Scan AD for possible corruption?

I'm trying to find a util (if one exists) that can interrogate the AD database and tell me definitively if there is any corruption. If anybody is interested, here is the background to this....

I have recently returned from holiday. While I have been away on holiday one of our branch offices in another country had a problem where they could not logon to their child domain and a consultancy was called in. The consultants said that basically the link to the child domain (VPN) was bad and has corrupted AD. They have since recommended a huge amount of new kit and consultancy and in my absence there was nobody to ask difficult questions, management just went along with anything they said. Since arriving back to this nightmare I have used some utils and cannot find any problems with AD (ntdsutil, esentutl, Sunbelt AD Inspector, DNSLint, dcdiag, netdiag) and I cannot find a single problem with AD. The consultants insist we have to junk the whole domain and start again on the new servers they have supplied, and also want us to buy some Quest s/w to migrate to the new domain (around £20k / $36k). I am the lone voice here that is trying to at least slow what now feels like a supertanker down a bit. But the consultants are saying that AD could die at any time and we must do all of this immediately and this is what panicked the management into opening purse strings. Of course the consultants won't give me any specifics on what corruption there is and have no interest in pursuing this line, they have the ear of management and carte blanche to replace just about the entire network here on the back of this (even switching, adding lots of new security kit (which is of course nice), you name it - we are talking maybe £150k / $275k worth of sales on the back of this).

If anyone can help me determine for sure that AD is ok (or not of course) I'd be really grateful. I'll probably be crushed underfoot by this monster but I want to get to the truth.

Also if anyone can comment on the consultants central claim that AD could be corrupted by a 'dodgy' VPN link I'd be interested. I have other links like this in place that have never caused a problem and I don't really see how it could happen - surely AD runs some kind of checksum operation to ensure it only applies good changes?

Thanks in advance

Chris S

Chris Dent (PowerShell Developer) commented:

First impressions: Oh my god

I was going to suggest you use NTDSUtil to verify AD, but you already did.

If you could describe some of the problems the branch is having, or more specifically errors on the Domain Controller, perhaps we could come up with an alternative conclusion?

Basically, I don't agree with your consultants from what they've said there.
chrisstenson (Author) commented:

Thanks for the quick reply. Yes you can imagine the look on my face when I returned to this. The branch office server was removed and they now have a whole new setup completely separate at least for now. This was done while I was away. I have just got the original server back but haven't been able to interrogate the logs yet (has not been reconnected at all yet), will check logs asap and report back.
What90 commented:

Is the child domain the only site that is having problems?

If the schema was affected and heaps of bad entries started appearing, or DNS got corrupted, then it is easy to see from ADSI, event logs or the tools you've already used. I would have suspected a number of other issues to have arisen should AD be corrupted as claimed.

I've had a child domain fail authentication due to a local admin mucking around with some settings, then claiming he'd never touched it. Log files proved otherwise.

I'd imagine that corrupt information could be passed back up to the Root domain, but I would have thought that it would have only affected that domain's application partition and should be visible with the tools you've used.

I'd demand the consultancy displays what they believe is corruption and how it could destroy AD, before any further work is done or they touch another computer at your company. Documented proof with a clear explanation should be a must.

Otherwise, they might as well claim your company should start wearing tin foil hats to protect them from the Evil Overlords (TM) reading their minds and stealing their ideas - and start charging you for protection ....

Sorry can't offer anything more solid, but a consultant that just says it's corrupt and won't tell you why sounds very dodgy to me.



Chris Dent (PowerShell Developer) commented:

I agree completely with What90. Their claims are completely unsubstantiated, and that they also just happen to be supplying very very large amounts of equipment seems like a bit of a conflict of interests to me.

It's difficult to come up with suggestions to correct such a problem when you've already extensively checked everything for faults.

Most common causes of authentication failure are bad DNS entries - rarely anything more complicated than that.

A bad VPN connection corrupting AD is, quite frankly, absolute rubbish.
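The two comments above boil down to one demand: show the evidence. Added here as an example (not code from the thread or from any of its participants) is a PowerShell triage script that collects exactly the kind of evidence a consultant should be able to point at: the SRV records logon depends on, per-partner replication status from repadmin, Directory Service error events, and the relevant dcdiag tests. It assumes a domain-joined Windows host with the RSAT tools (repadmin, dcdiag) and the DnsClient module available; the `$Domain` value is a placeholder, and the 14-day event window is an arbitrary choice.

```powershell
# Added example, not from the thread: evidence-based AD health triage.
# Assumes: run on a domain-joined Windows host with RSAT (repadmin, dcdiag)
# and the DnsClient module. $Domain is a placeholder; substitute your own domain.
param(
    [string]$Domain = 'child.example.com'   # placeholder, not a domain from the thread
)

$report = [ordered]@{}

# 1. DNS: logon depends on the _ldap and _kerberos SRV records for the domain.
#    A missing or stale record here is the usual cause of "can't log on",
#    not database corruption.
$srvNames = @("_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain")
$report.Dns = foreach ($name in $srvNames) {
    try {
        $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        [pscustomobject]@{ Record = $name; Targets = ($records.NameTarget -join ', '); Status = 'OK' }
    } catch {
        [pscustomobject]@{ Record = $name; Targets = ''; Status = "FAIL: $($_.Exception.Message)" }
    }
}

# 2. Replication: repadmin's CSV output lists every inbound partner per naming context.
#    Persistent failures point at connectivity (a flaky VPN stalls replication);
#    they are not evidence that the database itself is damaged.
$csv = repadmin /showrepl * /csv | ConvertFrom-Csv
$report.Replication = $csv | ForEach-Object {
    [pscustomobject]@{
        Destination = $_.'Destination DSA'
        Source      = $_.'Source DSA'
        Partition   = $_.'Naming Context'
        Failures    = [int]$_.'Number of Failures'
        LastSuccess = $_.'Last Success Time'
        LastStatus  = $_.'Last Failure Status'
    }
} | Sort-Object Failures -Descending

# 3. Event logs: database-level problems surface as Critical/Error events in the
#    Directory Service log (the ESE/NTDS database providers), so look for actual evidence.
$since = (Get-Date).AddDays(-14)   # arbitrary window
$report.DsErrors = Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Level     = 1, 2           # 1 = Critical, 2 = Error
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Group-Object ProviderName, Id |
    Select-Object Count, Name |
    Sort-Object Count -Descending

# 4. dcdiag's DNS, replication and advertising tests, captured so the output
#    can be attached to a written report.
$report.DcDiag = dcdiag /test:DNS /test:Replications /test:Advertising 2>&1

# Summary: a non-empty DsErrors list or any partner with Failures > 0 is the
# kind of documented proof to ask the consultancy for (or to show is absent).
"== SRV records =="
$report.Dns | Format-Table -AutoSize
"== Replication partners with failures =="
$report.Replication | Where-Object { $_.Failures -gt 0 } | Format-Table -AutoSize
"== Directory Service errors since $since =="
$report.DsErrors | Format-Table -AutoSize
"== dcdiag =="
$report.DcDiag | Where-Object { $_ -match 'failed|passed' }
```

Run it as a script (`.\Get-AdEvidence.ps1 -Domain yourdomain.tld`, name assumed) from a host that can reach the domain controllers. The point of keeping the four checks together is that an empty error list, clean replication and healthy SRV records answer the "60% chance of lasting a fortnight" claim with data rather than opinion, while a VPN outage shows up precisely where it should: as replication failures with timestamps, not as database errors.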
chrisstenson (Author) commented:

Sorry I didn't get back until now - I left that company in the end (and yes it was of my own volition!) So managed to escape having to wear the tinfoil hats being rolled out to all staff! Consultants took months to get everything moved over to new domain using Quest tools (they hadn't used them before to be fair...) Anyway I gather it's still a mess but my old domain is still alive and well. AD was supposed to only have a '60% chance of lasting a fortnight'...5 months ago....

Chris S
Chris Dent (PowerShell Developer) commented:

lol congratulations on your escape. All the best with whatever comes next :)