semantic database analysis


Applies To: Windows Server 2003, Windows Server 2008, Windows Server 2003 R2, Windows Server 2012, Windows Server 2003 with SP1, Windows 8

Verifies the integrity of Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) database files with respect to Active Directory semantics. At the semantic checker: prompt, type any of the parameters that are listed under “Syntax.”

This is a subcommand of Ntdsutil and Dsdbutil. Ntdsutil and Dsdbutil are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2. Ntdsutil is available if you have the AD DS or AD LDS server role installed. Dsdbutil is available if you have the AD LDS server role installed. These tools are also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (

To use either of these tools, you must run them from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.


[get %d] [{go | go fixup}] [verbose %s] [{check quota | rebuild quota}]




check quota

Integrity-checks the quota-tracking table (object owner quotas). This command checks whether the quota table is correct by trying to open the quota-tracking table and getting column information for each predefined column name.

get %d

Retrieves record number %d from the Ntds.dit.


Starts the semantic analysis of the Ntds.dit or AD LDS instance with no fixup.

A report is generated and written to a file named Dsdit.dmp.n, in the current directory, where n is an integer that is incremented each time that you carry out the command.

go fixup

Starts the semantic checker with fixup.

verbose %s

Toggles verbose mode on or off.

rebuild quota

Forces asynchronous rebuild of the quota-tracking table.


A numeric variable, such as replication delay time periods.


Takes you back to the previous menu, or exits the utility.


Displays Help at the command prompt.


Displays Help at the command prompt.


  • Unlike the file management commands described earlier, which test the integrity of the database with respect to the ESENT database semantics, the semantic analysis analyzes the data with respect to Active Directory semantics. It generates reports on the number of records present, including deleted and phantom records.


    End users should not use this command except when Microsoft requests them to use it as an aid to fault diagnosis.

  • Before you can run the semantic database analysis subcommand, you need to set NTDS or an AD LDS instance as the active instance for Ntdsutil. For example, if the AD LDS instance that you want to restore is named instance1, type the following command at the ntdsutil: prompt before you run the authoritative restore subcommand:

    ac in instance1
  • You have to stop the AD DS or AD LDS service before you can run the semantic database analysis subcommand. To stop AD DS, click Start, click Server Manager. In the console tree, double-click Configuration, and then click Services. In the details pane, right-click Active Directory Domain Services, and then click Stop.

  • Ntdsutil does not correctly handle special characters, such as the apostrophe character ('), that you can enter at the ntdsutil: prompt at the command line. In some situations, there may be an alternative workaround. For more information, see local roles.


To turn on verbose mode logging, type the following command, and then press ENTER:

semantic checker: verbose on

To start the semantic analysis of the Ntds.dit with no fixup, type the following command, and then press ENTER:

semantic checker: go

Additional references

Command-Line Syntax Key



authoritative restore

configurable settings

DS behavior


group membership evaluation


LDAP policies

local roles

metadata cleanup

partition management


security account management

set DSRM password