{"id":1357,"date":"2025-11-23T14:34:31","date_gmt":"2025-11-23T13:34:31","guid":{"rendered":"https:\/\/blog.chrisse.se\/?p=1357"},"modified":"2025-11-23T14:44:38","modified_gmt":"2025-11-23T13:44:38","slug":"debugging-something-that-isnt-an-issue-in-a-ntds-dit","status":"publish","type":"post","link":"https:\/\/blog.chrisse.se\/?p=1357","title":{"rendered":"Debugging something that isn&#8217;t an issue in a ntds.dit"},"content":{"rendered":"\n<p>I tried to dump a NTDS.dit from a RODC with ESEDump &#8211; something I haven&#8217;t done in years and just stumbled up on the fact that i got NDNC&#8217;s (None-Domain Naming Contexts) appearing twice in &#8216;msDS-HasInstantiatedNCs&#8217; &#8211; ESEDump did work as expected but I started to question my self if my code walking the range in the &#8220;link_table&#8221; worked correctly.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"764\" height=\"238\" src=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/11\/image-8.png\" alt=\"\" class=\"wp-image-1358\" srcset=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/11\/image-8.png 764w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/11\/image-8-300x93.png 300w\" sizes=\"auto, (max-width: 706px) 89vw, (max-width: 767px) 82vw, 740px\" \/><\/figure>\n\n\n\n<p>I then thought that this must have something to do with the fact that this RODC is promoted from IFM. Let&#8217;s have a look on that attribute with repadmin.exe<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"76\" src=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/11\/image-9-1024x76.png\" alt=\"\" class=\"wp-image-1359\" srcset=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/11\/image-9-1024x76.png 1024w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/11\/image-9-300x22.png 300w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/11\/image-9-768x57.png 768w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/11\/image-9.png 1326w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/figure>\n\n\n\n<p>Yep, I but those are my two &#8216;duplicated&#8217; NDNCs &#8211; but why? I wrote two articles in the past about how IFM is working and did almost cover this but missed it in the first part as it solidly was focusing on Windows Server 2003 &#8211; it says:<br><br><strong>Sourcing NDNCs with Windows Server 2003 is only supported by Windows Server 2003 SP1 or later under the following conditions:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Both the DC your souring the IFM from must be running at least Windows Server 2003 SP1 or later and as well the machine intending to become a DC using the source IFM.<br><\/li>\n\n\n\n<li>The forest functional level (FFL) has to be: Windows Server 2003 (Pre-Windows Server 2003 FFL adding replicas to NCs has to be done on the Domain Naming Master \u2013 FSMO)<br>Note: The promotion completes with the sourced IFM even if the forest functional level (FFL) is less than Windows Server 2003 but NDNCs aren\u2019t sourced from the IFM and the following will happen:<\/li>\n<\/ul>\n\n\n\n<p>The DomainDNSZones and ForestDNSZones are begin replicated in again over the wire using normal replication, as the promoted DC (Sourced from IFM) hosts the DNS Service<\/p>\n\n\n\n<p><strong>I forgot to mention that it&#8217;s not supported to keep any NDNCs in the DIT for the Red-Only Domain Controller IFM case &#8211; those get wacked and replicated back in again<\/strong>.<\/p>\n\n\n\n<p>Link to the article <a href=\"https:\/\/blog.chrisse.se\/?p=73\">How install from media (IFM) really works (Part 1) \u2013 Christoffer Andersson<\/a><\/p>\n\n\n\n<p>The solution here if I really only want to get PRESENT links would be to change incides over the &#8220;link_table&#8221; to the &#8220;present&#8221; ones depending on fwd o back links, the Recycle-Bin was not enabled in this environment. <\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">C#<\/span><span role=\"button\" tabindex=\"0\" style=\"color:#24292eff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>EseHelper.JetSetCurrentIndex(sesid, tableid, \/*\"link_index\"*\/ \"link_present_index\")\nEseHelper.JetSetCurrentIndex(sesid, tableid, \/*\"backlink_index\"*\/ \"backlink_present_index\")<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki min-light\" style=\"background-color: #ffffff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #1976D2\">EseHelper<\/span><span style=\"color: #24292EFF\">.<\/span><span style=\"color: #6F42C1\">JetSetCurrentIndex<\/span><span style=\"color: #24292EFF\">(sesid<\/span><span style=\"color: #212121\">,<\/span><span style=\"color: #24292EFF\"> tableid<\/span><span style=\"color: #212121\">,<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #C2C3C5\">\/*&quot;link_index&quot;*\/<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&quot;link_present_index&quot;<\/span><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #1976D2\">EseHelper<\/span><span style=\"color: #24292EFF\">.<\/span><span style=\"color: #6F42C1\">JetSetCurrentIndex<\/span><span style=\"color: #24292EFF\">(sesid<\/span><span style=\"color: #212121\">,<\/span><span style=\"color: #24292EFF\"> tableid<\/span><span style=\"color: #212121\">,<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #C2C3C5\">\/*&quot;backlink_index&quot;*\/<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&quot;backlink_present_index&quot;<\/span><span style=\"color: #24292EFF\">)<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"796\" height=\"185\" src=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/11\/image-10.png\" alt=\"\" class=\"wp-image-1361\" srcset=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/11\/image-10.png 796w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/11\/image-10-300x70.png 300w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/11\/image-10-768x178.png 768w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>I tried to dump a NTDS.dit from a RODC with ESEDump &#8211; something I haven&#8217;t done in years and just stumbled up on the fact that i got NDNC&#8217;s (None-Domain Naming Contexts) appearing twice in &#8216;msDS-HasInstantiatedNCs&#8217; &#8211; ESEDump did work as expected but I started to question my self if my code walking the range &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/blog.chrisse.se\/?p=1357\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Debugging something that isn&#8217;t an issue in a ntds.dit&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[41],"tags":[6,14,16],"class_list":["post-1357","post","type-post","status-publish","format-standard","hentry","category-active-directory","tag-active-directory","tag-extensible-storage-engine-ese","tag-ntds-dit"],"_links":{"self":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts\/1357","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1357"}],"version-history":[{"count":3,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts\/1357\/revisions"}],"predecessor-version":[{"id":1363,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts\/1357\/revisions\/1363"}],"wp:attachment":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1357"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1357"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1357"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}