16.7. Checking the DIT File’s Integrity
Problem
You want to check the integrity and semantics of the DIT file to verify there is no corruption or bad entries.
Solution
Using a command-line interface
First, reboot into Directory Services Restore Mode. Then run the following commands:
> ntdsutil files integrity q q
> ntdsutil "semantic database analysis" "verbose on" go
Discussion
The Active Directory DIT file (ntds.dit) is implemented as a transactional database. Microsoft uses the ESE database (formerly called Jet) for Active Directory, which has been used for years in other products, such as Microsoft Exchange.

Since the Active Directory DIT ultimately is a database, it can suffer from many of the same issues that traditional databases do.

The ntdsutil integrity command checks for any low-level database corruption and ensures that the database headers are correct and the tables are in a consistent state. It reads every byte of the database and can take quite a while to complete depending on how large your DIT file is. The time it takes is also greatly dependent on your hardware, but some early estimates from Microsoft for Windows 2000 put the rate at 2 GB an hour.

Whereas the ntdsutil integrity command verifies the overall structure and health of the database, the ntdsutil semantics command looks at the contents of the database. It will verify, among other things, reference counts, replication metadata, and security descriptors. If any errors are reported back, you can run go fixup ...
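The two checks from the Solution, wrapped in an added PowerShell script that is not part of the Cookbook: it refuses to run unless the directory service is offline (as it is in DSRM), records which DIT file was examined, logs ntdsutil's output, and stops at the first check that does not succeed. The success strings it matches, the log directory, and the note about "activate instance ntds" are assumptions not taken from the page.

```powershell
# Added example (not from the Active Directory Cookbook). Assumptions:
# - $LogDir is a hypothetical location chosen for this script.
# - The patterns matched against ntdsutil output ("Integrity check successful",
#   "Done") are assumed from typical ntdsutil output and may differ by version.
# - On Windows Server 2008 and later, ntdsutil needs 'activate instance ntds'
#   before 'files'; prepend it to the command lists below on those versions.
$ErrorActionPreference = 'Stop'
$LogDir = 'C:\DitCheckLogs'                        # hypothetical path
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$LogFile = Join-Path $LogDir ("dit-{0}.log" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

# The offline integrity check needs the database closed. In DSRM the directory
# service is not started, so a running NTDS service means a normal boot: abort.
$ntds = Get-Service -Name NTDS -ErrorAction SilentlyContinue
if ($ntds -and $ntds.Status -eq 'Running') {
    throw 'NTDS is running; reboot into Directory Services Restore Mode first.'
}

# Record which DIT file is being checked (path comes from the NTDS parameters key).
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
Add-Content -Path $LogFile -Value "Checking DIT: $($params.'DSA Database file')"

function Invoke-Ntdsutil {
    param([string[]]$Commands, [string]$SuccessPattern)
    # Each ntdsutil sub-command is one argument; multi-word commands such as
    # "semantic database analysis" stay quoted so they arrive as one argument.
    $out = & ntdsutil.exe @Commands 2>&1
    Add-Content -Path $LogFile -Value ($out | ForEach-Object { "$_" })
    return (($out | ForEach-Object { "$_" }) -join "`n") -match $SuccessPattern
}

# Step 1: low-level ESE structure check. Reads the whole file; can take hours.
$integrityOk = Invoke-Ntdsutil -Commands @('files', 'integrity', 'q', 'q') `
                               -SuccessPattern 'Integrity check successful'
if (-not $integrityOk) { throw "DIT integrity check failed; see $LogFile" }

# Step 2: semantic analysis of the contents (reference counts, replication
# metadata, security descriptors). 'q q' leaves the checker and ntdsutil.
$semanticOk = Invoke-Ntdsutil -Commands @('semantic database analysis', 'verbose on', 'go', 'q', 'q') `
                              -SuccessPattern 'Done'
if (-not $semanticOk) { throw "Semantic database analysis did not complete; see $LogFile" }

Write-Host "Both checks passed. Full ntdsutil output: $LogFile"
```

Because the integrity check reads the entire database, run this from a console session you can leave open for hours on a large DIT, and keep the log file with the change record for the maintenance window.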