You want to check the integrity and semantics of the DIT file to verify there is no corruption or bad entries.
First, reboot into Directory Services Restore Mode. Then run the following commands:
> ntdsutil files integrity q q
> ntdsutil "semantic database analysis" "verbose on" go
The Active Directory DIT file (ntds.dit) is implemented as a transactional database. Microsoft uses the ESE database (formerly called Jet) for Active Directory, which has been used for years in other products, such as Microsoft Exchange.
Since the Active Directory DIT ultimately is a database, it can
suffer from many of the same issues that traditional databases do.
The integrity command checks for any low-level database
corruption and ensures that the database headers are correct and the
tables are in a consistent state. It reads every byte of the database
and can take quite a while to complete depending on how large your
DIT file is. The time it takes is also greatly dependent on your
hardware, but some early estimates from Microsoft for Windows 2000
put the rate at 2 GB an hour.
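
The following script is an added example, not part of the original recipe: it confirms the machine is in Directory Services Restore Mode, estimates the integrity pass from the 2 GB an hour figure above, then runs both commands and keeps a transcript of each. It assumes PowerShell is available on the domain controller; the log folder C:\DitCheck is a hypothetical name, and the trailing "q q" on the second command is added so the script does not stop at the ntdsutil prompt.

```powershell
# Added example, not from the original text. Assumes PowerShell is installed on the DC.
$ErrorActionPreference = 'Stop'
$logDir = 'C:\DitCheck'   # hypothetical folder for the transcripts

# Windows sets SAFEBOOT_OPTION to DSREPAIR in Directory Services Restore Mode.
if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
    throw "Not booted into Directory Services Restore Mode; refusing to run."
}

# Read the DIT path from the NTDS service parameters instead of assuming a default.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ditPath = (Get-ItemProperty -Path $ntdsKey).'DSA Database file'
$dit     = Get-Item -LiteralPath $ditPath

# Rough planning figure only: size divided by the 2 GB/hour Windows 2000 estimate.
$sizeGB = [math]::Round($dit.Length / 1GB, 2)
$hours  = [math]::Round($sizeGB / 2, 1)
Write-Host "DIT: $ditPath, $sizeGB GB, integrity pass roughly $hours h at 2 GB/hour"

New-Item -ItemType Directory -Path $logDir -Force | Out-Null
Set-Location -Path $logDir   # any files ntdsutil writes to the current directory land here
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Step 1: low-level integrity check (reads every byte of the database).
$integrityLog = Join-Path $logDir "integrity-$stamp.log"
& ntdsutil files integrity q q | Tee-Object -FilePath $integrityLog
Write-Host "integrity finished, exit code $LASTEXITCODE, transcript: $integrityLog"

# Step 2: semantic analysis. The trailing "q q" is added so ntdsutil exits
# instead of waiting at its prompt when run from a script.
$semanticLog = Join-Path $logDir "semantic-$stamp.log"
& ntdsutil "semantic database analysis" "verbose on" go q q | Tee-Object -FilePath $semanticLog
Write-Host "semantic analysis finished, exit code $LASTEXITCODE, transcript: $semanticLog"
```

Read both transcripts for reported errors; the exit code is recorded for reference only.
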
Whereas the integrity command verifies the overall structure and health of the database,
the semantics command looks at the contents of the
database. It will verify, among other things, reference counts,
replication metadata, and security descriptors. If any errors are
reported back, you can run