Scan AD for possible corruption?
Posted on 2004-11-04
I'm trying to find a util (if one exists) that can interrogate the AD database and tell me definitively if there is any corruption. If anybody is interested, here is the background to this....
I have recently returned from holiday. While I have been away on holiday one of our branch offices in another country had a problem where they could not log on to their child domain and a consultancy was called in. The consultants said that basically the link to the child domain (VPN) was bad and has corrupted AD. They have since recommended a huge amount of new kit and consultancy and in my absence there was nobody to ask difficult questions; management just went along with anything they said. Since arriving back to this nightmare I have used some utils and cannot find any problems with AD (ntdsutil, esentutl, Sunbelt AD Inspector, DNSLint, dcdiag, netdiag) and I cannot find a single problem with AD. The consultants insist we have to junk the whole domain and start again on the new servers they have supplied, and also want us to buy some Quest s/w to migrate to the new domain (around £20k / $36k). I am the lone voice here that is trying to at least slow what now feels like a supertanker down a bit. But the consultants are saying that AD could die at any time and we must do all of this immediately and this is what panicked the management into opening purse strings. Of course the consultants won't give me any specifics on what corruption there is and have no interest in pursuing this line; they have the ear of management and carte blanche to replace just about the entire network here on the back of this (even switching, adding lots of new security kit (which is of course nice), you name it) - we are talking maybe £150k / $275k worth of sales on the back of this.
If anyone can help me determine for sure that AD is ok (or not of course) I'd be really grateful. I'll probably be crushed underfoot by this monster but I want to get to the truth.
Also, if anyone can comment on the consultants' central claim that AD could be corrupted by a 'dodgy' VPN link I'd be interested. I have other links like this in place that have never caused a problem and I don't really see how it could happen - surely AD runs some kind of checksum operation to ensure it only applies good changes?
Thanks in advance