Get-ADDBAccount : Currency not on a record #61

Open
limp15000 opened this issue Oct 3, 2018 · 17 comments
@limp15000

Hi,
Just tried your PS module with the ntds.dit file from a 2012 R2 DC.
The PS module is running on my Windows 10 1803 Enterprise.
Getting the following error:

```
Get-ADDBAccount : Currency not on a record
At line:1 char:1
+ Get-ADDBAccount -DBPath .\ntdsnew.dit -BootKey $key -all
    + CategoryInfo          : OpenError: (:) [Get-ADDBAccount], EsentNoCurrentRecordException
    + FullyQualifiedErrorId : DBContextError,DSInternals.PowerShell.Commands.GetADDBAccountCommand
```

If you need more information I'll gladly help.
Thanks
@MichaelGrafnetter
Owner

Hi @limp15000 , could you please share the stack trace of that exception? You can retrieve it using the following command:

```powershell
$Error[0].Exception.StackTrace
```

@limp15000
Author

Hi,
Sorry for the delay, I was out of office.

```
$Error[0].Exception.StackTrace
   at DSInternals.Common.Interop.RegistryHiveFileMapping.SetProcessPrivilege(String privilege, Boolean enabled)
   at DSInternals.Common.Interop.RegistryHiveFileMapping..ctor(String hiveFilePath)
   at DSInternals.DataStore.BootKeyRetriever.GetBootKey(String hiveFilePath)
   at DSInternals.PowerShell.Commands.GetBootKeyCommand.BeginProcessing()
```

Best regards,
Thomas

@MichaelGrafnetter
Owner

Hi @limp15000, this seems to be unrelated to the first error. It only says that Get-BootKey must be run under admin, as it needs to mount the registry hive.

@limp15000
Author

Oops, my bad... had just run the get-key command...
Here is the correct output:

```
System.Management.Automation.ParameterBinderBase.BindParameter(CommandParameterInternal parameter, CompiledCommandParameter parameterMetadata, ParameterBindingFlags flags)
   at System.Management.Automation.CmdletParameterBinderController.BindParameter(CommandParameterInternal argument, MergedCompiledCommandParameter parameter, ParameterBindingFlags flags)
   at System.Management.Automation.CmdletParameterBinderController.BindParameter(UInt32 parameterSets, CommandParameterInternal argument, MergedCompiledCommandParameter parameter, ParameterBindingFlags flags)
   at System.Management.Automation.CmdletParameterBinderController.BindParameters(UInt32 parameterSets, Collection`1 arguments)
   at System.Management.Automation.CmdletParameterBinderController.BindCommandLineParametersNoValidation(Collection`1 arguments)
   at System.Management.Automation.CmdletParameterBinderController.BindCommandLineParameters(Collection`1 arguments)
   at System.Management.Automation.CommandProcessor.BindCommandLineParameters()
   at System.Management.Automation.CommandProcessor.Prepare(IDictionary psDefaultParameterValues)
   at System.Management.Automation.CommandProcessorBase.DoPrepare(IDictionary psDefaultParameterValues)
   at System.Management.Automation.Internal.PipelineProcessor.Start(Boolean incomingStream)
   at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(Object input)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(Object input)
   at System.Management.Automation.PipelineOps.InvokePipeline(Object input, Boolean ignoreInput, CommandParameterInternal[][] pipeElements, CommandBaseAst[] pipeElementAsts, CommandRedirection[][] commandRedirections, FunctionContext funcContext)
   at System.Management.Automation.Interpreter.ActionCallInstruction`6.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
```

@MichaelGrafnetter
Owner

@limp15000 That still seems to be an unrelated exception. Please check the $Error variable for the exception with the "Currency not on a record" message (which should of course be "Currently...", but there is a bug in the MS library).

@limp15000
Author

limp15000 commented Oct 8, 2018

Sorry I realise I'm not very good at debugging powershell :P

```
Get-ADDBAccount : Currency not on a record
At line:1 char:1
+ Get-ADDBAccount -DBPath .\ntdsnew.dit -BootKey $key -all
    + CategoryInfo          : OpenError: (:) [Get-ADDBAccount], EsentNoCurrentRecordException
    + FullyQualifiedErrorId : DBContextError,DSInternals.PowerShell.Commands.GetADDBAccountCommand

Set-Location : A positional parameter cannot be found that accepts argument 'passwords'.
At line:1 char:1
+
    + CategoryInfo          : InvalidArgument: (:) [Set-Location], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.SetLocationCommand

   at Microsoft.Isam.Esent.Interop.Api.JetRetrieveColumn(JET_SESID sesid, JET_TABLEID tableid, JET_COLUMNID columnid, Byte[] data, Int32 dataSize, Int32 dataOffset, Int32& actualDataSize, RetrieveColumnGrbit grbit, JET_RETINFO retinfo)
   at Microsoft.Isam.Esent.Interop.Api.RetrieveColumn(JET_SESID sesid, JET_TABLEID tableid, JET_COLUMNID columnid, RetrieveColumnGrbit grbit, JET_RETINFO retinfo)
   at Microsoft.Database.Isam.ColumnAccessor.RetrieveColumn(JET_COLUMNID columnid, JET_coltyp coltyp, Boolean isAscii, Int32 index)
   at Microsoft.Database.Isam.ColumnAccessor.get_Item(Columnid columnid)
   at DSInternals.DataStore.CursorExtensions.RetrieveColumnAsInt(Cursor cursor, Columnid columnId)
   at DSInternals.DataStore.DirectorySchema.LoadColumnIdByAttributeName(Cursor cursor, String attributeName)
   at DSInternals.DataStore.DirectorySchema.LoadAttributeProperties(Cursor dataTableCursor)
   at DSInternals.DataStore.DirectorySchema..ctor(IsamDatabase database)
   at DSInternals.DataStore.DirectoryContext..ctor(String dbFilePath, Boolean readOnly, String logDirectoryPath)
   at DSInternals.PowerShell.Commands.ADDBCommandBase.BeginProcessing()
```

@joef12345

joef12345 commented Oct 31, 2018

I am receiving the same error; however, I am running Server 2016 build 2551. Not sure if it matters, but I extracted the NTDS.dit file by booting a domain controller's (actually tried 2 different DCs) Hyper-V replica to Windows PE, where I copied the ntds.dit file directly from the windows\ntds folder. I then dumped the system registry hive from the live DC. I then ran `esentutl /p .\ntds.dit /8 /o` to repair the file since the file was marked as not clean (happened on both DCs).

Also, the NTDS.dit file is rather large at 312 MB.

I received the errors below when I tried the Get-ADDBAccount command on the live DC, a test DC and a Windows 10 1803 workstation.

```
Get-ADDBAccount : Currency not on a record
At line:1 char:1
+ Get-ADDBAccount -All -DBPath 'c:\pwaudit\ntds.dit' -BootKey $key | Fo ...
    + CategoryInfo          : OpenError: (:) [Get-ADDBAccount], EsentNoCurrentRecordException
    + FullyQualifiedErrorId : DBContextError,DSInternals.PowerShell.Commands.GetADDBAccountCommand

PS C:\pwaudit> $Error[0].Exception.StackTrace
   at Microsoft.Isam.Esent.Interop.Api.JetRetrieveColumn(JET_SESID sesid, JET_TABLEID tableid, JET_COLUMNID columnid, Byte[] data, Int32 dataSize, Int32 dataOffset, Int32& actualDataSize, RetrieveColumnGrbit grbit, JET_RETINFO retinfo)
   at Microsoft.Isam.Esent.Interop.Api.RetrieveColumn(JET_SESID sesid, JET_TABLEID tableid, JET_COLUMNID columnid, RetrieveColumnGrbit grbit, JET_RETINFO retinfo)
   at Microsoft.Database.Isam.ColumnAccessor.RetrieveColumn(JET_COLUMNID columnid, JET_coltyp coltyp, Boolean isAscii, Int32 index)
   at Microsoft.Database.Isam.ColumnAccessor.get_Item(Columnid columnid)
   at DSInternals.DataStore.CursorExtensions.RetrieveColumnAsInt(Cursor cursor, Columnid columnId)
   at DSInternals.DataStore.DirectorySchema.LoadColumnIdByAttributeName(Cursor cursor, String attributeName)
   at DSInternals.DataStore.DirectorySchema.LoadAttributeProperties(Cursor dataTableCursor)
   at DSInternals.DataStore.DirectorySchema..ctor(IsamDatabase database)
   at DSInternals.DataStore.DirectoryContext..ctor(String dbFilePath, Boolean readOnly, String logDirectoryPath)
   at DSInternals.PowerShell.Commands.ADDBCommandBase.BeginProcessing()
```

@MichaelGrafnetter
Owner

Thanks @joef12345 and @limp15000 for testing. I have to admit that I have not tested DSInternals with the most recent builds of Windows Server 2016, nor 2019. Your error descriptions point to some changes in schema indexing. I wonder if you could share a test ntds.dit file with me (definitely not a production one!!!) to save me some time installing a new DC.

@joef12345

Thanks Michael! I actually just built a test 2016 DC the other day! I will run a test on that DC to make sure the problem is present and if so, I will send you the file.

Thanks again for all your help!!

@PrzemyslawKlys
Contributor

Just to say I use DSInternals on 2016 and it works fine. I use it in online mode though. English. Maybe language is the problem?

@MichaelGrafnetter
Owner

Thanks, @PrzemyslawKlys , for confirming that the online cmdlets work fine with 2016. The offline ones are trickier, as they leverage much more totally undocumented stuff.

@joef12345

Michael,

I tested the NTDS.DIT file from my test domain controller (Server 2016) and it worked so we can rule out a problem with the schema. I am going to power down a DC and capture the NTDS file when the machine is correctly powered down rather than pulling the file from a replica. Unfortunately I will have to do this after hours so I won't have the results until later today.

@MichaelGrafnetter
Owner

@joef12345 Thanks. Or you could create an IFM backup which uses Volume Shadow Copy on a running DC.
The bad thing is that if the problem persists, I probably won't be able to easily pinpoint the root cause on a DB with production data. I once performed complex debugging when I was allowed to connect remotely to a customer's VM with ntds.dit and Visual Studio deployed, using TeamViewer. But most companies would never agree to something like this, for many understandable reasons.
And don't worry, I am also working on DSInternals in my free time, so my responses are sometimes quite delayed.

@joef12345

Thanks Michael, I don't think I will be able to get permission to allow access to the live NTDS file. I am going to play around with the NTDS file and see if I can figure out what is going on and I will report back with my findings. Thanks again for all your hard work, it is greatly appreciated.

@PrzemyslawKlys
Contributor

PrzemyslawKlys commented Nov 1, 2018

I have a test vm with 2016. You can break it if you want? If it helps at all.

@joef12345

I took the replica server and booted into Windows with the network adapter disconnected, then properly shut down the machine, booted into PE and copied over the NTDS file. This time I did not receive any errors and it worked perfectly! I would have used the shadow copy trick, but I, for one, did not want to do anything to our live DC and, two, felt I would run into the same problem since the database would not be in a clean state. So we can confirm that everything still works in Server 2016 fully patched. Thanks again!!

@MichaelGrafnetter
Owner

Thanks @joef12345. So the DB was not in a clean state and the API did not detect it. Strange. It seems like a broken index then. I just wonder if you store transaction logs in the same directory as ntds.dit and if you copied them out together with ntds.dit before running DSInternals.
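
A pre-flight check for the situation discussed in this thread, as an added example that is not part of the original discussion or of DSInternals: it parses the header dump produced by `esentutl /mh` and flags an ntds.dit copy that was not shut down cleanly. The function name `Get-EseShutdownState` and the sample header lines are assumptions constructed for illustration; the check covers the header state only and does not validate indexes.

```powershell
# Added example (not DSInternals code): interpret `esentutl /mh` header output
# for an offline ntds.dit copy before handing the file to Get-ADDBAccount.
function Get-EseShutdownState {
    [CmdletBinding()]
    param(
        # Lines of text as printed by `esentutl.exe /mh <file>`
        [Parameter(Mandatory)][string[]] $HeaderText
    )
    $state = $null
    $logRequired = $null
    foreach ($line in $HeaderText) {
        if ($line -match '^\s*State:\s*(.+?)\s*$') { $state = $Matches[1] }
        elseif ($line -match '^\s*Log Required:\s*(\S+)') { $logRequired = $Matches[1] }
    }
    if (-not $state) { throw 'No "State:" line found; is this esentutl /mh output?' }
    [pscustomobject]@{
        State       = $state
        LogRequired = $logRequired
        IsClean     = ($state -eq 'Clean Shutdown')
    }
}

# Constructed sample of the relevant header lines (not captured from a real DC).
$sample = @(
    '            State: Dirty Shutdown'
    '     Log Required: 23-23 (0x17-0x17)'
)

$result = Get-EseShutdownState -HeaderText $sample
if (-not $result.IsClean) {
    Write-Warning ("Database state is '{0}' (logs required: {1}). Take a new copy from a " +
        "cleanly shut down DC or an IFM backup before running Get-ADDBAccount." -f
        $result.State, $result.LogRequired)
}

# Against a real file (the path is a placeholder):
# Get-EseShutdownState -HeaderText (esentutl.exe /mh 'C:\path\to\ntds.dit')
```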
