Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 467 Source: NTDSISAM

NTDS (<pid>) NTDSA: Index <index> of table <table> is corrupted (0).
I was getting this event every 2 minutes on my SBS 2003 SP2 DC after power-loss shutdown. I restarted the server in AD recovery mode and I used the:

esentutl /p c:\windows\ntds\ntds.dit

command to resolve the problem.
I had multiple errors of "NTDS <PID> NTDSA: Index DRA_USN_index of table datatable is corrupted (0)." along with NTDS KCC event id 1435 "The Knowledge Consistency Checker (KCC) encountered an unexpected error while performing an Active Directory operation." in the directory service event logs, repeating every 15 minutes. I tried to integrity/compact/repair/recover using ntdsutil without luck - kept giving the error that the jet db was corrupt and could not continue. The SBS2003 server had no backups of an uncorrupted ntds database so the recover switch also failed.

In the end, I booted into "Directory Services Repair" mode, ran "ntdsutil files info" (without the quotation marks) to check the path for the ntds.dit file, then, using that info, ran

esentutl /p "<path>\ntds.dit"

The repair completed successfully and "ntdsutil files integrity" reported all good. I rebooted and my server was back online with Active Directory replicating properly.
From a support forum: "Error 467 issue occurs maybe because the Active Directory database engine manages the tuple index for the attribute incorrectly. Please try to install the ME2566592 hotfix package on all domain controllers of the forest. After you install the following hotfix package on all domain controllers, recover the database from the corrupted indexes.
See EV100405 (EventID 467 AD database corruption) for a discussion related to this event.
The database engine cannot update certain indexes in Active Directory. This database problem occurs because of the problems with the code pages and language locales that are used in the Lsass.exe system process. See ME902396 for a hotfix applicable to Microsoft Windows Server 2003.

See the link to "EventID 467 from source ESE" for information on this event.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.