I've been trying to get DSInternals working to perform some password auditing but have encountered this error and am unsure where to go from here.
I started by creating a Shadow copy of the C: drive on my DC which is running Server 2016 datacenter and copied the ntds.dit file from the shadow copy.
I then extracted the system hive from the DC using the command reg save HKLM\SYSTEM
I copied both files to my Windows 10 computer and ran the following:
$key = Get-Bootkey -SystemHiveFilePath C:\temp\sys
Get-ADDBAccount -All -BootKey $key -DBPath C:\Temp\ntds.dit
Which resulted in this error:
Get-ADDBAccount : There was a problem reading the database, which probably comes from a different OS. Try defragmenting it first by running the 'esentutl /d ntds.dit' command.
At line:1 char:1
I defragged the database as suggested and tried again with the same results. I have also attempted this on a system running server 2016 datacenter and another system running server 2022 but all attempts have resulted in the same error.
I saw a suggestion that the system hive should be exported from the same shadow copy as the ntds.dit file, so I tried that, but when I tried to use this as the bootkey it gave me an error that the registry database is corrupt:
PS C:\Windows\system32> $key = Get-Bootkey -SystemHiveFilePath C:\temp\SYSTEM
Get-Bootkey : The configuration registry database is corrupt
At line:1 char:8
Hello @Phancypants, you are describing 2 independent problems:
One is with the SYSTEM registry hive, for which you also need transactional log files when you copy it out from a shadow copy.
The other issue is with opening the AD database, for which you again need the corresponding transactional logs. And it really can only be opened on the same Windows build on which it was created, as Microsoft changes the database format with each Windows version.
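The collection procedure the reply implies, as an added example that is not from this thread or from the DSInternals project: both files and their transaction logs come from one shadow copy, the ESE logs are replayed so the copied ntds.dit reaches a clean shutdown state, and the DSInternals part runs on the same Windows build as the DC. The work folder C:\temp\audit, the link C:\shadow, and the assumption that Get-BootKey picks up SYSTEM.LOG1/.LOG2 from the hive's own folder are mine.

```powershell
# Added example, not from this thread or the DSInternals project. Run in an elevated
# PowerShell on the DC itself (or a host with the same Windows build, because the ESE
# database format changes between builds). Folder and link names are assumptions.
$work    = 'C:\temp\audit'
$link    = 'C:\shadow'
$ntdsDir = Join-Path $env:SystemRoot 'NTDS'
$cfgDir  = Join-Path $env:SystemRoot 'System32\config'
New-Item -ItemType Directory -Path "$work\ntds", "$work\hive" -Force | Out-Null

# 1. One shadow copy serves both files, so the hive and the database are consistent.
$vss       = vssadmin create shadow /for=C:
$shadowId  = ($vss | Select-String 'Shadow Copy ID:\s*(\{[^}]+\})').Matches[0].Groups[1].Value
$shadowDev = ($vss | Select-String 'Shadow Copy Volume Name:\s*(\S+)').Matches[0].Groups[1].Value
cmd /c mklink /d $link "$shadowDev\" | Out-Null
try {
    # Same paths as on the live volume, reached through the shadow-copy link (SystemRoot on C:).
    $sNtds = $link + $ntdsDir.Substring(2)
    $sCfg  = $link + $cfgDir.Substring(2)
    # 2. Database plus its ESE transaction logs (edb*.log) and checkpoint file.
    Copy-Item "$sNtds\ntds.dit", "$sNtds\edb*.log", "$sNtds\edb.chk" -Destination "$work\ntds"
    # 3. Hive plus its registry transaction logs, kept beside it under the same base name.
    Copy-Item "$sCfg\SYSTEM", "$sCfg\SYSTEM.LOG1", "$sCfg\SYSTEM.LOG2" -Destination "$work\hive"
} finally {
    cmd /c rmdir $link | Out-Null
    vssadmin delete shadows /shadow=$shadowId /quiet | Out-Null
}

# 4. Replay the logs so the database reaches a clean shutdown state. A copied ntds.dit is
#    otherwise in a dirty state, which is what produces the "problem reading the database"
#    error in the question; defragmenting alone does not fix that.
esentutl /r edb /l "$work\ntds" /s "$work\ntds" /d "$work\ntds" | Out-Null
$header = esentutl /mh "$work\ntds\ntds.dit"
if (-not ($header -match 'State:\s*Clean Shutdown')) {
    throw "ntds.dit was not recovered to a clean shutdown state; check the copied edb*.log files"
}

# 5. Open the database with DSInternals for the password audit. Assumption: Get-BootKey
#    reads SYSTEM.LOG1/.LOG2 from the hive's folder, which is why they were copied beside it.
Import-Module DSInternals
$key = Get-BootKey -SystemHiveFilePath "$work\hive\SYSTEM"
Get-ADDBAccount -All -BootKey $key -DatabasePath "$work\ntds\ntds.dit" |
    Test-PasswordQuality -IncludeDisabledAccounts
```

If the DSInternals steps must run on another machine, copy the recovered C:\temp\audit folder there only after step 4 succeeds, and make sure that machine is the same Windows build as the DC.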