EsentDatabaseDirtyShutdownException if ntds database needs repairing

[mrturtledev]

If ntdis.dit was retrieved by the vss method (from Server 2003 for example) the database will most likely need repairing before running NTDSAudit.

Although it might be out of scope for NTDSAudit to repair the database before use, the exception caused should be caught and handled appropriately. Possibly with guidance to the user on how to repair the ntds.dit file.

C:\Tools\Dionach>NtdsAudit.exe -v
NtdsAudit
2.0.0.0

NtdsAudit.exe ntds_needs_repair.dit

Unhandled Exception: Microsoft.Isam.Esent.Interop.EsentDatabaseDirtyShutdownException: Database was not shutdown cleanly. Recovery must first be run to properly complete database operations for the previous shutdown.
   at Microsoft.Isam.Esent.Interop.Api.Check(Int32 err)
   at Microsoft.Isam.Esent.Interop.Api.JetAttachDatabase(JET_SESID sesid, String database, AttachDatabaseGrbit grbit)
   at NtdsAudit.JetDb..ctor(String dbPath)
   at NtdsAudit.NtdsAudit..ctor(String ntdsPath, Boolean dumphashes, Boolean includeHistoryHashes, String systemHivePath, String wordlistPath)
   at NtdsAudit.Program.<>c__DisplayClass2_0.<Main>b__0()
   at Microsoft.Extensions.CommandLineUtils.CommandLineApplication.Execute(String[] args)
   at NtdsAudit.Program.Main(String[] args)

[h4knet]

I got the same issue.

[lecoredump]

Just in case someone happens on this issue, once copied outside the shadow copy, the following can be run (still from the DC where it was retrieved itself) :

1. Check if it was actually corrupted or if anything else is the issue

esentutl /g C:\Path\To\NTDS.dit

2. Actually attempt to repair the DB (some data loss may happen in this case)

esentutl /p C:\Path\To\NTDS.dit

Careful though, this can consume some resources depending on the domain size, so caution is warranted to prevent any issue on the DC.

Also, please don't attempt that on a live NTDS, only the one retrieved from the shadow copy.