LSASS.exe - System Error: SAM Initialization Failed (Secondary DC - 2003 R2)

    Question

  • LSASS.exe - System Error

    LSASS.EXE - System Error, security accounts manager initialization failed because of the following error: Directory Services cannot start. Error status 0xc00002e1.Please click OK to shutdown this system and reboot into Directory Services Restore Mode,

    Please note that the server is running 2003 R2 (secondary DC, holds only the Global Catalog). I can log in to the server using Directory Services Restore Mode (safe mode) and tried to perform an offline defragmentation of the AD database, and also tried metadata cleanup, with no luck. Can someone help me urgently?

    Domain Controller 2008 Server holds all FSMO roles.

    Wednesday, November 20, 2013 6:53 AM

All replies

  • You said that you could not perform an offline defrag of the database.

    Following the steps in the article below, on which step did you run into an issue, and what was the error message?
    Compact the directory database file (offline defragmentation):
    http://technet.microsoft.com/en-us/library/cc772931(v=ws.10).aspx


    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Wednesday, November 20, 2013 6:59 AM
  • Thanks Christoffer,

    I am getting the error below.

    Error:DBInitializeJetDatabase failed with [Jet Error-1018].

    Error while Doing Soft Recovery.

    Wednesday, November 20, 2013 7:41 AM
  • -1018 means there is a checksum error on a database page. Is this a physical server? If so, try to determine whether a disk/RAID controller or disks are failing (replace those) and restore a system state backup.

    If you don't have any backup of this DC, you have to remove it from AD and/or rebuild it.

    Follow the article below on how you can remove the failed DC from AD:
    http://support.microsoft.com/kb/216498


    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Wednesday, November 20, 2013 7:58 AM
  • Thanks Christoffer,

    Yes, you are exactly correct. The hard disk failed yesterday and showed green after the rebuild; however, I have changed the hard disk now and will then try to rebuild.

    I need your support until the end, and I appreciate your immediate reply and support.

    Regards

    Wednesday, November 20, 2013 12:06 PM
  • If you have a second DC then promote a second DC as a GC. If not all DCs are GCs and you have a trust relationship, then avoid the Infrastructure Master as a GC.
    http://support.microsoft.com/kb/313994?wa=wsignin1.0

    Do a metadata cleanup of the lost DC
    http://blogs.dirteam.com/blogs/paulbergson/archive/2009/06/09/active-directory-cleanup-the-most-common-question-i-see.aspx

    Promote the DC


    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, November 20, 2013 1:05 PM
  • Hi Paul,

    Please note that the failure occurred on the secondary DC, which holds the GC; I don't have another DC to promote to GC. The only way is to promote the DC as GC with IM. Please advise me.

    Now the hard disk has been changed and the rebuild is done, so I am doing the offline defrag again.

    Wednesday, November 20, 2013 1:44 PM
  • You can safely run the GC and IM on the same DC as long as all DCs in the domain are GCs, or if you only have one domain it doesn't matter at all.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Wednesday, November 20, 2013 1:52 PM
  • Thanks Christoffer, I have done the same; thanks for the clarification.

    Again I am getting an error performing metadata cleanup:

    ntdsutil: metadata cleanup
    metadata cleanup: connections
    server connections: connect to server Masterdc.XXXX.XXXservername
    Binding to masterdc.XXXX.XXX ...
    DsBindW error 0x6ba(The RPC server is unavailable.)

    Wednesday, November 20, 2013 2:12 PM
  • RPC services are running.
    Wednesday, November 20, 2013 2:17 PM
  • You should run ntdsutil from the healthy DC and connect to the healthy DC (e.g. the DC you intend to keep) - also make sure that the healthy DC only has itself as DNS server in the TCP/IP DNS settings.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Wednesday, November 20, 2013 2:21 PM
  • Yes, I have tried from the healthy DC and the error below occurred:

    DsBindW error 0x6d9(There are no more endpoints available from the endpoint mapper.)

    Can I give you TeamViewer access?
    Wednesday, November 20, 2013 2:37 PM
  • Just noticed that your DC that you intend to keep (e.g. the one you promoted to GC) is running Windows Server 2008, right? If that's the case you can just go into the "Domain Controllers" OU and delete the failed server and it should do metadata cleanup for you. IMPORTANT: Note you can never reintroduce this server/domain controller into AD again without reinstalling it.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Wednesday, November 20, 2013 2:37 PM
  • Yes! You are correct, the DC is 2008, so I am trying to delete and get the warning below. Shall I do it?

    Warning! to properly remove the DC from AD DS domain, You should run DCPromo on the DC that you want to delete

    This domain Controller is permanently offline and can no longer be demoted using the active directory domain services installation wizard(DCPROMO)


    Wednesday, November 20, 2013 2:46 PM
  • Please confirm whether to perform the deletion from the DC OU.
    Wednesday, November 20, 2013 2:58 PM
  • As long as you are OK with re-installing the failing server, OK (if you have files etc. on it, you can of course copy those out before you re-install the operating system).

    You can click Yes and confirm the delete - but at the same time you should agree that you have given up all attempts to bring the failed server back into AD.


    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Wednesday, November 20, 2013 3:09 PM
  • Of course, I have a huge amount of data on that server; I cannot re-install the OS for the time being.

    Yes, I have made all attempts to bring the failed server back into AD.

    My question is whether I can add the failed server as a member server after deleting, and promote another server as ADC, because I have a huge amount of data on that server that the AD users should be given access to.

    Is it possible to dcpromo the failed server after doing the delete action?

    Wednesday, November 20, 2013 3:19 PM
  • After deleting through the DC OU, can I log in as usual without the SAM error?

    Waiting for your reply before I proceed, please.

    Wednesday, November 20, 2013 3:33 PM
  • OK, if you cannot re-install the server then you can't use the delete option.

    1. You have to perform metadata cleanup the old way (e.g. you can NOT delete the computer object for the DC in the domain controllers OU) per http://support.microsoft.com/kb/216498.

    2. On the failed DC you have to run dcpromo /forceremoval - it should now be a member server.

    3. Yes, you should be able to promote it back, but I would not do so: what if other things than the database became corrupted on the server? I would move the data and re-install the server.


    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog


    Wednesday, November 20, 2013 3:39 PM
  • Yes, I too prefer to delete.
    I cannot perform dcpromo /forceremoval through DSRM either.

    Also, I have a doubt whether it is possible to log in as usual without the error:

    1. When can I back up the data?

    2. Or should I do the backup before the delete?

    3. I cannot even copy some data to other locations through Directory Services Restore Mode.

    Wednesday, November 20, 2013 3:52 PM
  • First step: run dcpromo /forceremoval on the DC that had the disk failure; you can do this in DSRM:

    Follow "the domain controller cannot start in normal mode" steps in Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server:
    http://support.microsoft.com/kb/332199/en-us

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    • Marked as answer by premrajs Saturday, November 30, 2013 12:15 PM
    Wednesday, November 20, 2013 8:15 PM
  • I wasn't able to run dcpromo /forceremoval in DSRM; I am getting the error below:

    This computer is running in the safe mode,Please restart the computer in Normal Mode before installing the AD.

    Thursday, November 21, 2013 5:18 AM
  • Hi,

    Try this,

    Modify the value of the following registry entry:

    HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior

    It should be 0 by default; change it to 1.

    Thanks & Regards

    Ashish Gaur



    Ashish Gaur

    Thursday, November 21, 2013 5:30 AM
  • Yes, I tried that too.

    The DSRMALB DWORD was not found, so I created it and tried, to no avail.

    Thursday, November 21, 2013 5:50 AM
  • Hi Christoffer,

    Before deleting the failed computer object through the DC OU, please note that there is no communication between the DC and the failed secondary DC; I couldn't even perform any of the methods discussed above. So how does deleting the computer object in the DC OU work?

    Thursday, November 21, 2013 6:38 AM
  • There doesn't have to be any communication between the servers to perform this. However, if you go down this path you can never get the failed DC back in again, not even easily as a member server; you _have_ to re-install it.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Thursday, November 21, 2013 8:40 AM
  • Yes, done it by changing the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions

    In the right pane, changed ProductType to ServerNT in the Value data box.

    Now the server is up in normal mode as a member server.


    • Marked as answer by premrajs Saturday, November 30, 2013 12:22 PM
    Thursday, November 21, 2013 8:51 AM
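
An added example (not part of the thread and not any poster's code): a read-only PowerShell check of the two registry values mentioned in this thread, ProductType and DSRMAdminLogonBehavior, that flags a server whose role was switched in the registry while an AD database is still on disk. The NTDS\Parameters "DSA Database file" lookup and the finding rules are assumptions of this example.

```powershell
# Added example: read-only audit of the registry values discussed in this thread.
# The "findings" heuristics are assumptions of this example, not Microsoft guidance.
function Get-RegValue([string]$Path, [string]$Name) {
    # Return the value data, or $null when the key or the value is missing.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        $prop = $item.PSObject.Properties[$Name]
        if ($prop) { return $prop.Value }
    }
    return $null
}

$control     = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$productType = Get-RegValue "$control\ProductOptions" 'ProductType'
$dsrm        = Get-RegValue "$control\Lsa" 'DsrmAdminLogonBehavior'
$ditPath     = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' 'DSA Database file'

# ProductType strings: WinNT = workstation, ServerNT = server, LanmanNT = domain controller.
$isDc     = ($productType -eq 'LanmanNT')
$findings = @()

# A server that no longer claims to be a DC but still carries an AD database
# had its role changed without a demotion.
if (-not $isDc -and $ditPath -and (Test-Path -LiteralPath $ditPath)) {
    $findings += "ProductType is '$productType' but an AD database is still present at '$ditPath'."
}

# 0 or absent: DSRM admin can log on only in DSRM. 1: also when AD DS is stopped. 2: always.
if ($null -ne $dsrm -and $dsrm -ne 0) {
    $findings += "DsrmAdminLogonBehavior = $dsrm lets the DSRM administrator log on outside DSRM."
}
if ($null -ne $dsrm -and -not $isDc) {
    $findings += 'DsrmAdminLogonBehavior is set on a machine that is not a DC (leftover value).'
}

"ProductType            : $productType"
"DsrmAdminLogonBehavior : $(if ($null -eq $dsrm) { 'not set' } else { $dsrm })"
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

The script only reads the registry and the file system, so it can be run on the recovered server and on the surviving DC alike.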
  • Hi Christoffer, can you guide me to bring it back as a DC?
    Thursday, November 21, 2013 9:11 AM
  • I don't recommend that, I recommend that you install a new machine and promote it as a DC instead.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Thursday, November 21, 2013 9:17 AM
  • Hi Christoffer,

    Removed AD from the failed server and it became a standalone server. Do you have any script to change the permissions on the folders and files?

    Thursday, November 21, 2013 1:06 PM
  • I'm not following, are you having a standalone server or a member server?

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Thursday, November 21, 2013 1:22 PM