Directory Service cannot start. Error status: 0xc00002e1 ......).

    Question

  • I have a crash in one of our Additional DCs, it contains a
    very important software so I have to restore it from an image, when I did so it
    can't boot with an error (Security Account Manager initialization failed because
    of the following error: Directory Service cannot start. Error status:
    0xc00002e1 ......). I'm getting the same error even with F8 then, Directory
    Service Restore mode or Safe Mode. The good thing is that I managed to move all
    FSMO to the other DC and as well I Metaclean this server, so my Active
    directory is functioning normally and I have no problem if there is a way to
    force demoting this server. Note; I have SS backup but I don't know how to
    restore it since my server is not booting.


    Tuesday, March 13, 2012 12:59 PM

All replies

  • Try referring to the links below to understand this and to troubleshoot this problem.

    http://support.microsoft.com/kb/258062

    http://kb.acronis.com/content/1802

    Also there is a hotfix from Microsoft for this. Check the link below, which might help you.

    http://support.microsoft.com/kb/830574

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, March 13, 2012 1:16 PM
  • Foremost, restoring a domain controller either using snapshot or images is not recommended and it can break your AD by injecting USN rollback issues. Since you have already seized the FSMO role, perform the metadata cleanup from the working DC. Never connect this DC back in the live environment as you have seized the FSMO role to other DC. Configure new DC as GC and DNS and point the clients/apps to the new DC for the DNS.

    Also, make sure new DC holding the PDC FSMO role is also a time server.

    Remove References of a Failed DC/Domain Or Perform Metadata Cleanup

    http://awinish.wordpress.com/2011/05/08/metadata-cleanup-of-a-domain-controller/

    Windows Time Server Role in AD Forest/Domain

    http://awinish.wordpress.com/2011/10/07/time-server-role-in-forestdomain/


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, March 13, 2012 1:53 PM
  • Hi,

    One thing I want to remind you of is that Active Directory is only supported from a System State backup. Active Directory does not support any method that restores a snapshot, whether it's Ghost, Acronis image, etc. of the operating system or the volume the operating system resides on.

    You said that you have already transferred the FSMO and performed metadata cleanup.

    What is the next requirement? It's not clear from your post.

    If you want to remove failed DC objects from AD, you need to manually delete the failed DC entries from DNS, Sites and Services and ADUC.

    Once you are done with above, repromote the server as a Domain controller.

    Note: If the RID, Schema, or Domain Naming FSMOs are seized, then the original domain controller must not be activated in the forest again. It is necessary to reinstall Windows if these servers are to be used again.


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Tuesday, March 13, 2012 1:54 PM
  • Thanks all for your response,

    Actually I have other two DCs and my AD is functioning well.

    This DC which crashed is not connected to the network anymore, and I need a way to demote it because I have a very important SW which we need, so I will lose it if I install fresh Windows.

    I can't login using F8 to Directory Service Restore mode nor Safe Mode (same above message)!

    Note; I have System State backup but I don't know how to restore it since my server is not booting.

    Best Regards,

    Hashim

    Tuesday, March 13, 2012 2:36 PM
  • Hi,

    Now it's clear.

    As the problem DC is not booting in DSRM, it's recommended to connect to a healthy DC and perform metadata cleanup to remove failed DC objects from AD. Also manually delete the failed DC entries from DNS, Sites and Services and ADUC.

    For Metadata cleanup, follow this: http://msmvps.com/blogs/mweber/archive/2010/05/16/active-directory-metadata-cleanup.aspx

    Once you are done with the above you can reinstall the OS on the failed DC and promote it as a DC/GC/DNS.

    Ensure the healthy DC is configured as GC and the new PDC role owner as an authoritative time server: http://support.microsoft.com/kb/816042

    Also ensure the domain members are pointing to online/healthy DC for DNS name resolution.


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.



    Tuesday, March 13, 2012 2:47 PM
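
A read-only check for the leftovers that post lists (DNS, Sites and Services, ADUC) plus FSMO ownership, as an added example that is not part of the thread. It assumes the ActiveDirectory PowerShell module and `Resolve-DnsName` are available on a healthy DC or admin workstation; `DC03` is a hypothetical name for the failed DC.

```powershell
# Added example: run on a healthy DC or an admin workstation with RSAT.
# 'DC03' is a hypothetical placeholder for the failed domain controller.
Import-Module ActiveDirectory

$FailedDc = 'DC03'
$Domain   = Get-ADDomain
$Forest   = Get-ADForest
$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$findings = @()

# 1. No FSMO role may still point at the failed DC.
$roles = @{
    SchemaMaster         = $Forest.SchemaMaster
    DomainNamingMaster   = $Forest.DomainNamingMaster
    PDCEmulator          = $Domain.PDCEmulator
    RIDMaster            = $Domain.RIDMaster
    InfrastructureMaster = $Domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    if ($r.Value -like "$FailedDc.*") {
        $findings += "FSMO $($r.Key) still held by $($r.Value)"
    }
}

# 2. Server object left under CN=Sites (Active Directory Sites and Services).
$findings += @(Get-ADObject -SearchBase "CN=Sites,$ConfigNC" `
        -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))" |
    ForEach-Object { "Site server object: $($_.DistinguishedName)" })

# 3. Computer account left in the domain (ADUC).
$findings += @(Get-ADComputer -LDAPFilter "(cn=$FailedDc)" |
    ForEach-Object { "Computer object: $($_.DistinguishedName)" })

# 4. DC locator SRV records in DNS that still name the failed DC.
$srvName = "_ldap._tcp.dc._msdcs.$($Domain.DNSRoot)"
$findings += @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.NameTarget -like "$FailedDc.*" } |
    ForEach-Object { "SRV record: $($_.Name) -> $($_.NameTarget)" })

if ($findings.Count -gt 0) { $findings } else { "No references to $FailedDc found." }
```

Every line it prints is an object or record that still needs to be removed by hand before a server with the same name is promoted again.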
  • Thanks Mr. Abhijit,

    It seems my goal is still not fully clear to you. If I reinstall Windows I will not be able to use the important software inside, so I have to reinstall it, which will lead to losing its activation. So I need a way to just force demote the existing server without losing installed Windows nor software inside.

    Thanks,

    Hashim   

    Tuesday, March 13, 2012 3:25 PM
  • Hi,

    If you are not able to boot in DSRM, safe as well as in normal mode then it's very difficult. For normal demotion or promotion, DC needs to be online and contact other DC.

    I do not see any other option for you except metadata cleanup, re-installation and re-promotion.

    Else, to resolve the BSOD error, post the question in the Setup Deployment forum: http://social.technet.microsoft.com/Forums/da-DK/winserversetup/threads

    Once you are able to login, you can restore system state but again if FSMOs are seized then no option.

    Note: If the RID, Schema, or Domain Naming FSMOs are seized, then the original domain controller must not be activated in the forest again. It is necessary to reinstall Windows if these servers are to be used again.


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.


    Tuesday, March 13, 2012 3:38 PM
  • You will not be able to reconnect this DC back to network as you have already seized FSMO role and even restoring this DC will not work because the FSMO role has been seized.

    You could have done something if you had not seized the FSMO role, but now it's too late. If you don't remember the DSRM mode password then I guess you don't have a choice left.


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, March 13, 2012 3:40 PM
  • Agreed with others, if you are not able to login to DSRM mode it will be difficult to remove the AD role. I would recommend checking with other admins or the admin who installed the DC, since the DSRM mode password is set during DC promotion, or check the documentation of DC promotion if any is kept for reference.

    Once you are able to login to the DC you can remove the AD role and promote the server back as DC or use it as a member server.

    However it is strongly not recommended to install applications on a DC. I would recommend in future to separate the role from the DC.

    Note: since you have seized the role and done metadata cleanup, you just need to remove the AD role once you login to the server.


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Tuesday, March 13, 2012 9:09 PM
  • I know the DSRM mode password, but the problem is that it is not booting to this mode (same above error as booting to other modes).

    I can boot to the WIN CD in Recovery mode, so is there any set of commands to demote in this way?

    Regards,

    Hashim

    Wednesday, March 14, 2012 6:31 AM
  • Hashim,

    AFAIK, I don't think you can demote a DC using Win CD.

    Moreover, I believe you are trying to demote the DC on which FSMO roles were already seized. You cannot bring it back to the domain.

    There are only two ways to demote a domain controller forcefully.

    1. Using Dcpromo /forceremoval

    2. DSRM mode

    Refer to the link below.

    http://blogs.technet.com/b/asiasupp/archive/2006/09/06/454327.aspx

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, March 14, 2012 6:46 AM
  • Hi,

     
    Please try to perform a non-authoritative restore.

    For details:

    Performing a Nonauthoritative Restore of a Domain Controller
    http://technet.microsoft.com/en-us/library/cc784922(WS.10).aspx

    Hope this helps!

    Best Regards
    Elytis Cheng

    TechNet Community Support

    Wednesday, March 14, 2012 8:40 AM
  • If you are not able to boot in DSRM mode I would also recommend performing a non-authoritative restore.

    Refer to the links below to perform a non-authoritative restore.

    http://sandeshdubey.wordpress.com/2011/10/09/authoritative-non-authoritative-restore-in-windows2008/

    http://technet.microsoft.com/en-us/library/cc784922(v=ws.10).aspx

    Ensure that it is not connected to the production environment since you have seized the FSMO role. Once you are able to login to DSRM mode remove the AD role.

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Thursday, March 15, 2012 12:29 AM