Microsoft small business knowledge base

Article ID: 886689 - Last Review: February 28, 2007 - Revision: 2.4

SYMPTOMS

When you use the Ntdsutil.exe command-line utility to perform an authoritative restore on a distinguished name (also known as DN) path, the operation is not successful. This problem occurs if the distinguished name path contains one or more extended characters. Ntdsutil cannot locate that path in the database of the Active Directory directory service. Therefore, the version numbers are not incremented on the appropriate objects by Ntdsutil. This problem occurs when you use Ntdsutil in Microsoft Windows Server 2003 or in Microsoft Windows 2000.

Moreover, regardless of whether the correct syntax is used to authoritatively restore distinguished name paths that contain extended characters, the Ntdsutil output echoes different characters in the distinguished name path in the message that it returns. For example, if you try to perform an authoritative restore against a distinguished name path that contains the letter "u" with an umlaut, Ntdsutil may return a message where the "u" with an umlaut is shown as an "e" with an acute accent. The following sample output from Ntdsutil illustrates the problem.

Note: In this sample output, the extended characters are described in parentheses following the extended characters, instead of being shown as they appear in the output.
C:\>ntdsutil.exe
ntdsutil.exe: authoritative restore
authoritative restore: restore object OU=testContu,DC=contoso,DC=com (where the "u" in "Contu" contains an umlaut)

Opening DIT database... Done.

The current time is MM-DD-YY HH:MM.SS.
Most recent database update occurred at MM-DD-YY HH:MM.SS.
Increasing attribute version numbers by 100000.

Counting records that need updating...
Records found: 0000000000
Could not find the object with the given DN: failed on component
"OU=testConte (where the trailing "e" in "testConte" contains an acute accent)

Authoritative Restore failed.
ntdsutil.exe: quit
In this sample output, the administrator requested that Ntdsutil perform an authoritative restore on the distinguished name path "OU=testContu,DC=contoso,DC=com," where the "u" in "Contu" contains an umlaut. However, Ntdsutil tried to authoritatively restore a different distinguished name path, "OU=testConte,DC=contoso,DC=com," where the trailing "e" in "testConte" contains an acute accent.

CAUSE

This problem may occur if the Ntdsutil Authoritative Restore command does not correctly convert extended characters in distinguished name paths to the equivalent Unicode characters. In these cases, Ntdsutil tries to authoritatively restore a distinguished name path that is different from the one that you typed. Typically, this alternative path does not exist. Therefore, the authoritative restore operation fails.

The incorrect conversion of extended characters in Ntdsutil applies not only to diacritical marks (accent marks) but also to whole character sets in the Greek, Korean, Cyrillic, and Asian writing systems.

WORKAROUND

To work around this problem, wrap distinguished name paths that contain extended characters and spaces with backslash-double-quotation-mark escape sequences. For example, the following output shows the Ntdsutil Authoritative Restore command and the messages that the operation returns:
C:\>ntdsutil "aut res" "res obj \"OU=testCont<extended character>,DC=Contoso,DC=com\"" "q" "q"

authoritative restore: res obj "CN=testCont<extended character>,DC=nttest,DC=Contoso,DC=com"

Opening DIT database... Done.

The current time is MM-DD-YY HH:MM.SS.
Most recent database update occurred at MM-DD-YY HH:MM.SS
Increasing attribute version numbers by 100000.

Counting records that need updating...
Records found: 0000000001
Done.

Found 1 records to update.
Updating records...
Records remaining: 0000000000
Done.

Successfully updated 1 records.

Authoritative Restore completed successfully.

authoritative restore: q

ntdsutil: q
Notes
  • Ntdsutil will not correctly echo the extended characters in the distinguished name path that you are trying to authoritatively restore, even when the Authoritative Restore command contains the escape sequences. However, the authoritative restore operation will succeed.
  • The problem that this article describes only occurs when you manually type each command at the Ntdsutil command prompt. If you batch Ntdsutil command-line arguments together as a single command string, the authoritative restore operation will work without an escape sequence because Ntdsutil uses a different, Unicode-aware parser.
  • In Windows 2000, Ntdsutil does not have the restore object command. To restore both the container and the leaf objects, use the restore subtree command.
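
Because Ntdsutil echoes the wrong characters whether or not the restore works, the outcome has to be read from the status lines rather than from the echoed distinguished name. The following check is an added example, not part of the Microsoft article or of Ntdsutil; it assumes the Ntdsutil output was captured to text, the function names are hypothetical, and both transcripts are constructed from the sample output above.

```python
import re

# Constructed transcripts modelled on the sample output above (not real captures).
REQUESTED = "OU=testCont\u00fc,DC=contoso,DC=com"  # "u" with an umlaut
FAILED = """Counting records that need updating...
Records found: 0000000000
Could not find the object with the given DN: failed on component
"OU=testCont\u00e9
Authoritative Restore failed.
"""
SUCCEEDED = """authoritative restore: res obj "OU=testCont\u00e9,DC=contoso,DC=com"
Records found: 0000000001
Successfully updated 1 records.
Authoritative Restore completed successfully.
"""

def has_extended_chars(dn):
    """True if the DN contains any character outside 7-bit ASCII."""
    return any(ord(ch) > 0x7F for ch in dn)

def check_restore(requested_dn, transcript):
    """Classify a captured authoritative-restore transcript by its status lines."""
    found = re.search(r"Records found:\s*(\d+)", transcript)
    updated = re.search(r"Successfully updated (\d+) records", transcript)
    failed_on = re.search(r'failed on component\s*"?([^"\r\n]+)', transcript)
    result = {
        # The echoed DN is unreliable even on success, so it is never consulted here.
        "succeeded": "Authoritative Restore completed successfully" in transcript,
        "records_found": int(found.group(1)) if found else None,
        "records_updated": int(updated.group(1)) if updated else 0,
        "failed_component": failed_on.group(1).strip() if failed_on else None,
        "likely_misconversion": False,
    }
    component = result["failed_component"]
    if component and has_extended_chars(requested_dn):
        # A component that is not a literal part of the typed DN means Ntdsutil
        # searched for a different path than the one requested.
        result["likely_misconversion"] = component.lower() not in requested_dn.lower()
    return result

if __name__ == "__main__":
    for name, text in (("failed", FAILED), ("succeeded", SUCCEEDED)):
        print(name, check_restore(REQUESTED, text))
```

A failure flagged as a likely misconversion is the case the workaround addresses; a failure where the component does appear in the requested path points to an object that is not in the database.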

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
889100 (http://support.microsoft.com/kb/889100/) How to obtain the latest service pack for Windows Server 2003

STATUS

Microsoft has confirmed that this is a bug in the Microsoft products that are listed in the "Applies to" section.

REFERENCES

For additional information about diacritical marks, click the following article number to view the article in the Microsoft Knowledge Base:
98999 (http://support.microsoft.com/kb/98999/) Diacritical marks described and explained

APPLIES TO
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
Keywords: 
kbtshoot kbnofix kbprb kbbug KB886689