Scan AD for possible corruption?

Posted on 2004-11-04
Medium Priority
Last Modified: 2006-11-17
I'm trying to find a util (if one exists) that can interrogate the AD database and tell me definitively if there is any corruption. If anybody is interested, here is the background to this....

I have recently returned from holiday. While I have been away on holiday one of our branch offices in another country had a problem where they could not log on to their child domain and a consultancy was called in. The consultants said that basically the link to the child domain (VPN) was bad and has corrupted AD. They have since recommended a huge amount of new kit and consultancy and in my absence there was nobody to ask difficult questions, management just went along with anything they said. Since arriving back to this nightmare I have used some utils and cannot find any problems with AD (ntdsutil, esentutl, Sunbelt AD Inspector, DNSLint, dcdiag, netdiag) and I cannot find a single problem with AD. The consultants insist we have to junk the whole domain and start again on the new servers they have supplied, and also want us to buy some Quest s/w to migrate to the new domain (around £20k / $36k). I am the lone voice here that is trying to at least slow what now feels like a supertanker down a bit. But the consultants are saying that AD could die at any time and we must do all of this immediately and this is what panicked the management into opening purse strings. Of course the consultants won't give me any specifics on what corruption there is and have no interest in pursuing this line, they have the ear of management and carte blanche to replace just about the entire network here on the back of this (even switching, adding lots of new security kit (which is of course nice), you name it) - we are talking maybe £150k / $275k worth of sales on the back of this.

If anyone can help me determine for sure that AD is ok (or not of course) I'd be really grateful. I'll probably be crushed underfoot by this monster but I want to get to the truth.

Also if anyone can comment on the consultants' central claim that AD could be corrupted by a 'dodgy' VPN link I'd be interested. I have other links like this in place that have never caused a problem and I don't really see how it could happen - surely AD runs some kind of checksum operation to ensure it only applies good changes?

Thanks in advance

Chris S
Question by:chrisstenson
LVL 71

Expert Comment

by:Chris Dent
ID: 12493239

First impressions: Oh my god

I was going to suggest you use NTDSUtil to verify AD, but you already did.

If you could describe some of the problems the branch is having, or more specifically errors on the Domain Controller, perhaps we could come up with an alternative conclusion?

Basically, I don't agree with your consultants from what they've said there.

Author Comment

ID: 12493327
Thanks for the quick reply. Yes you can imagine the look on my face when I returned to this. The branch office server was removed and they now have a whole new setup completely separate at least for now. This was done while I was away. I have just got the original server back but haven't been able to interrogate the logs yet (has not been reconnected at all yet), will check logs asap and report back.
LVL 20

Accepted Solution

What90 earned 900 total points
ID: 12493390
Is the child domain the only site that is having problems?
If the schema was affected and heaps of bad entries started appearing, or DNS got corrupted then it is easy to see from ADSI, event logs or the tools you've already used. I would have suspected a number of other issues to have arisen should AD be corrupted as claimed.

I've had a child domain fail authentication due to a local admin mucking around with some settings, then claiming he'd never touched it. Log files proved otherwise.
I'd imagine that corrupt information could be passed back up to the Root domain, but I would have thought that it would have only affected that domain's application partition and should be visible with the tools you've used.

I'd demand the consultancy displays what they believe is corruption and how it could destroy AD, before any further work is done or they touch another computer at your company. Documented proof with a clear explanation should be a must.
Otherwise, they might as well claim your company should start wearing tin foil hats to protect them from the Evil Overlords (TM) reading their minds and stealing their ideas - and start charging you for protection ....
Sorry can't offer anything more solid, but a consultant that just says it's corrupt and won't tell you why sounds very dodgy to me.  

LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 600 total points
ID: 12493465

I agree completely with What90. Their claims are completely unsubstantiated, and that they also just happen to be supplying very very large amounts of equipment seems like a bit of a conflict of interests to me.

It's difficult to come up with suggestions to correct such a problem when you've already extensively checked everything for faults.

Most common causes of authentication failure are bad DNS entries - rarely anything more complicated than that.

A bad VPN connection corrupting AD is, quite frankly, absolute rubbish.

Author Comment

ID: 13651948
Sorry I didn't get back until now - I left that company in the end (and yes it was of my own volition!) So managed to escape having to wear the tinfoil hats being rolled out to all staff! Consultants took months to get everything moved over to new domain using Quest tools (they hadn't used them before to be fair...) Anyway I gather it's still a mess but my old domain is still alive and well. AD was supposed to only have a '60% chance of lasting a fortnight'...5 months ago....

Chris S
LVL 71

Expert Comment

by:Chris Dent
ID: 13651983

lol congratulations on your escape. All the best with whatever comes next :)
