Active Directory Forest got deleted

    Question

  • Hello everybody, I have a huge problem. I was trying to have two user desktops connected to a server that I use as a network drive. I logged in with the Administrator user and password on both of the computers at the same time and made the connection well (I didn't know I had to make the connections with the users' logins separately), and now all my Active Directory in my Domain Controller forest is gone; I don't know what happened. I actually cannot log into Windows Server 2003 (my DC) without logging into Directory Services Restore Mode.

    Whenever I try to do it the standard way there is a System Error:
    * Security Accounts Manager initialization failed because of the following error: Directory service cannot start. Error Status: 0xc00002e1. Please click OK to shutdown this system and reboot into Directory Services Restore Mode, check the event log for more detailed information.

    Does somebody know what happened, and how to solve this? I'm trying not to go crazy right now. Appreciate your time.

    Pancho

    • Moved by Tiger Li Monday, June 11, 2012 12:45 AM (From:Network Infrastructure Servers)
    Friday, June 08, 2012 8:43 PM

Answers

  • Without a backup, nothing can be done, and the backup you have can't be used as it is older than the TSL period. It's convenient to start fresh & now manage it properly. The link below contains references where you can get more information on the DS & its management.

    http://awinish.wordpress.com/2011/07/02/adgpoguides/


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Proposed as answer by Meinolf WeberMVP Friday, June 15, 2012 9:32 AM
    • Marked as answer by pan_gar Monday, June 18, 2012 1:47 PM
    Friday, June 15, 2012 9:05 AM
    Moderator

All replies

  • Hello,

    This has nothing to do with the client; that is just coexistence. The major problem is the domain controller here. Please check the following articles:

    http://support.microsoft.com/kb/258062
    http://support.microsoft.com/kb/240655
    http://support.microsoft.com/kb/830574

    Hopefully you have a current AD-aware backup from the DC, no image/clone/snapshot, at least a system state backup to restore the server.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Saturday, June 09, 2012 10:42 AM
  • Hi,

    Some possible solutions:
    1 - Try to restore from backup.
    2 - Reboot in DSRM, and try to perform a DB repair and/or clean the log files and .chk file.
    3 - If you have more than 1 DC for that network, you can force the demotion on the dead DC and perform metadata cleanup, then you can re-add the server again as an additional DC.

    First please check if you find any event error in Directory Services Restore Mode.

    In general, the problem can occur if the permissions on the NTDS and Sysvol folders are incorrect. You can try these steps to check.

    1. Reboot the server and press F8. Choose Directory Services Restore Mode from the menu.
    2. Check the physical location of the Winnt\NTDS\ folder.
    3. Check the permissions on the \Winnt\NTDS folder. The default permissions are:

    Administrators - Full Control
    System - Full Control

    4. Check the permissions on the Winnt\Sysvol\Sysvol share. The default permissions are:

    NTFS Permissions:
    Administrators - Full Control
    Authenticated Users - Read & Execute, List Folder Contents, Read
    Creator Owner - none
    Server Operators - Read & Execute, List Folder Contents, Read
    System - Full Control

    Note: You may not be able to change the permissions on these folders if the Active Directory database is unavailable because it is damaged; however, it is best to know if the permissions are set correctly before you start the recovery process, as it may not be the database that is the problem.

    5. Check the permissions on the root of the C:\ drive or the drive where the NTDS folder is located. Default NTFS permissions are:

    Everyone = Full Control

    Note: In some cases it may be necessary to add the Administrator and System accounts with Full Control.

    6. Make sure there is a folder in the Sysvol share labeled with the correct name for the domain.

    In addition, you can also refer to the following article for more information.

    258007 Error Message: Lsass.exe - System Error : Security Accounts Manager
    http://support.microsoft.com/?id=258007

    Regards,

    Yan Li


    Yan Li

    TechNet Community Support

    Monday, June 11, 2012 7:02 AM
    Moderator
  • What made you conclude that your AD forest is gone? Is it the only DC in the forest/domain, or do you have another? How many domains are there? It looks like the AD database is corrupted, & there can be numerous reasons for corruption, like abnormal shutdown of the DC, antivirus trying to lock the file during a scan, virus attack, etc.

    If you have a valid system state backup, then you can restore the AD database, but not with a backup past the TSL period. Try to perform semantic database analysis as well as offline defrag to see if it resolves the issue, followed by repair.

    http://support.microsoft.com/kb/232122

    http://support.microsoft.com/kb/315136

    http://www.petri.co.il/defragmenting-active-directory-database.htm


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, June 11, 2012 10:03 AM
    Moderator
  • Hi Awinish,

    I concluded that because when I open the Active Directory on the Domain Controller, the complete forest is gone: no Users, no Servers, no nothing. I have only one Domain Controller. I don't know what you mean by the TSL period. I already restored the server with an old backup that I have from a year ago, but it didn't do anything. I'm still trying to follow some of these Microsoft articles you guys have posted.

    I performed a Memcheck and it passed the test, so the memory should be working fine. Any other tip?

    Thanks for the reply.


    Pancho

    Tuesday, June 12, 2012 5:53 PM
  • Hello,

    TSL is tombstone lifetime, default 60 days up to 180 depending on the used OS version.

    If you don't have an AD-aware backup (which kind of backup have you used to restore, and how?), you are lost with a single DC in the domain.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Tuesday, June 12, 2012 6:28 PM
  • Hi Yan Li,

    Thanks for the reply, I've checked the permissions on the NTDS and Sysvol folders, and followed steps 1-6 and everything is just as you said. I do not have that error that you typed though (258007 Error Message: Lsass.exe - System Error : Security Accounts Manager).


    Pancho

    Wednesday, June 13, 2012 5:53 PM
  • Hi Meinolf,

    I'm sorry that I need to ask questions like that, but I'm not an IT professional; I'm just trying to help an organization that donates medical systems to third world countries for their hospitals.

    I appreciate a lot your help.

    So the last backup that I have is from 05/17/2011 over a year now.

    I followed the Backup/Restore wizard and checked the box with the System State... At the end of the restoring process the status was: Completed with skipped files. I opened the Event Log and found these errors:
     
    Event ID: 477
    Source: NTDS ISAM
    Description: NTDS (436) NTDSA:The log range read from the file: "C:\WINDOWS\NTDS\edb.log" at offset 4096(0x0000000000001000) for 843264(0x000cde00) bytes failed verification due to a range checksum mismatch. The read operation will fail with error -501(0xfffffe0b). If this condition persists then please restore the logfile from a previous backup.
     
    Event ID: 465
    Source: NTDS ISAM
    Description: NTDS (436) NTDSA: Corruption was detected during soft recovery in logfile C:C:\WINDOWS\NTDS\edb.log. The failing checksum record is located at position 8:0. Data not matching the log-file fill pattern first appeared in sector 1655. This logfile has been damaged and is unusable.
     
    Event ID: 300
    Source: NTDS ISAM
    Description: NTDS (436) NTDSA: The database engine is initianting recovery steps.
     
    Event ID: 452
    Source: NTDS ISAM
    Description: NTDS (436) NTDSA: Database C:\WINDOWS\NTDS\ntds.dit requires logfiles 573-573 in order to recover succesfully. Recovery could only locate logfiles starting at 583.
     
    Event ID: 454
    Source: NTDS ISAM
    Description: NTDS (436) NTDSA: Database recovery/rstore failed with unexpected error -543.
     
    Event ID: 1168
    Source: NTDS General
    Description: Internal error: An Active Directory error has occurred.
       Aditional Data
       Error value (decimal):
       -543
       Error value (hex):
       fffffde1
       Internal ID:
       40749
     
    Event ID: 1003
    Source: NTDS General
    Description: Active Directory could not be initialized.
       The operating system cannot recover from this error.
       User Action
          Restore the local domain controller from backup media.
       Additional Data
       Error value:
       -543 %2
     
    Other tests that have been performed, and their results:
     
    * Checksum @ntdsutil.exe
    Results: Operation terminated with error_1206 JET_errDatabaseCorrupted, Non database file or corrupted db
     
    * Integrity
    Results: Database is CORRUPTED
     
    * Semantic Database Analysis
        Semantic checker: Go
        Opening database Current.*** Error: DBInitializeJetDatabase failed with Jet Error     -543.
     
    As additional information, these are the files currently in C:\WINDOWS\NTDS\:
    edb00246.log
    edb.chk
    edb.log
    ntds.dit
    ntds.INTEG.RAW
    res1.log
    res2.log


    Pancho

    Wednesday, June 13, 2012 6:11 PM
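The NTDS ISAM events quoted in the post above carry the real diagnosis: event 452 says ntds.dit needs log generation 573 to recover, while the oldest log the engine could find is 583, and event 454 then fails with JET error -543 (JET_errRequiredLogFilesMissing), i.e. the restored database and the log files on disk come from different points in time. The following Python script is an added example for this thread, not code from the forum or from Microsoft: it parses the event text, translates the decimal generation numbers in the events into the hexadecimal file names ESE uses on disk (gen 582 is edb00246.log, which is why the listing's edb00246.log sits one before the 583 the event reports), and lists which log files are missing from the NTDS folder. The event strings and the directory listing are constructed from the post (retyped by the poster, so they are illustrative); the function names are the example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the NTDS ISAM event descriptions quoted in the
# thread and the C:\WINDOWS\NTDS directory listing the poster gave.
SAMPLE_EVENTS = [
    (477, 'NTDS (436) NTDSA: The log range read from the file: "C:\\WINDOWS\\NTDS\\edb.log" '
          'at offset 4096(0x0000000000001000) for 843264(0x000cde00) bytes failed verification '
          'due to a range checksum mismatch. The read operation will fail with error -501(0xfffffe0b).'),
    (465, 'NTDS (436) NTDSA: Corruption was detected during soft recovery in logfile '
          'C:\\WINDOWS\\NTDS\\edb.log. The failing checksum record is located at position 8:0.'),
    (452, 'NTDS (436) NTDSA: Database C:\\WINDOWS\\NTDS\\ntds.dit requires logfiles 573-573 in order '
          'to recover successfully. Recovery could only locate logfiles starting at 583.'),
    (454, 'NTDS (436) NTDSA: Database recovery/restore failed with unexpected error -543.'),
]
SAMPLE_LISTING = ["edb00246.log", "edb.chk", "edb.log", "ntds.dit",
                  "ntds.INTEG.RAW", "res1.log", "res2.log"]

# JET error codes seen in the thread. -543 is the one the recovery finally fails with.
JET_ERRORS = {
    -501: "JET_errLogFileCorrupt",
    -543: "JET_errRequiredLogFilesMissing",
    -1206: "JET_errDatabaseCorrupted",
}

LOG_NAME_RE = re.compile(r"^edb([0-9A-Fa-f]{5})\.log$")
EVENT_452_RE = re.compile(r"requires logfiles (\d+)-(\d+).*?locate logfiles starting at (\d+)", re.S)
JET_ERROR_RE = re.compile(r"error (-\d+)")


def log_name(generation: int) -> str:
    """ESE archives a log as edb + 5-digit HEX generation + .log (gen 582 -> edb00246.log)."""
    return f"edb{generation:05X}.log"


def generation_of(name: str) -> Optional[int]:
    """Inverse of log_name; edb.log (the current, unnumbered generation) yields None."""
    m = LOG_NAME_RE.match(name)
    return int(m.group(1), 16) if m else None


def parse_event_452(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (required_low, required_high, oldest_found) from an event 452 description."""
    m = EVENT_452_RE.search(text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def missing_log_files(required_low: int, oldest_found: int, listing: List[str]) -> List[str]:
    """Expected log file names from the first required generation up to the oldest one
    the engine located, minus anything actually present in the directory listing."""
    present = {generation_of(n) for n in listing}
    return [log_name(g) for g in range(required_low, oldest_found) if g not in present]


def triage(events: List[Tuple[int, str]], listing: List[str]) -> Dict:
    """Summarise a set of NTDS ISAM events into JET errors and the log-generation gap."""
    summary: Dict = {"jet_errors": [], "required": None, "found_from": None, "missing_logs": []}
    for event_id, text in events:
        for code in JET_ERROR_RE.findall(text):
            code = int(code)
            summary["jet_errors"].append((event_id, code, JET_ERRORS.get(code, "unknown")))
        if event_id == 452:
            parsed = parse_event_452(text)
            if parsed:
                low, high, found_from = parsed
                summary["required"] = (low, high)
                summary["found_from"] = found_from
                summary["missing_logs"] = missing_log_files(low, found_from, listing)
    return summary


def explain(summary: Dict) -> str:
    """Plain-language verdict a responder can act on."""
    if summary["required"] is None:
        return "No event 452 found; cannot determine the log generation gap."
    low, high = summary["required"]
    gap = summary["missing_logs"]
    if not gap:
        return "All log generations the database requires are present on disk."
    return (f"ntds.dit needs log generations {low}-{high} ({log_name(low)}..{log_name(high)}) "
            f"but the engine only found logs from generation {summary['found_from']}; "
            f"{len(gap)} archived log files are absent ({gap[0]}..{gap[-1]}). The database and "
            f"logs come from different points in time: restore ntds.dit and its logs together "
            f"from the same AD-aware (system state) backup.")


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS, SAMPLE_LISTING)
    for event_id, code, name in result["jet_errors"]:
        print(f"event {event_id}: JET error {code} ({name})")
    print(explain(result))
```

Run against the sample, the script reports events 477 and 454 as -501 and -543 and lists edb0023D.log through edb00245.log as the missing generations; on a real DC you would point it at the Application event log export and a `dir` of the NTDS folder. The useful point for a defender is that -543 is not "the database is destroyed" but "database and logs are out of step", which is exactly what a system state restore that lands ntds.dit next to newer logs produces.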
  • Does this below sound crazy or could it be ?

    Since I've got the database corrupted somehow, I was thinking if I can de-install the Domain Controller from the server, then re-install the DC again with the good files and then try to restore the server with the backup.bak I've got.


    Pancho

    Wednesday, June 13, 2012 9:08 PM
  • Hi,

    If the database is corrupted, kindly restore from a System State backup; otherwise you have to demote and promote again. We just came across this scenario.


    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

    Wednesday, June 13, 2012 9:44 PM
  • Hi Yan Li, can I have your email address or contact number to discuss a technical doubt?

    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

    Wednesday, June 13, 2012 9:49 PM
  • Hi,

    >Hi Yan Li, can I have your email address or contact number to discuss a technical doubt?

    I would like to suggest you post threads in the forums when you have issues, as there are many guys here who could help.

    If you want to get support by email or phone, please contact email or phone support (not free).

    Regards,

    Yan Li


    Yan Li

    TechNet Community Support

    Thursday, June 14, 2012 4:39 AM
    Moderator
  • Hello,

    "So the last backup that I have is from 05/17/2011 over a year now. "

    What kind of backup have you used, this is still not clear for me. System state backup or full server backup or some specific files only?


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Thursday, June 14, 2012 6:53 AM
  • Is it an SBS server? With a year-old backup it can't be used for the restoration of the AD, & I'm afraid nothing can be done. Either you go ahead & create everything from scratch, or contact Microsoft support to see if they can find any other way.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Thursday, June 14, 2012 7:11 AM
    Moderator
  • I did restore just the System State, so after I restarted the server... it couldn't log on to Windows, because of the System Error:

    lsass.exe - Directory Service cannot start. Error Status: 0xc00002e1. Please click OK to shutdown this system and reboot into Directory Services Restore Mode, check the event log for more detailed information.

    The errors that I found are listed above.


    Pancho

    Thursday, June 14, 2012 2:17 PM
  • I'm sorry Yan Li, I do have the lsass.exe - System Error that doesn't let me log in to Windows Server 2003.

    Pancho

    Thursday, June 14, 2012 2:21 PM
  • Hi Awinish,

    This is a Windows Server 2003. So can you please explain to me what happens with the backup file after the tombstone lifetime is reached? Or is it just that the Backup wizard cannot accept backup files that old? Thanks


    Pancho

    Thursday, June 14, 2012 2:39 PM
  • Hi

    Please use below link for explanation on Tombstone and restoration

    http://windocuments.net/activedirectorydisasterrecovery.html


    Hope it helps

    Best regards
    Sarang Tinguria
    MCP, MCSA, MCTS

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Thursday, June 14, 2012 2:45 PM
  • TSL is the Tombstone Lifetime, the period in days for which deleted objects such as users/computers/groups etc. will exist in the AD database before they are finally wiped. You can only restore deleted objects in the AD if it's within the TSL period. In short, TSL is the period after which an object will be permanently deleted from the AD database, & once it's been deleted it can't be restored by any backup or tool.

    If you attempt to restore a backup which is older than or past the TSL period, then there will be severe inconsistency in both the AD database & the environment.

    http://msmvps.com/blogs/ulfbsimonweidner/archive/2010/02/10/adjusting-the-tombstone-lifetime.aspx


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Thursday, June 14, 2012 2:51 PM
    Moderator
  • I get this now, thank you guys!

    So I don't have any other good option but to uninstall the Domain Controller from the server and then re-install it (so the Active Directory files are new and in good shape) and configure the entire network again... or do you think I could do something else?

    What do you recommend me to do?


    Pancho

    Thursday, June 14, 2012 10:09 PM
  • Without a backup, nothing can be done, and the backup you have can't be used as it is older than the TSL period. It's convenient to start fresh & now manage it properly. The link below contains references where you can get more information on the DS & its management.

    http://awinish.wordpress.com/2011/07/02/adgpoguides/


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Proposed as answer by Meinolf WeberMVP Friday, June 15, 2012 9:32 AM
    • Marked as answer by pan_gar Monday, June 18, 2012 1:47 PM
    Friday, June 15, 2012 9:05 AM
    Moderator
  • Thanks guys, I will start fresh now. You have to do what you have to do... right! Hope you have a great time!


    Pancho

    Monday, June 18, 2012 1:51 PM