Issue
ntdsx fails to parse NTDS.dit collected from a running Domain Controller with:
ERROR Failed: Domain object with PEK not found in datatable
The file is collected successfully via raw NTFS, but the database is in a "dirty" state because the DC was still running when it was copied.
Root Cause
Live NTDS.dit files have uncommitted transaction logs. The ESE database needs recovery (replaying the .log files) before the datatable can be read reliably. Without recovery, the PEK (Password Encryption Key) record, which is stored on the domain object, may exist only in a transaction log rather than in committed database pages, so a page-level scan of the datatable never sees it.
Fix Options
- Replay transaction logs — Apply the edb*.log files (collected alongside ntds.dit) to bring the database to a clean state before parsing. This is what esentutl /r does on Windows (esentutl /r edb /l <logdir> /s <sysdir> /d <dbdir>); it needs the edb.chk checkpoint and every log the header still references, with log signatures matching the database header, so collectx must grab those files together with the .dit.
- Implement ESE dirty page handling — Parse the database despite the dirty state by handling the edge cases in the datatable scan.
- Use impacket/secretsdump approach — The Python impacket library handles dirty NTDS databases successfully. Study their approach.
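Whichever option is chosen, ntdsx should decide up front whether a collected .dit is dirty instead of discovering it at "Pass 1". The following is an added example, not ntdsx or collectx code: it reads the ESE database header fields that matter (signature at 0x04, format version at 0x08, database state at 0x34, page size at 0xEC, the documented ESE/libesedb layout), flags anything other than a clean shutdown (state 3) as needing recovery, and checks whether the edb*.log files and edb.chk needed for replay were collected next to it. The header bytes, version value and file names in the demo are constructed for the example, not taken from a real DC.

```python
"""Check whether a collected ntds.dit needs ESE recovery (log replay) before parsing.

Added example, not part of ntdsx/collectx. Header offsets follow the public
ESE/libesedb database header layout; the sample bytes written by demo() are
constructed for this example.
"""
import struct
import tempfile
from pathlib import Path

ESE_SIGNATURE = 0x89ABCDEF  # little-endian magic at header offset 0x04
HEADER_LEN = 0x100
DB_STATES = {
    1: "just created",
    2: "dirty shutdown",   # what a raw-NTFS copy taken from a running DC looks like
    3: "clean shutdown",
    4: "being converted",
    5: "force detach",
}


def parse_ese_header(hdr: bytes) -> dict:
    """Decode the ESE header fields relevant to recovery.

    Offsets: 0x04 signature, 0x08 format version, 0x34 database state,
    0xEC page size. Other header fields are ignored here.
    """
    if len(hdr) < HEADER_LEN:
        raise ValueError("header too short: need at least %d bytes" % HEADER_LEN)
    signature, version = struct.unpack_from("<II", hdr, 0x04)
    if signature != ESE_SIGNATURE:
        raise ValueError("not an ESE database (signature %#x)" % signature)
    (state,) = struct.unpack_from("<I", hdr, 0x34)
    (page_size,) = struct.unpack_from("<I", hdr, 0xEC)
    return {
        "version": version,
        "state": state,
        "state_name": DB_STATES.get(state, "unknown(%d)" % state),
        "page_size": page_size,
        # Only a clean shutdown guarantees every datatable record (including
        # the PEK on the domain object) is committed to the .dit pages.
        "needs_recovery": state != 3,
    }


def recovery_plan(db_path, log_dir=None) -> dict:
    """Inspect an on-disk ntds.dit and the directory holding its logs; report
    whether replay is required and whether the files needed for it exist."""
    db_path = Path(db_path)
    log_dir = Path(log_dir) if log_dir else db_path.parent
    with open(db_path, "rb") as f:
        info = parse_ese_header(f.read(HEADER_LEN))
    names = [p.name for p in log_dir.iterdir() if p.is_file()]
    # NTFS is case-insensitive: do not miss EDB00001.LOG because of its case.
    logs = sorted(n for n in names
                  if n.lower().startswith("edb") and n.lower().endswith(".log"))
    info["logs"] = logs
    info["checkpoint"] = any(n.lower() == "edb.chk" for n in names)
    info["can_replay"] = info["needs_recovery"] and bool(logs)
    return info


def build_sample_header(state: int, page_size: int = 8192) -> bytes:
    """Constructed ESE header: zero-filled except for the fields we read.
    The version value 0x620 is illustrative, not read from a real file."""
    hdr = bytearray(HEADER_LEN)
    struct.pack_into("<II", hdr, 0x04, ESE_SIGNATURE, 0x620)
    struct.pack_into("<I", hdr, 0x34, state)
    struct.pack_into("<I", hdr, 0xEC, page_size)
    return bytes(hdr)


def demo(state: int = 2, with_logs: bool = True) -> dict:
    """Write a constructed ntds.dit (plus edb.log, EDB00001.LOG and edb.chk when
    with_logs is set) into a temp directory and run the check against it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ntds.dit").write_bytes(build_sample_header(state))
        if with_logs:
            for name in ("edb.log", "EDB00001.LOG", "edb.chk"):
                (root / name).write_bytes(b"\x00" * 16)
        return recovery_plan(root / "ntds.dit")


if __name__ == "__main__":
    plan = demo()
    print("state: %s (%d), page size %d" % (plan["state_name"], plan["state"], plan["page_size"]))
    if plan["needs_recovery"]:
        print("dirty database: replay %s before parsing" % (plan["logs"] or "<no logs collected>"))
```

Running this against the real collectx output before the datatable scan turns the "PEK not found" failure into an actionable message: dirty state with logs present means replay them (or hand the set to esentutl /r); dirty state with no logs means the collection is incomplete and no amount of datatable edge-case handling will recover a record that was never written to the .dit.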
Evidence
- ntdsx scan finds and pairs the files correctly
- Bootkey extraction from SYSTEM hive succeeds
- datatable opens (1326 columns mapped)
- Failure is at "Pass 1: Finding domain object and PEK" — the PEK isn't visible in the dirty datatable
Context
This will be the primary use case — collectx always collects NTDS from running DCs via raw NTFS. The fix must handle dirty databases as the default case.