Error "The parameter is incorrect" Attempting to Import LDF File for Authoritative Restore

When Active Directory objects on a domain controller are deleted or become corrupted, you may have to restore them using a system state backup that contains the Active Directory database. You may then have to use the Ntdsutil.exe tool to mark the restored versions of these objects as authoritative.

On a domain controller that is running at least Windows Server 2003 with Service Pack 1 or later Windows versions, the Ntdsutil tool writes back links for the objects that are restored authoritatively into LDF files.

 If you have enabled credential roaming for some users which need to be restored, following error may occur:

ldifde -i -k -f ar_xxxx.ldf
Connecting to "dc01.contoso.com"
Logging in as current user using SSPI
Importing directory from file "ar_20090710-084606_links_adb.contoso.com.ldf"
Loading entries...............................
Add error on line <xxx>: Invalid Syntax
The server side error is "The parameter is incorrect."
28 entries modified successfully.
An error has occurred in the program
No log files were written.  In order to generate a log file, please specify the log file path via the -j option.

The problem is caused by an incorrect format of the LDF file created when doing the authoritative restore in the Ntdsutil tool. 

The LDF file contains a syntax error in line modifying following attributes:

• msPKIDPAPIMasterKeys
• msPKIAccountCredentials
• msPKIRoamingTimeStamp

 These attributes can be found on user objects, where credential roaming is enabled.

You can use the following script to remove the msPKI attributes that are causing the problem from the LDF file. 

---- remove_msPKI_entries.vbs ----

Const forReading = 1
Const forWriting = 2

Const insideEntry = 0
Const foundNewEntry = 1

Dim  deleteEntry
Dim  strNextLine
Dim  state
Dim state1
Dim  strPath

Dim  strLdifdeFileName
Dim  strLdifdeFileFullPath

Dim  strNewLdifdeFileName
Dim strNewLdifdeFileFullPath

Dim  strtempFileName
Dim strtempFileFullPath

If wscript.Arguments.Count <> 2 Then
 wscript.echo( "=======================================================================================" )
 wscript.echo( "Usage: cscript remove-msPKI-attrs.vbs <old_ldifde_back_links_file> <new_ldifde_back_links_file>" )
 wscript.echo( "" )
 wscript.echo( "Example: cscript remove-msPKI-attrs.vbs ar_20091102-135937_links_mydom.com.ldf new_ar_20091102-135937_links_mydom.com.ldf")
 wscript.echo( "" )
 wscript.echo( "msPKIDPAPIMasterKeys, msPKIAccountCredentials, msPKIRoamingTimeStamp back links will be deleted from")
 wscript.echo( "<old_ldifde_back_links_file> and remaining entries will be written into <new_ldifde_back_links_file>" )
 wscript.echo( "" )
 wscript.echo( "NOTE: If <new_ldifde_back_links_file> is already existing in current directory... its contents will be overwritten" )
 wscript.echo( "=======================================================================================" )
 wscript.Quit -1
End If 

Set objFSO    =  CreateObject("Scripting.FileSystemObject")

'All the files assumed to be in current directory
strPath    = "."

strLdifdeFileName   = wscript.Arguments(0)
strLdifdeFileFullPath  = objFSO.BuildPath(strPath, strLdifdeFileName)

strNewLdifdeFileName   = wscript.Arguments(1)
strNewLdifdeFileFullPath = objFSO.BuildPath(strPath, strNewLdifdeFileName)

strtempFileName    = objFSO.GetTempName
strtempFileFullPath  = objFSO.BuildPath(strPath, strtempFileName) 

'Open the given ldifde file for reading
Set objLdifdeFile  = objFSO.OpenTextFile( strLdifdeFileFullPath, forReading )

'Open a temporary file for writing
Set objNewLdifdeFile  = objFSO.OpenTextFile( strNewLdifdeFileFullPath, forWriting, true ) 

state =   foundNewEntry
Do Until objLdifdeFile.AtEndOfStream
 
 strNextLine  = objLdifdeFile.Readline

 If state = foundNewEntry Then
  state   = insideEntry
  set objtempFile  =  objFSO.OpenTextFile( strtempFileFullPath, forWriting, true)
 End If

 objtempFile.WriteLine( strNextLine ) 

 If StrComp( strNextLine, "-" ) = 0 Then
  state   = foundNewEntry
  objtempFile.Close

  set objtempFile =  objFSO.OpenTextFile( strtempFileFullPath, forReading )

  state1    = foundNewEntry
  deleteEntry  = 0

  Do Until objtempFile.AtEndOfStream

   strNextLine = objtempFile.ReadLine

   If state1 = insideEntry Then

    state1  = foundNewEntry

    If Instr( strNextLine, "msPKIDPAPIMasterKeys") <> 0 Then
     deleteEntry  = 1
    ElseIf Instr( strNextLine, "msPKIAccountCredentials" ) <> 0 Then
     deleteEntry  = 1
    ElseIf Instr( strNextLine, "msPKIRoamingTimeStamp" ) <> 0 Then
     deleteEntry  = 1
    End If

   ElseIf InStr( strNextLine, "ChangeType:" ) = 0 Then
    state1  = insideEntry
   End If

  Loop

  objtempFile.Close
  set objtempFile  =  objFSO.OpenTextFile( strtempFileFullPath, forReading )

  If deleteEntry = 0 Then

   Do Until objtempFile.AtEndOfStream
    StrNextLine   =  objtempFile.ReadLine
    objNewLdifdeFile.WriteLine( strNextLine )
   Loop
  End If

  objtempFile.Close
  objFSO.DeleteFile( strtempFileFullPath )
 End If

Loop

objLdifdeFile.Close
objNewLdifdeFile.Close 

--------

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.