Scan AD for possible corruption?

Posted on 2004-11-04
Last Modified: 2006-11-17
I'm trying to find a util (if one exists) that can interrogate the AD database and tell me definitively if there is any corruption. If anybody is interested, here is the background to this....

I have recently returned from holiday. While I have been away on holiday one of our branch offices in another country had a problem where they could not logon to their child domain and a consultancy was called in. The consultants said that basically the link to the child domain (VPN) was bad and has corrupted AD. They have since recommended a huge amount of new kit and consultancy and in my absence there was nobody to ask difficult questions, management just went along with anything they said. Since arriving back to this nightmare I have used some utils and cannot find any problems with AD (ntdsutil, esentutl, Sunbelt AD Inspector, DNSLint, dcdiag, netdiag) and I cannot find a single problem with AD. The consultants insist we have to junk the whole domain and start again on the new servers they have supplied, and also want us to buy some Quest s/w to migrate to the new domain (around £20k / $36k). I am the lone voice here that is trying to at least slow what now feels like a supertanker down a bit. But the consultants are saying that AD could die at any time and we must do all of this immediately and this is what panicked the management into opening purse strings. Of course the consultants won't give me any specifics on what corruption there is and have no interest in pursuing this line, they have the ear of management and carte blanche to replace just about the entire network here on the back of this (even switching, adding lots of new security kit (which is of course nice), you name it - we are talking maybe £150k / $275k worth of sales on the back of this).

If anyone can help me determine for sure that AD is ok (or not of course) I'd be really grateful. I'll probably be crushed underfoot by this monster but I want to get to the truth.

Also if anyone can comment on the consultants central claim that AD could be corrupted by a 'dodgy' VPN link I'd be interested. I have other links like this in place that have never caused a problem and I don't really see how it could happen - surely AD runs some kind of checksum operation to ensure it only applies good changes?

Thanks in advance

Chris S
Question by:chrisstenson
    LVL 70

    Expert Comment

    by:Chris Dent

    First impressions: Oh my god

    I was going to suggest you use NTDSUtil to verify AD, but you already did.

    If you could describe some of the problems the branch is having, or more specifically errors on the Domain Controller, perhaps we could come up with an alternative conclusion?

    Basically, I don't agree with your consultants from what they've said there.

    Author Comment

    Thanks for the quick reply. Yes you can imagine the look on my face when I returned to this. The branch office server was removed and they now have a whole new setup completely separate at least for now. This was done while I was away. I have just got the original server back but haven't been able to interrogate the logs yet (has not been reconnected at all yet), will check logs asap and report back.
    LVL 20

    Accepted Solution

    Is the child domain the only site that is having problems?
    If the schema was affected and heaps of bad entries started appearing, or DNS got corrupted, then it's easy to see from ADSI, event logs or the tools you've already used. I would have suspected a number of other issues to have arisen should AD be corrupted as claimed.

    I've had a child domain fail authentication due to a local admin mucking around with some settings, then claiming he'd never touched it. Log files proved otherwise.
    I'd imagine that corrupt information could be passed back up to the Root domain, but I would have thought that it would have only affected that domain's application partition and should be visible with the tools you've used.

    I'd demand the consultancy displays what they believe is corruption and how it could destroy AD, before any further work is done or they touch another computer at your company. Documented proof with a clear explanation should be a must.
    Otherwise, they might as well claim your company should start wearing tin foil hats to protect them from the Evil Overlords (TM) reading their minds and stealing their ideas - and start charging you for protection ....
    Sorry can't offer anything more solid, but a consultant that just says it's corrupt and won't tell you why sounds very dodgy to me.  

    LVL 70

    Assisted Solution

    by:Chris Dent

    I agree completely with What90. Their claims are completely unsubstantiated, and that they also just happen to be supplying very very large amounts of equipment seems like a bit of a conflict of interest to me.

    It's difficult to come up with suggestions to correct such a problem when you've already extensively checked everything for faults.

    Most common causes of authentication failure are bad DNS entries - rarely anything more complicated than that.

    A bad VPN connection corrupting AD is, quite frankly, absolute rubbish.
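What90 asks for documented proof, and Chris Dent points at DNS as the usual culprit for a branch that cannot log on. The script below is an added example, not something posted in the original thread, that gathers exactly that evidence in one pass: the DC-locator SRV records, inbound replication state from repadmin, dcdiag failures, and the NTDS/ESE event IDs that genuinely accompany replication trouble or on-disk database damage. The domain name is a placeholder, and it assumes Server 2008 R2 or later with the RSAT AD tools, run as a Domain Admin. On the "checksum" question in the post: every page of the ntds.dit ESE database carries a checksum, and replicated changes are applied as transactions over authenticated RPC, so a lossy VPN makes replication fail or fall behind rather than write garbage; if real page corruption had occurred, the ESE events the script looks for would be in the Directory Service log.

```powershell
# Added example (not from the original thread): a read-only AD health sweep.
# Assumes: Server 2008 R2+ with RSAT AD DS tools, run as Domain Admin on a DC
# or domain-joined admin workstation. $Domain is a placeholder to replace.
param(
    [string]$Domain = 'corp.example'   # placeholder forest/domain DNS name
)

$report = [ordered]@{}

# 1. DNS: the SRV records clients and DCs use to locate a DC. Missing or
#    stale records here are the usual reason a branch "cannot log on".
$srv = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain",
    "_gc._tcp.$Domain"
)
$report.DnsSrv = foreach ($name in $srv) {
    try {
        $answers = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
            Where-Object { $_.QueryType -eq 'SRV' }
        [pscustomobject]@{ Record = $name; Targets = ($answers.NameTarget -join ','); Status = 'ok' }
    } catch {
        [pscustomobject]@{ Record = $name; Targets = ''; Status = "MISSING: $($_.Exception.Message)" }
    }
}

# 2. Replication: every inbound partner per naming context, with failure
#    counts and last success. A non-zero failure count, or a last success
#    older than a day, is a finding; a partner that only fails is not
#    "corruption", it is a link or DNS problem that stops replication.
$report.Replication = repadmin /showrepl * /csv | ConvertFrom-Csv |
    Select-Object 'Source DSA', 'Naming Context', 'Destination DSA',
                  'Number of Failures', 'Last Failure Status', 'Last Success Time'

# 3. DC diagnostics: connectivity, replication, FSMO roles, SYSVOL/NETLOGON,
#    and with /test:DNS the DNS infrastructure. /q prints only failures, so
#    empty output is the "no fault found" the question is asking for.
$report.Dcdiag    = dcdiag /c /q
$report.DcdiagDns = dcdiag /test:DNS /q

# 4. Event log: NTDS 1311 (KCC topology), 1864 and 2042 (partners not
#    replicated within tombstone lifetime); NTDS ISAM 467 (index corruption)
#    and 474 (database page failed its checksum). 467/474 are what real
#    on-disk damage looks like; none of them in 30 days is evidence.
$ids = 1311, 1864, 2042, 467, 474
$report.Events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = $ids
        StartTime = (Get-Date).AddDays(-30)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message

# Print the evidence. Note that the offline integrity checks the question
# mentions (ntdsutil "files integrity", esentutl /g on ntds.dit) need the
# database closed, i.e. Directory Services Restore Mode or a stopped NTDS
# service, so they are deliberately not run from here.
'--- DC locator SRV records ---'
$report.DnsSrv      | Format-Table -AutoSize
'--- Inbound replication (repadmin /showrepl) ---'
$report.Replication | Format-Table -AutoSize
'--- dcdiag failures (empty = clean) ---'
$report.Dcdiag + $report.DcdiagDns
'--- NTDS / NTDS ISAM events, last 30 days (empty = clean) ---'
$report.Events      | Format-Table -AutoSize
```

Run it from the root domain and again against the branch DC (repadmin and dcdiag accept a DC name, e.g. dcdiag /s:branchdc, if you want to target a specific server). The four sections together are the documented, reproducible answer to "show me the corruption": a clean run is something management can read, and a dirty run tells you which of DNS, replication or the database itself actually needs fixing.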

    Author Comment

    Sorry I didn't get back until now - I left that company in the end (and yes it was of my own volition!) So managed to escape having to wear the tinfoil hats being rolled out to all staff! Consultants took months to get everything moved over to new domain using Quest tools (they hadn't used them before to be fair...) Anyway I gather it's still a mess but my old domain is still alive and well. AD was supposed to only have a '60% chance of lasting a fortnight'...5 months ago....

    Chris S
    LVL 70

    Expert Comment

    by:Chris Dent

    lol congratulations on your escape. All the best with whatever comes next :)
