. 
9) After process is completed, type net start ntds to start the ntds service.
 
This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

How to move active directory database to new location?

When we installing active directory it gives an option to select the folder path to copy the active directory database files (NTDS Folder). My advice is always to use a separate partition in server to keep this instead default C:\Windows\NTDS\ folder path. But I know most of the time during the installation people used to pay less attention for this option. But what happen if you face a situation where you need to move the active directory database to different location? For an example due to running out of disk space in drive? Can we really do that?

Yes it is, we can move it to a different location with help of ntdsutil.exe. Let’s see in details how we can do it.

For my demo I am using a DC which holds its AD database files in default C:\Windows\NTDS\ folder. I need to move it to my new disk I added to the server. So new path I need to move it is E:\ADDB

Before we start this task we need to stop the active directory domain services. So make sure you aware of the impact it will make on network operations by stopping it.

1)    Log in to the primary domain controller as domain or enterprise administrator.
2)    Server Manager > Tools > Services

mvdb1

3)    Once mmc loaded right click on “Active Directory Domain Services” and click stop

mvdb2

4)    Then it will ask if it’s okay to stop associated services. Click “yes” to continue.

mvdb3

Once services are stopped we can go ahead with the database move.

1)    Right click on start button and click on “Command Prompt (Admin)

mvdb4

2)    Once command prompt load up type ntdsutil and press enter

mvdb5

3)    Then type “activate instance ntds” and press enter
4)    Then type “files” and enter

mvdb6

5)    In the files maintenance we need to specify the command to move the db. So in my demo I need to move it to E:\ADDB so the command will be move db to E:\ADDB. If you using space in folder path make sure you put the folder path inside double colon(“”). Once it execute it will move the db file and give an output as following.

mvdb7

6)    As you can see it move the database files successfully. But the logs are still in NTDS folder. To move the logs type move logs to E:\ADDB

mvdb8

7)    Now it’s moved logs and database successfully to the new location.

mvdb9

8)    Now it’s time to start the Active directory domain services again. Please go to services.mmc and start the service we stopped at the beginning of this step

This completes the process of moving AD DB and its logs. If you have any questions feel free to contact me on rebeladm@live.com