NTDS.DIT database corruption error!

    Question

  • Hi all,

    I have two domain controllers.

    Primary domain controller=MASCRP1XVDP2.MEDALLCORP.IN =10.200.2.26

    Additional domain controller=MASCRP1XVDP1.MEDALLCORP.IN=10.200.2.24

    All FSMO roles are placed on the primary domain controller. Now, I saw one event related to NTDS.DIT database corruption on my primary domain controller, and "ntds.dit" has a lock symbol on my primary domain controller while "ntds.dit" is without a lock symbol on the additional domain controller. The primary domain controller was previously restored from a system state backup on January-04-2012. What can I do to rectify the database corruption error? Please see the attached screen captures in SkyDrive. Please advise. Thanks in advance.

    NTDS Error


    Dhakshinamoorthy Balasubramanian


    Wednesday, April 25, 2012 1:17 PM

Answer

  • Hi Dhakshinamoorthy,

    Set AnnounceFlags to 5 on the PDC role holder server. To do this, follow these steps:

    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
    2. In the right pane, right-click AnnounceFlags, and then click Modify.
    3. In Edit DWORD Value, type 5 in the Value data box, and then click OK.  

    Once done, you need to restart the time service. Please check this link, as mentioned before, for detailed info.

    Configuring the Windows Time service to use an external time source

    http://support.microsoft.com/kb/816042


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.


    Wednesday, May 2, 2012 12:57 AM

All replies

  • Hello,

    For a semantic AD database check, see http://support.microsoft.com/kb/315136 and http://technet.microsoft.com/en-us/library/cc770715(v=ws.10).aspx


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Wednesday, April 25, 2012 1:25 PM
  • Have you checked the directory service event log for any warnings or errors? Also ensure that the ntds/sysvol folder is excluded from AV scans. You can check the integrity of the AD database; refer to the link below: http://support.microsoft.com/kb/258062

    Best Regards,

    Sandesh Dubey.


    Wednesday, April 25, 2012 1:41 PM
  • For performing semantic analysis, you can refer to the link posted by Meinolf, but my question is: did you exclude the AD database from scanning by antivirus software? If not, in future exclude the Sysvol and Ntds folders from scanning to avoid corruption due to locking of the file during a scan.

    You can also consider performing offline defragmentation; it might help you by rearranging the indices.

    Performing offline defragmentation of the Active Directory database http://support.microsoft.com/default.aspx?scid=kb;[LN];232122


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, April 25, 2012 1:43 PM
    Moderator
  • Hello,

    You can proceed like others mentioned by performing:

    • A semantic database check
    • Temporarily disabling the security software you have on this DC
    • Performing an offline defragmentation

    If this does not help and your second DC is a GC server, you can proceed like this:

    • Transfer FSMO roles to the second DC
    • Demote the faulty DC
    • Promote again the demoted DC and make it a DNS and GC server
    • Transfer FSMO roles back to the new DC

    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.   

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Wednesday, April 25, 2012 1:53 PM
  • Hi,

    I did the following,

    1. I transferred all roles to MASCRP1XVDP1.MEDALLCORP.IN=10.200.2.24

    2. Demoted MASCRP1XVDP2.MEDALLCORP.IN=10.200.2.26

    3. Ran metadata cleanup

    4. Now the PDC is MASCRP1XVDP1.MEDALLCORP.IN=10.200.2.24 with all FSMO roles and DNS/GC server

    5. I introduced a new additional domain controller MASCRP1XVDP3.MEDALLCORP.IN=10.200.2.22

    Now, I want to check both domain controllers' health status. Here I attached the dcdiag and repadmin results. Please check and advise. Thanks in advance.

     Domain Reports

    Kindly check for me. Let me know if any update is needed.


    Dhakshinamoorthy Balasubramanian

    Friday, April 27, 2012 6:05 PM
  • Hello,

    The dcdiag from the ADC is incomplete, and the one from the PDC contains lots of hard disk errors from the event viewer and is also incomplete.


    Best regards

    Meinolf Weber

    Saturday, April 28, 2012 8:32 AM
  • From the repadmin replsum output there is no replication issue between the DCs; also, the dcdiag does not report any error besides a warning message related to the HDD: "An error was detected on device \Device\Harddisk2\DR8 during a paging operation" on server MASCRP1XVDP1. Please check the system event log for the detailed error. Have a look at the link below; it may be helpful.
    http://www.eventid.net/display.asp?eventid=51&eventno=793&source=Disk&phase=1

    Also, since you have transferred the FSMO roles, configure an authoritative time server on the PDC role holder server; below is the KB article: http://support.microsoft.com/kb/816042

    To configure an NTP client: http://www.ehow.com/how_5981545_configure-windows-ntp-client.html

    Please also make sure that UDP port 123 in the direction of the chosen NTP server is not blocked.

    For other domain computers / servers, make sure that they are using NT5DS for time sync. More here: http://support.microsoft.com/kb/223184

    Hope this helps


    Best Regards,

    Sandesh Dubey.


    Saturday, April 28, 2012 8:55 AM
  •  Hi Sandesh Dubey and all,

    PDC configured as an authoritative time server. Now time service having no issue.

    Thanks to All.

     PDC as authoritative time server:

    *This document describes the PDC time server on a Windows Server 2008 R2 Enterprise 64-bit domain controller

    1. On the primary domain controller, go to Regedit

    2. Back up the registry before you modify it

    3. Go to the key=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time

    4. Go to Parameters

    Modify the Type value from NT5DS to NTP.

    Modify the Ntp server value from “time.windows.com,0x9” to “time.nist.gov,0x9”

    5. Then restart the Windows Time service and resync.

    6. Do a ping check for time.nist.gov


    Dhakshinamoorthy Balasubramanian


    Monday, April 30, 2012 4:09 PM
  • You mentioned that you have configured authoritative and then you mentioned How can I make my PDC as authoritative time server?

    Anyways ensure that below parameters are set correctly on PDC server.

    Make sure that below parameters are set correctly on PDC Server.
    1. Change the server type to NTP
    2. Set AnnounceFlags to 5
    3. Enable NTPServer
    4. Specify the time sources, e.g. time.windows.com,0x1
    5. Configure other parameters as well.

    Configure an authoritative time server on the PDC role holder server; below is the KB article for the same.
    http://support.microsoft.com/kb/816042


    Best Regards,

    Sandesh Dubey.


    Monday, April 30, 2012 4:32 PM
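
A read-only way to confirm the settings listed in the reply above, as an added example that is not part of any poster's message: the PowerShell below compares the W32Time registry values with those named in the thread, shows what the running service reports, and probes each configured peer over NTP on UDP 123. The function and variable names are illustrative; the registry paths and `w32tm` switches are the standard ones.

```powershell
# Added example (not from the thread): read-only audit of the W32Time values
# discussed above. Run elevated on the PDC emulator role holder.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Expected values, as listed in the reply above.
$expected = @(
    @{ Key = 'Parameters';              Name = 'Type';          Want = 'NTP' },
    @{ Key = 'Config';                  Name = 'AnnounceFlags'; Want = 5 },
    @{ Key = 'TimeProviders\NtpServer'; Name = 'Enabled';       Want = 1 }
)

function Test-W32TimeValue {
    param([string]$Key, [string]$Name, $Want)
    # A missing key or value is reported as a failed check, not an exception.
    $item = Get-ItemProperty -Path (Join-Path $base $Key) -Name $Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.$Name } else { $null }
    New-Object PSObject -Property @{
        Setting = "$Key\$Name"; Actual = $actual; Want = $Want
        OK = ($null -ne $actual -and "$actual" -eq "$Want")
    }
}

$results = @(foreach ($e in $expected) { Test-W32TimeValue @e })

# NtpServer is a space-separated peer list, each entry "host,0xFLAGS".
$params = Get-ItemProperty -Path (Join-Path $base 'Parameters') -ErrorAction SilentlyContinue
$ntp = $params.NtpServer
$peers = @("$ntp" -split '\s+' | Where-Object { $_ })
$results += New-Object PSObject -Property @{
    Setting = 'Parameters\NtpServer'; Actual = $ntp
    Want = 'at least one peer'; OK = ($peers.Count -gt 0)
}
$results | Select-Object Setting, Actual, Want, OK | Format-Table -AutoSize

# What the running service reports (registry edits apply after a restart).
w32tm /query /status
w32tm /query /source

# Probe each peer over NTP (UDP 123) without changing the local clock.
foreach ($p in $peers) {
    $server = ($p -split ',')[0]
    w32tm /stripchart "/computer:$server" /samples:3 /dataonly
}
```
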
  • Hi sandesh,

    Except for the announce flags value, all the rest are correct. Kindly check this value and let me know if any update is needed.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\Config


    Dhakshinamoorthy Balasubramanian

    Monday, April 30, 2012 5:15 PM
  • Hello,

    Normally there is no need to modify the registry in detail to set the time configuration. w32tm from the command line is everything you need by default. Or do you have such specific requirements for configuring the time for your domain?

    http://msmvps.com/blogs/mweber/archive/2010/06/27/time-configuration-in-a-windows-domain.aspx

    See also the NOTE in http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx stating:

    "Many of the values in the W32Time section of the registry are used internally by W32Time to store information. These values should not be manually changed at any time. Do not modify any of the settings in this section unless you are familiar with the setting and are certain that the new value will work as expected. The following registry entries are located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\"


    Best regards

    Meinolf Weber

    Wednesday, May 2, 2012 6:52 AM
  • Hi sandesh dubey,

    Today we had a power-down issue in my office. At that time only the ADC was working; the PDC went down. The PDC holds all FSMO roles, GC and DNS server. But at that time no CNAME records were working in the LAN. After powering up the PDC, all CNAME records are working. I need your support. I attached screenshots in SkyDrive. Please have a look at this and advise.

    DCDIAG /TEST:DNS RESULT:


    Dhakshinamoorthy Balasubramanian

    Monday, May 7, 2012 12:11 PM
  • From the log, the IP addresses 203.145.184.13 and 203.145.184.32 could not be resolved. Ensure that they are the correct forwarders, since for the DNS forwarders it is showing A timeout occured during.... If they are not required, remove them and run the test again.


    Best Regards,

    Sandesh Dubey.


    Tuesday, May 8, 2012 7:27 AM
  • Hi sandesh,

    Thanks for the reply. I deleted those two DNS forwarders. Still, I can see one error related to the "glue record" of an old domain controller.

    mascrp1xvdp2.medallcorp.in and mascrp1vx1.medallcorp.in are old demoted domain controller entries. How can I resolve the "Glue record error" associated with mascrp1vx1? Please see the attached screenshots in SkyDrive.

    Attachments

    Current Domain Controllers:

    MASCRP1XVDP1.medallcorp.in=Primary Domain Controller

    MASCRP1XVDP3.medallcorp.in=Additional Domain Controller


    Dhakshinamoorthy Balasubramanian



    Tuesday, May 8, 2012 2:06 PM