chrisstenson
asked on
Scan AD for possible corruption?
I'm trying to find a util (if one exists) that can interrogate the AD database and tell me definitively if there is any corruption. If anybody is interested, here is the background to this....
I have recently returned from holiday. While I have been away on holiday one of our branch offices in another country had a problem where they could not logon to their child domain and a consultancy was called in. The consultants said that basically the link to the child domain (VPN) was bad and has corrupted AD. They have since recommened a huge amount of new kit and consultancy and in my adsence there was nobody to ask difficult questions, management just went along with anything they said. Since arriving back to this nightmare I have used some utils and cannot find any problems with AD (ntdsutil, esentutl, Sunbelt AD Inspector, DNSLint, dcdiag, netdiag) and I cannot find a single problem with AD. The consultants inisist we have to junk the whole domain and start again on the new servers they have supplied, and also want us to buy some Quest s/w to migrate to the new domain (around £20k / $36k). I am the lone voice here that is trying to at least slow what now feels like a supertanker down a bit. But the consultants are saying that AD could die at any time and we must do all of this immediately and this is what panicked the management into opening purse strings. Of course the consultants won't give me any specifics on what corruption there is and have no interest in pursuing this line, they have the ear of management and carte blanche to replace just about the entire network here on the back of this (even switching, adding lots of new security kit (which is of course nice), you name it - we are talking maybe £150k / $275k worth of sales on the back of this.
If anyone can help me determine for sure that AD is ok (or not of course) I'd be really grateful. I'll probably be crushed underfoot by this monster but I want to get to the truth.
Also if anyone can comment on the consultants central claim that AD could be corrupted by a 'dodgy' VPN link I'd be interested. I have other links like this in place that have never caused a problem and I don't really see how it could happen - surely AD runs some kind of checksum operation to ensure it only applies good changes?
Thanks in advance
Chris S
I have recently returned from holiday. While I have been away on holiday one of our branch offices in another country had a problem where they could not logon to their child domain and a consultancy was called in. The consultants said that basically the link to the child domain (VPN) was bad and has corrupted AD. They have since recommened a huge amount of new kit and consultancy and in my adsence there was nobody to ask difficult questions, management just went along with anything they said. Since arriving back to this nightmare I have used some utils and cannot find any problems with AD (ntdsutil, esentutl, Sunbelt AD Inspector, DNSLint, dcdiag, netdiag) and I cannot find a single problem with AD. The consultants inisist we have to junk the whole domain and start again on the new servers they have supplied, and also want us to buy some Quest s/w to migrate to the new domain (around £20k / $36k). I am the lone voice here that is trying to at least slow what now feels like a supertanker down a bit. But the consultants are saying that AD could die at any time and we must do all of this immediately and this is what panicked the management into opening purse strings. Of course the consultants won't give me any specifics on what corruption there is and have no interest in pursuing this line, they have the ear of management and carte blanche to replace just about the entire network here on the back of this (even switching, adding lots of new security kit (which is of course nice), you name it - we are talking maybe £150k / $275k worth of sales on the back of this.
If anyone can help me determine for sure that AD is ok (or not of course) I'd be really grateful. I'll probably be crushed underfoot by this monster but I want to get to the truth.
Also if anyone can comment on the consultants central claim that AD could be corrupted by a 'dodgy' VPN link I'd be interested. I have other links like this in place that have never caused a problem and I don't really see how it could happen - surely AD runs some kind of checksum operation to ensure it only applies good changes?
Thanks in advance
Chris S
ASKER
Thanks for the quick reply. Yes you can imagine the look on my face when I returned to this. The branch office server was removed and they now have a whole new setup completely seperate at least for now. This was done while I was away. I have just got the original server back but haven't been able to interrogate the logs yet (has not been reconnected at all yet), will check logs asap and report back.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Sorry I didn't get back until now - I left that company in the end (and yes it was of my own volition!) So managed to escape having to wear the tinfoil hats being rolled out to all staff! Consultants took months to get everything moved over to new domain using Quest tools (they hadn't used them before to be fair...) Anyway I gather it's still a mess but my old domain is still alive and well. AD was supposed to only have a '60% chance of lasting a fortnight'...5 months ago....
Chris S
Chris S
lol congratulations on your escape. All the best with whatever comes next :)
First impressions: Oh my god
I was going to suggest you use NTDSUtil to verify AD, but you already did.
If you could describe some of the problems the branch is having, or more specifically errors on the Domain Controller, perhaps we could come up with an alternative conclusion?
Basically, I don't agree with your consultants from what they've said there.