NTDS ISAM

18 events across 1 channel

Event | Title | Channel
102 | Event ID 102 | Directory Service
103 | Event ID 103 | Directory Service
105 | Event ID 105 | Directory Service
326 | Event ID 326 | Directory Service
327 | Event ID 327 | Directory Service
330 | Event ID 330 | Directory Service
508 | NTDS (1008,D,0) NTDSA: A request to write to the file "C:\Windows\NTDS\edb.log" … took an abnormally long time to be serviced by the OS. | Directory Service
609 | Event ID 609 | Directory Service
611 | Event ID 611 | Directory Service
612 | Event ID 612 | Directory Service
614 | Event ID 614 | Directory Service
643 | Event ID 643 | Directory Service
700 | Event ID 700 | Directory Service
701 | Event ID 701 | Directory Service
702 | Event ID 702 | Directory Service
703 | Event ID 703 | Directory Service
704 | Event ID 704 | Directory Service
2001 | NTDS (1000,D,0) NTDSA: Shadow copy instance 1 freeze started. | Directory Service

Event ID 102:

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

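Name | Description
Data_0 | Message prefix; "NTDS" in the example.
Data_1 | Identifier shown in parentheses after the prefix ("896,P,98" in the example).
Data_2 | Source label that precedes the message text ("NTDSA: ").
Data_3 | Instance number ("0"), rendered as "a new instance (0)" in the message.
Data_4 | First component of the database engine version ("10").
Data_5 | Second component of the database engine version ("00").
Data_6 | Third component of the database engine version ("20348").
Data_7 | Fourth component of the database engine version ("0000").
Data | Not present in the example below; other examples on this page (e.g. Event ID 103) carry their values as a single Data array instead of numbered fields.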

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 102,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-06-13T05:38:05.5681978+00:00",
    "event_record_id": 349,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "NTDS",
    "Data_1": "896,P,98",
    "Data_2": "NTDSA: ",
    "Data_3": "0",
    "Data_4": "10",
    "Data_5": "00",
    "Data_6": "20348",
    "Data_7": "0000"
  },
  "message": "NTDS (896,P,98) NTDSA: The database engine (10.00.20348.0000) is starting a new instance (0)."
}

Event ID 103:

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

NameDescription
Data

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 103,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T08:12:40.502491+00:00",
    "event_record_id": 38,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "NTDS",
      "648,T,97",
      "NTDSA: ",
      "0",
      "\n[1] 0.000002 +J(0)\n[2] 0.000450 -0.000425 (1) WT +J(0) +M(C:0K, Fs:23, WS:68K # 0K, PF:0K # 0K, P:0K)\n[3] 0.000197 +J(CM:0, PgRf:47, Rd:0/0, Dy:5/55, Lg:2011/41) +M(C:0K, Fs:10, WS:-120K # 0K, PF:-160K # 0K, P:-160K)\n[4] 0.000003 +J(0)\n[5] 0.028921 -0.018370 (9) WT +J(0) +M(C:96K, Fs:323, WS:364K # 0K, PF:360K # 0K, P:360K)\n[6] 0.000022 +J(0)\n[7] 0.000005 +J(0)\n[8] 0.007311 -0.000947 (12) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3624/2) +M(C:0K, Fs:112, WS:-40K # 0K, PF:-44K # 0K, P:-44K)\n[9] 0.000265 -0.000122 (1) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:66/1)\n[10] 0.000022 +J(0)\n[11] 0.001534 -0.000111 (2) WT +J(0)\n[12] 0.000021 +J(0) +M(C:0K, Fs:0, WS:-4K # 0K, PF:-4K # 0K, P:-4K)\n[13] 0.000208 +J(0)\n[14] 0.000988 +J(0) +M(C:0K, Fs:0, WS:-10248K # 0K, PF:-10264K # 0K, P:-10264K)\n[15] 0.000007 +J(0).",
      "0"
    ]
  },
  "message": ""
}

References #

Event ID 105:

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

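Name | Description
Data_0 | Message prefix; "NTDS" in the example.
Data_1 | Identifier shown in parentheses after the prefix ("896,D,0" in the example).
Data_2 | Source label that precedes the message text ("NTDSA: ").
Data_3 | "0" in the example; presumably the instance number ("a new instance (0)"). The example cannot confirm this, because the elapsed time is also 0.
Data_4 | "0" in the example; presumably the elapsed time in seconds ("Time=0 seconds").
Data_5 | Internal timing sequence text.
Data_6 | Additional data; empty in the example.
Data | Not present in the example below; other examples on this page (e.g. Event ID 103) carry their values as a single Data array instead of numbered fields.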

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 105,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-06-13T05:38:05.5681978+00:00",
    "event_record_id": 350,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "NTDS",
    "Data_1": "896,D,0",
    "Data_2": "NTDSA: ",
    "Data_3": "0",
    "Data_4": "0",
    "Data_5": "\n[1] 0.001158 +J(0) +M(C:0K, Fs:118, WS:444K # 0K, PF:3524K # 364K, P:3524K)\n[2] 0.000748 +J(0) +M(C:16K, Fs:164, WS:648K # 320K, PF:316K # 316K, P:316K)\n[3] 0.000101 +J(0) +M(C:0K, Fs:5, WS:20K # 20K, PF:64K # 64K, P:64K)\n[4] 0.005071 -0.000301 (1) WT +J(0) +M(C:0K, Fs:158, WS:540K # 540K, PF:7724K # 7724K, P:7724K)\n[5] 0.000428 +J(0) +M(C:0K, Fs:3, WS:12K # 12K, PF:8K # 8K, P:8K)\n[6] 0.002799 +J(0) +M(C:0K, Fs:18, WS:68K # 68K, PF:16K # 16K, P:16K)\n[7] 0.031294 -0.024724 (21) WT +J(0) +M(C:0K, Fs:2579, WS:10296K # 10296K, PF:10260K # 10260K, P:10260K)\n[8] -\n[9] -\n[10] -\n[11] -\n[12] -\n[13] 0.025247 -0.018453 (22) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:616/1) +M(C:0K, Fs:8, WS:-10216K # 24K, PF:-10256K # 12K, P:-10256K)\n[14] 0.000025 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:4K # 0K, P:4K)\n[15] 0.001169 +J(0) +M(C:0K, Fs:821, WS:3276K # 0K, PF:68K # 0K, P:68K)\n[16] 0.000536 -0.000255 (1) WT +J(0) +M(C:0K, Fs:3, WS:4K # 0K, PF:0K # 0K, P:0K).",
    "Data_6": ""
  },
  "message": "NTDS (896,D,0) NTDSA: The database engine started a new instance (0). (Time=0 seconds) \r\n \r\nAdditional Data:\r\n  \r\n \r\nInternal Timing Sequence: \n[1] 0.001158 +J(0) +M(C:0K, Fs:118, WS:444K # 0K, PF:3524K # 364K, P:3524K)\n[2] 0.000748 +J(0) +M(C:16K, Fs:164, WS:648K # 320K, PF:316K # 316K, P:316K)\n[3] 0.000101 +J(0) +M(C:0K, Fs:5, WS:20K # 20K, PF:64K # 64K, P:64K)\n[4] 0.005071 -0.000301 (1) WT +J(0) +M(C:0K, Fs:158, WS:540K # 540K, PF:7724K # 7724K, P:7724K)\n[5] 0.000428 +J(0) +M(C:0K, Fs:3, WS:12K # 12K, PF:8K # 8K, P:8K)\n[6] 0.002799 +J(0) +M(C:0K, Fs:18, WS:68K # 68K, PF:16K # 16K, P:16K)\n[7] 0.031294 -0.024724 (21) WT +J(0) +M(C:0K, Fs:2579, WS:10296K # 10296K, PF:10260K # 10260K, P:10260K)\n[8] -\n[9] -\n[10] -\n[11] -\n[12] -\n[13] 0.025247 -0.018453 (22) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:616/1) +M(C:0K, Fs:8, WS:-10216K # 24K, PF:-10256K # 12K, P:-10256K)\n[14] 0.000025 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:4K # 0K, P:4K)\n[15] 0.001169 +J(0) +M(C:0K, Fs:821, WS:3276K # 0K, PF:68K # 0K, P:68K)\n[16] 0.000536 -0.000255 (1) WT +J(0) +M(C:0K, Fs:3, WS:4K # 0K, PF:0K # 0K, P:0K)."
}

Event ID 326:

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

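Name | Description
Data_0 | Message prefix; "NTDS" in the example.
Data_1 | Identifier shown in parentheses after the prefix ("896,D,50" in the example).
Data_2 | Source label that precedes the message text ("NTDSA: ").
Data_3 | Number of the attached database ("1").
Data_4 | Path of the attached database file ("C:\Windows\NTDS\ntds.dit").
Data_5 | Elapsed time in seconds ("Time=0 seconds").
Data_6 | Internal timing sequence text.
Data_7 | Saved cache value ("0 0").
Data_8 | Additional data; lgposAttach and dbv in the example.
Data | Not present in the example below; other examples on this page (e.g. Event ID 327) carry their values as a single Data array instead of numbered fields.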

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 326,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-06-13T05:38:05.5681978+00:00",
    "event_record_id": 352,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "NTDS",
    "Data_1": "896,D,50",
    "Data_2": "NTDSA: ",
    "Data_3": "1",
    "Data_4": "C:\\Windows\\NTDS\\ntds.dit",
    "Data_5": "0",
    "Data_6": "\n[1] 0.000008 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[2] 0.000552 -0.000348 (1) WT +J(0) +M(C:0K, Fs:19, WS:12K # 0K, PF:8K # 0K, P:8K)\n[3] 0.008614 -0.002602 (6) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:16, WS:56K # 0K, PF:108K # 0K, P:108K)\n[4] 0.000182 +J(0)\n[5] -\n[6] -\n[7] -\n[8] 0.001044 -0.000404 (2) CM -0.000320 (2) WT +J(CM:2, PgRf:2, Rd:4/2, Dy:0/0, Lg:0/0) +M(C:16K, Fs:47, WS:180K # 0K, PF:228K # 0K, P:228K)\n[9] 0.002021 -0.001536 (7) CM -0.001303 (7) WT +J(CM:7, PgRf:24, Rd:0/7, Dy:0/0, Lg:0/0) +M(C:-8K, Fs:29, WS:100K # 0K, PF:192K # 0K, P:192K)\n[10] 0.000790 -0.000618 (3) CM -0.000525 (3) WT +J(CM:3, PgRf:40, Rd:0/3, Dy:0/0, Lg:0/0) +M(C:-4K, Fs:5, WS:12K # 0K, PF:60K # 0K, P:60K)\n[11] 0.000033 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K # 0K, PF:0K # 0K, P:0K)\n[12] 0.000044 +J(CM:0, PgRf:48, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:2, WS:8K # 0K, PF:0K # 0K, P:0K)\n[13] 0.0 +J(0)\n[14] 0.0 +J(0)\n[15] 0.000004 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0).",
    "Data_7": "0 0",
    "Data_8": "lgposAttach = 00000002:07E5:0268,\ndbv = 1568.20.0 (8920)"
  },
  "message": "NTDS (896,D,50) NTDSA: The database engine attached a database (1, C:\\Windows\\NTDS\\ntds.dit). (Time=0 seconds) \r\n \r\nSaved Cache: 0 0 \r\nAdditional Data: lgposAttach = 00000002:07E5:0268,\ndbv = 1568.20.0 (8920) \r\n \r\nInternal Timing Sequence: \n[1] 0.000008 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[2] 0.000552 -0.000348 (1) WT +J(0) +M(C:0K, Fs:19, WS:12K # 0K, PF:8K # 0K, P:8K)\n[3] 0.008614 -0.002602 (6) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:16, WS:56K # 0K, PF:108K # 0K, P:108K)\n[4] 0.000182 +J(0)\n[5] -\n[6] -\n[7] -\n[8] 0.001044 -0.000404 (2) CM -0.000320 (2) WT +J(CM:2, PgRf:2, Rd:4/2, Dy:0/0, Lg:0/0) +M(C:16K, Fs:47, WS:180K # 0K, PF:228K # 0K, P:228K)\n[9] 0.002021 -0.001536 (7) CM -0.001303 (7) WT +J(CM:7, PgRf:24, Rd:0/7, Dy:0/0, Lg:0/0) +M(C:-8K, Fs:29, WS:100K # 0K, PF:192K # 0K, P:192K)\n[10] 0.000790 -0.000618 (3) CM -0.000525 (3) WT +J(CM:3, PgRf:40, Rd:0/3, Dy:0/0, Lg:0/0) +M(C:-4K, Fs:5, WS:12K # 0K, PF:60K # 0K, P:60K)\n[11] 0.000033 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K # 0K, PF:0K # 0K, P:0K)\n[12] 0.000044 +J(CM:0, PgRf:48, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:2, WS:8K # 0K, PF:0K # 0K, P:0K)\n[13] 0.0 +J(0)\n[14] 0.0 +J(0)\n[15] 0.000004 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0)."
}

Event ID 327:

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

NameDescription
Data

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 327,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T08:12:33.396715+00:00",
    "event_record_id": 21,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "NTDS",
      "648,D,51",
      "NTDSA: ",
      "1",
      "C:\\Windows\\NTDS\\ntds.dit",
      "0",
      "\n[1] 0.000002 +J(0)\n[2] 0.0 +J(0)\n[3] 0.004132 -0.004125 (1) WT +J(0) +M(C:44K, Fs:53, WS:100K # 0K, PF:48K # 0K, P:48K)\n[4] 0.000001 +J(0)\n[5] 0.0 +J(0)\n[6] 0.001773 -0.000372 (6) WT +J(0) +M(C:-16K, Fs:6, WS:-8K # 0K, PF:-16K # 0K, P:-16K)\n[7] 0.000029 +J(0)\n[8] 0.000381 -0.000070 (2) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3902/2)\n[9] 0.001097 -0.000213 (6) WT +J(0) +M(C:0K, Fs:4, WS:-20K # 0K, PF:-20K # 0K, P:-20K)\n[10] 0.000127 +J(0)\n[11] 0.000069 +J(0) +M(C:0K, Fs:0, WS:-8K # 0K, PF:-8K # 0K, P:-8K).",
      "0 0",
      "lgposDetach = 00000001:00BA:00C2"
    ]
  },
  "message": ""
}

References #

Event ID 330:

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

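Name | Description
Data_0 | Message prefix; "NTDS" in the example.
Data_1 | Identifier shown in parentheses after the prefix ("896,D,2" in the example).
Data_2 | Source label that precedes the message text ("NTDSA: ").
Data_3 | Path of the database file ("C:\Windows\NTDS\temp.edb").
Data_4 | Application parameter setting that holds the format version back ("0x22D8 (8920)").
Data_5 | Format version the database is held back to ("8920 (0x22d8)").
Data_6 | Current default engine version ("9360 (0x2490)").
Data | Not present in the example below; other examples on this page (e.g. Event ID 103) carry their values as a single Data array instead of numbered fields.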

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 330,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-06-13T05:38:05.5681978+00:00",
    "event_record_id": 353,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "NTDS",
    "Data_1": "896,D,2",
    "Data_2": "NTDSA: ",
    "Data_3": "C:\\Windows\\NTDS\\temp.edb",
    "Data_4": "0x22D8 (8920)",
    "Data_5": "8920 (0x22d8)",
    "Data_6": "9360 (0x2490)"
  },
  "message": "NTDS (896,D,2) NTDSA: The database [C:\\Windows\\NTDS\\temp.edb] format version is being held back to 8920 (0x22d8) due to application parameter setting of 0x22D8 (8920). Current default engine version: 9360 (0x2490)."
}

Event ID 508: NTDS (1008,D,0) NTDSA: A request to write to the file "C:\Windows\NTDS\edb.log" … took an abnormally long time to be serviced by the OS.

Provider
NTDS ISAM
Channel
Directory Service
Level
Warning (3)

Fields #

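Name | Description
Data_0 | Message prefix; "NTDS" in the example.
Data_1 | Identifier shown in parentheses after the prefix ("1008,D,0" in the example).
Data_2 | Source label that precedes the message text ("NTDSA: ").
Data_3 | Path of the file being written ("C:\Windows\NTDS\edb.log").
Data_4 | File offset of the write ("10469376 (0x00000000009fc000)").
Data_5 | Number of bytes written ("4096 (0x00001000)").
Data_6 | Time the write took to be serviced, in seconds ("25").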

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 508,
    "version": 0,
    "level": 3,
    "task": 7,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-04-13T05:21:25.6807569+00:00",
    "event_record_id": 5434,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "NTDS",
    "Data_1": "1008,D,0",
    "Data_2": "NTDSA: ",
    "Data_3": "C:\\Windows\\NTDS\\edb.log",
    "Data_4": "10469376 (0x00000000009fc000)",
    "Data_5": "4096 (0x00001000)",
    "Data_6": "25"
  },
  "message": "NTDS (1008,D,0) NTDSA: A request to write to the file \"C:\\Windows\\NTDS\\edb.log\" at offset 10469376 (0x00000000009fc000) for 4096 (0x00001000) bytes succeeded, but took an abnormally long time (25 seconds) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem."
}

Event ID 609:

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

NameDescription
Data

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 609,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T08:12:33.307771+00:00",
    "event_record_id": 14,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "NTDS",
      "648,D,50",
      "NTDSA: ",
      "C:\\Windows\\NTDS\\ntds.dit",
      "10",
      "0",
      "20348",
      "0",
      "10",
      "0",
      "20348",
      "0"
    ]
  },
  "message": ""
}

References #

Event ID 611:

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

NameDescription
Data

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 611,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T08:12:33.375741+00:00",
    "event_record_id": 18,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "NTDS",
      "648,D,50",
      "NTDSA: ",
      "C:\\Windows\\NTDS\\ntds.dit",
      "PDNT_index",
      "datatable"
    ]
  },
  "message": ""
}

References #

Event ID 612:

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

NameDescription
Data

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 612,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T08:12:33.381699+00:00",
    "event_record_id": 19,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "NTDS",
      "648,D,50",
      "NTDSA: ",
      "C:\\Windows\\NTDS\\ntds.dit"
    ]
  },
  "message": ""
}

References #

Event ID 614:

Provider
NTDS ISAM
Channel
Directory Service
Level
Warning

Fields #

NameDescription
Data

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 614,
    "version": 0,
    "level": 3,
    "task": 5,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T08:12:33.225114+00:00",
    "event_record_id": 6,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "NTDS",
      "648,D,50",
      "NTDSA: ",
      "C:\\Windows\\NTDS\\ntds.dit",
      "INDEX_00000003",
      "datatable"
    ]
  },
  "message": ""
}

References #

Event ID 643:

Provider
NTDS ISAM
Channel
Directory Service
Level
Warning

Fields #

NameDescription
Data

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 643,
    "version": 0,
    "level": 3,
    "task": 5,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T08:12:33.306746+00:00",
    "event_record_id": 13,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "NTDS",
      "648,D,50",
      "NTDSA: ",
      "C:\\Windows\\NTDS\\ntds.dit",
      "en-US",
      "00000001-57ee-1e5c-00b4-d0000bb1e11e",
      "0006020F0006020F",
      "00000001-57ee-1e5c-00b4-d0000bb1e11e",
      "0006040300060403"
    ]
  },
  "message": ""
}

References #

Event ID 700:

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

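Name | Description
Data_0 | Message prefix; "NTDS" in the example.
Data_1 | Identifier shown in parentheses after the prefix ("896,D,0" in the example).
Data_2 | Source label that precedes the message text ("NTDSA: ").
Data_3 | Path of the database being defragmented ("C:\Windows\NTDS\ntds.dit").
Data | Not present in the example below; other examples on this page (e.g. Event ID 702) carry their values as a single Data array instead of numbered fields.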

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 700,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-06-13T05:38:05.5681978+00:00",
    "event_record_id": 354,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "NTDS",
    "Data_1": "896,D,0",
    "Data_2": "NTDSA: ",
    "Data_3": "C:\\Windows\\NTDS\\ntds.dit"
  },
  "message": "NTDS (896,D,0) NTDSA: Online defragmentation is beginning a full pass on database 'C:\\Windows\\NTDS\\ntds.dit'."
}

Event ID 701:

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

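Name | Description
Data_0 | Message prefix; "NTDS" in the example.
Data_1 | Identifier shown in parentheses after the prefix ("896,D,0" in the example).
Data_2 | Source label that precedes the message text ("NTDSA: ").
Data_3 | Path of the defragmented database ("C:\Windows\NTDS\ntds.dit").
Data_4 | Pages freed by the pass ("0"); Data_4 to Data_9 are mapped here by their order in the message, which the repeated values in the example cannot confirm.
Data_5 | Date the pass started ("6/13/2026").
Data_6 | Total run time in seconds ("0").
Data_7 | Number of invocations the pass required ("1").
Data_8 | Number of days the pass spanned ("1").
Data_9 | Number of full defragmentations since the database was created ("3").
Data | Not present in the example below; other examples on this page (e.g. Event ID 703) carry their values as a single Data array instead of numbered fields.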

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 701,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-06-13T05:38:05.7402088+00:00",
    "event_record_id": 355,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "NTDS",
    "Data_1": "896,D,0",
    "Data_2": "NTDSA: ",
    "Data_3": "C:\\Windows\\NTDS\\ntds.dit",
    "Data_4": "0",
    "Data_5": "6/13/2026",
    "Data_6": "0",
    "Data_7": "1",
    "Data_8": "1",
    "Data_9": "3"
  },
  "message": "NTDS (896,D,0) NTDSA: Online defragmentation has completed a full pass on database 'C:\\Windows\\NTDS\\ntds.dit', freeing 0 pages. This pass started on 6/13/2026 and ran for a total of 0 seconds, requiring 1 invocations over 1 days. Since the database was created it has been fully defragmented 3 times."
}

Event ID 702:

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

NameDescription
Data

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 702,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T08:29:41.505098+00:00",
    "event_record_id": 65,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "NTDS",
      "648,D,0",
      "NTDSA: ",
      "C:\\Windows\\NTDS\\ntds.dit",
      "4/7/2022",
      "1"
    ]
  },
  "message": ""
}

References #

Event ID 703:

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

NameDescription
Data

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 703,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T08:29:41.520778+00:00",
    "event_record_id": 66,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "NTDS",
      "648,D,0",
      "NTDSA: ",
      "C:\\Windows\\NTDS\\ntds.dit",
      "10",
      "4/7/2022",
      "0",
      "2",
      "1",
      "1"
    ]
  },
  "message": ""
}

References #

Event ID 704:

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

NameDescription
Data

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 704,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T08:30:15.270773+00:00",
    "event_record_id": 70,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "NTDS",
      "648,D,0",
      "NTDSA: ",
      "C:\\Windows\\NTDS\\ntds.dit"
    ]
  },
  "message": ""
}

References #

Event ID 2001: NTDS (1000,D,0) NTDSA: Shadow copy instance 1 freeze started.

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational (4)

Fields #

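Name | Description
Data_0 | Message prefix; "NTDS" in the example.
Data_1 | Identifier shown in parentheses after the prefix ("1000,D,0" in the example).
Data_2 | Source label that precedes the message text ("NTDSA: ").
Data_3 | Shadow copy instance number ("1").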

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 2001,
    "version": 0,
    "level": 4,
    "task": 16,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-30T02:25:25.5872725+00:00",
    "event_record_id": 5631,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "NTDS",
    "Data_1": "1000,D,0",
    "Data_2": "NTDSA: ",
    "Data_3": "1"
  },
  "message": "NTDS (1000,D,0) NTDSA: Shadow copy instance 1 freeze started."
}