Active Directory Forest got deleted
-
8 June 2012 20:43
Hello everybody, I have a huge problem. I was trying to have two user desktops connected to a server that I use as a network drive. I logged in with the Administrator user and password on both of the computers at the same time and made the connection fine (I didn't know I had to make the connections separately with the users' logins), and now all my Active Directory in my Domain Controller forest is gone; I don't know what happened. I actually cannot log into Windows Server 2003 (my DC) without logging into Directory Services Restore Mode.
Whenever I try to do it the standard way there is a System Error:
* Security Accounts Manager initialization failed because of the following error: Directory service cannot start. Error Status: 0xc00002e1. Please click OK to shutdown this system and reboot into Directory Services Restore Mode, check the event log for more detailed information.
Does somebody know what happened, and how to solve this? I'm trying not to go crazy right now. Appreciate your time.
Pancho
- Moved by Tiger Li (Moderator), 11 June 2012 0:45 (From: Network Infrastructure Servers)
All replies
-
9 June 2012 10:42
Hello,
this has nothing to do with the client; that is just coexistence. The major problem is the domain controller here. Please check the following articles:
http://support.microsoft.com/kb/258062
http://support.microsoft.com/kb/240655
http://support.microsoft.com/kb/830574
Hopefully you have a current AD-aware backup from the DC (no image/clone/snapshot), at least a system state backup, to restore the server.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
-
11 June 2012 7:02 (Moderator)
Hi,
Some possible solutions:
1 - Try to restore from backup.
2 - Reboot in DSRM, and try to perform a DB repair and/or clean the log files and .chk file.
3 - If you have more than 1 DC for that network, you can force the demotion on the dead DC and perform metadata cleanup, then you can re-add the server again as an additional DC.
First, please check if you find any event errors in Directory Services Restore Mode.
In general, the problem can occur if the permissions on the NTDS and Sysvol folders are incorrect. You can try these steps to check.
1. Reboot the server and press F8. Choose Directory Services Restore Mode from the menu.
2. Check the physical location of the Winnt\NTDS\ folder.
3. Check the permissions on the \Winnt\NTDS folder. The default permissions are:
Administrators - Full Control
System - Full Control
4. Check the permissions on the Winnt\Sysvol\Sysvol share. The default permissions are:
NTFS Permissions:
Administrators - Full Control
Authenticated Users - Read & Execute, List Folder Contents, Read
Creator Owner - none
Server Operators - Read & Execute, List Folder Contents, Read
System - Full Control
Note: You may not be able to change the permissions on these folders if the Active Directory database is unavailable because it is damaged; however, it is best to know if the permissions are set correctly before you start the recovery process, as it may not be the database that is the problem.
5. Check the permissions on the root of the C:\ drive or the drive where the NTDS folder is located. Default NTFS permissions are:
Everyone = full control
Note: In some cases it may be necessary to add the Administrator and System accounts with Full Control.
6. Make sure there is a folder in the Sysvol share labeled with the correct name for the domain.
In addition, you can also refer to the following article for more information.
258007 Error Message: Lsass.exe - System Error : Security Accounts Manager
http://support.microsoft.com/?id=258007
Regards,
Yan Li
TechNet Community Support
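The following script is an added example, not code from the reply above or from Microsoft. It automates checks 2 to 6 of that reply on a Windows Server 2003 DC booted into Directory Services Restore Mode, reading the real folder locations from the registry values NTDS and Netlogon use (so it also works when the install is C:\WINDOWS rather than \Winnt) and comparing the ACLs with the defaults the reply lists. It assumes PowerShell 2.0 is installed, that it runs as the local Administrator, and that you pass the domain's DNS name (the `-DomainDnsName` parameter is this example's own).

```powershell
# Added example (not from the thread). Checks 2-6 of the reply above, run in DSRM on
# Windows Server 2003. Assumes PowerShell 2.0 and the local Administrator account.
param(
    [Parameter(Mandatory = $true)]
    [string]$DomainDnsName   # assumed input, e.g. corp.example.org; step 6 looks for this folder under Sysvol
)

$ntdsParams     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# These registry values are what NTDS and Netlogon actually use; no need to guess \Winnt vs C:\WINDOWS.
$ditPath    = (Get-ItemProperty -Path $ntdsParams).'DSA Database file'        # ...\NTDS\ntds.dit
$logDir     = (Get-ItemProperty -Path $ntdsParams).'Database log files path'  # ...\NTDS
$sysvolRoot = (Get-ItemProperty -Path $netlogonParams).SysVol                 # ...\SYSVOL\sysvol (the share)
$ntdsDir    = Split-Path -Path $ditPath -Parent
$driveRoot  = [System.IO.Path]::GetPathRoot($ntdsDir)

Write-Host "Step 2: ntds.dit is at $ditPath, logs in $logDir, Sysvol share at $sysvolRoot"

function Test-FolderAcl {
    # Returns $true when every identity in $Wanted has an Allow ACE carrying at least those rights.
    # FileSystemRights is a flags enum, so Full Control satisfies a Read & Execute requirement.
    param([string]$Path, [hashtable]$Wanted)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "MISSING: $Path"; return $false }
    $ok    = $true
    $rules = (Get-Acl -LiteralPath $Path).Access
    foreach ($identity in $Wanted.Keys) {
        $want = [int][System.Security.AccessControl.FileSystemRights]$Wanted[$identity]
        $hit  = $rules | Where-Object {
            $_.IdentityReference.Value -eq $identity -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band $want) -eq $want
        }
        if ($hit) { Write-Host "  OK  $identity has $($Wanted[$identity]) on $Path" }
        else      { Write-Warning "ACE missing: $identity needs $($Wanted[$identity]) on $Path"; $ok = $false }
    }
    return $ok
}

# Step 3: NTDS folder defaults.
$ntdsOk = Test-FolderAcl -Path $ntdsDir -Wanted @{
    'BUILTIN\Administrators' = 'FullControl'
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
}

# Step 4: Sysvol share defaults (Creator Owner "none" is not asserted, only the required entries are).
$sysvolOk = Test-FolderAcl -Path $sysvolRoot -Wanted @{
    'BUILTIN\Administrators'           = 'FullControl'
    'NT AUTHORITY\Authenticated Users' = 'ReadAndExecute'
    'BUILTIN\Server Operators'         = 'ReadAndExecute'
    'NT AUTHORITY\SYSTEM'              = 'FullControl'
}

# Step 5: drive root. The reply's remedy is Administrators and System with Full Control, so that is
# what is asserted here; the full ACL is printed so you can compare the rest by eye.
$rootOk = Test-FolderAcl -Path $driveRoot -Wanted @{
    'BUILTIN\Administrators' = 'FullControl'
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
}
(Get-Acl -LiteralPath $driveRoot).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize | Out-Host

# Step 6: the share must contain a folder named after the domain.
$domainDir = Join-Path -Path $sysvolRoot -ChildPath $DomainDnsName
$domainOk  = Test-Path -LiteralPath $domainDir
if ($domainOk) { Write-Host "  OK  $domainDir exists" }
else {
    Write-Warning "No folder named $DomainDnsName under $sysvolRoot. Folders present:"
    Get-ChildItem -LiteralPath $sysvolRoot | ForEach-Object { Write-Warning "    $($_.Name)" }
}

if ($ntdsOk -and $sysvolOk -and $rootOk -and $domainOk) {
    Write-Host 'Permissions and layout match the defaults; the folders are not the problem.'
} else {
    Write-Warning 'At least one check failed; fix it before attempting a database repair.'
}
```

Running it as `.\Check-NtdsLayout.ps1 -DomainDnsName corp.example.org` prints one OK or warning per ACE, then a verdict. A clean result here is what the later replies in this thread assume before they move on to the database itself.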
-
11 June 2012 10:03 (Moderator)
What made you conclude that your AD forest is gone? Is it the only DC in the forest/domain, or do you have another? How many domains are there? It looks like the AD database is corrupted, and there can be numerous reasons for corruption, like an abnormal shutdown of the DC, antivirus trying to lock the file during a scan, a virus attack, etc.
If you have a valid system state backup, then you can restore the AD database, but not with a backup past the TSL period. Try to perform a semantic database analysis as well as an offline defrag to see if it resolves the issue, followed by a repair.
http://support.microsoft.com/kb/232122
http://support.microsoft.com/kb/315136
http://www.petri.co.il/defragmenting-active-directory-database.htm
Awinish Vishwakarma - MVP - Directory Services
My Blog: awinish.wordpress.com
Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
-
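The reply above and the three KB articles it links describe an offline sequence: integrity check, semantic database analysis, offline defragmentation, and repair only as the last resort. The script below is an added example, not the reply author's or Microsoft's code, that runs those steps in that order on a Windows Server 2003 DC booted into DSRM (where the database is offline, which ntdsutil requires). It assumes PowerShell 2.0, the local Administrator account, and the Server 2003 ntdsutil syntax (no `activate instance ntds`, which only Server 2008 and later need). The `-WorkDir` scratch location and the `-AllowLossyRepair` switch are this example's own conventions.

```powershell
# Added example (not from the thread): offline ESE checks in the KB order, for
# Windows Server 2003 in DSRM. Assumes PowerShell 2.0 and local Administrator.
param(
    [string]$WorkDir = 'C:\ntds-repair',   # assumed scratch path; needs free space >= size of ntds.dit
    [switch]$AllowLossyRepair              # esentutl /p discards unrecoverable data; last resort only
)

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ditPath = (Get-ItemProperty -Path $ntdsParams).'DSA Database file'
$logDir  = (Get-ItemProperty -Path $ntdsParams).'Database log files path'
$ditDir  = Split-Path -Path $ditPath -Parent
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'

function Invoke-NtdsUtil {
    # One ntdsutil command per array element; multi-word commands stay as a single element.
    param([string[]]$Commands)
    $text = & ntdsutil.exe $Commands 2>&1 | Out-String
    Write-Host $text
    return $text
}

# 0. Keep an untouched copy of the database, logs and checkpoint before changing anything.
$snapshot = Join-Path -Path $WorkDir -ChildPath "before-$stamp"
New-Item -ItemType Directory -Path $snapshot -Force | Out-Null
Copy-Item -Path (Join-Path $ditDir '*') -Destination $snapshot -Force
Copy-Item -Path (Join-Path $logDir '*') -Destination $snapshot -Force
Write-Host "Original NTDS files copied to $snapshot"

# 1. Physical integrity of ntds.dit (page checksums). Integrity comes before any defrag.
$integrity = Invoke-NtdsUtil -Commands @('files', 'integrity', 'quit', 'quit')
if ($integrity -notmatch 'Integrity check successful') {
    if (-not $AllowLossyRepair) {
        Write-Warning 'Integrity check failed. Restore from a valid system state backup if you have one;'
        Write-Warning 'rerun with -AllowLossyRepair only if no usable backup exists.'
        exit 1
    }
    # Last resort: esentutl /p rebuilds the database and drops whatever it cannot salvage.
    # It shows a confirmation dialog on Server 2003. Old logs and the checkpoint must go afterwards.
    & esentutl.exe /p $ditPath /o
    Remove-Item -Path (Join-Path $logDir '*.log') -Force -ErrorAction SilentlyContinue
    Remove-Item -Path (Join-Path $ditDir 'edb.chk') -Force -ErrorAction SilentlyContinue
}

# 2. Logical (semantic) consistency of the directory contents, fixing what it can.
$semantic = Invoke-NtdsUtil -Commands @('semantic database analysis', 'go fixup', 'quit', 'quit')
if ($semantic -match 'Error:') { Write-Warning 'Semantic analysis reported errors; review the output above.' }

# 3. Offline defragmentation writes a fresh, compacted ntds.dit; the original is left in place.
$compactDir = Join-Path -Path $WorkDir -ChildPath "compact-$stamp"
New-Item -ItemType Directory -Path $compactDir -Force | Out-Null
$compact = Invoke-NtdsUtil -Commands @('files', "compact to $compactDir", 'quit', 'quit')
if ($compact -notmatch 'Operation completed successfully') {
    Write-Warning 'Compaction failed; the original ntds.dit was not touched.'
    exit 1
}

# 4. Swap in the compacted copy, remove the now-stale logs, and verify once more.
Copy-Item -Path (Join-Path $compactDir 'ntds.dit') -Destination $ditPath -Force
Remove-Item -Path (Join-Path $logDir '*.log') -Force
$verify = Invoke-NtdsUtil -Commands @('files', 'integrity', 'quit', 'quit')
if ($verify -match 'Integrity check successful') {
    Write-Host 'Database passes integrity; reboot normally. If lsass still fails, what remains is restore or rebuild.'
} else {
    Write-Warning "Still failing. Put the files from $snapshot back before trying anything else."
}
```

The ordering matters: defragmentation only rewrites pages that already pass their checksums, so running `compact to` against a database that fails `integrity` cannot help, and `esentutl /p` is deliberately gated behind a switch because it is the one step that can silently lose directory data.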
12 June 2012 17:53
Hi Awinish,
I concluded that because when I open the Active Directory on the Domain Controller, the complete forest is gone: no users, no servers, no nothing. I have only one Domain Controller. I don't know what you mean by the TSL period. I already restored the server with an old backup that I have from a year ago, but it didn't do anything. I'm still trying to follow some of the Microsoft articles you guys have posted.
I performed a memcheck and it passed the test, so the memory should be working fine. Any other tip?
Thanks for the reply.
Pancho
-
12 June 2012 18:28
Hello,
TSL is the tombstone lifetime, default 60 days up to 180 depending on the OS version used.
If you don't have an AD-aware backup (which kind of backup have you used to restore, and how?), you are lost with a single DC in the domain.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
-
13 June 2012 17:53
Hi Yan Li,
Thanks for the reply. I've checked the permissions on the NTDS and Sysvol folders and followed steps 1-6, and everything is just as you said. I do not have that error that you typed, though (258007 Error Message: Lsass.exe - System Error : Security Accounts Manager).
Pancho
-
13 June 2012 18:11
Hi Meinolf,
I'm sorry that I need to ask questions like that, but I'm not an IT professional; I'm just trying to help an organization that donates medical systems to hospitals in third-world countries.
I appreciate a lot your help.
So the last backup that I have is from 05/17/2011 over a year now.
I followed the Backup/Restore wizard and checked the box with the System State... At the end of the restoring process the status was: Completed with skipped files. I opened the Event Log and found these errors:
Event ID: 477
Source: NTDS ISAM
Description: NTDS (436) NTDSA: The log range read from the file: "C:\WINDOWS\NTDS\edb.log" at offset 4096(0x0000000000001000) for 843264(0x000cde00) bytes failed verification due to a range checksum mismatch. The read operation will fail with error -501(0xfffffe0b). If this condition persists then please restore the logfile from a previous backup.
Event ID: 465
Source: NTDS ISAM
Description: NTDS (436) NTDSA: Corruption was detected during soft recovery in logfile C:\WINDOWS\NTDS\edb.log. The failing checksum record is located at position 8:0. Data not matching the log-file fill pattern first appeared in sector 1655. This logfile has been damaged and is unusable.
Event ID: 300
Source: NTDS ISAM
Description: NTDS (436) NTDSA: The database engine is initiating recovery steps.
Event ID: 452
Source: NTDS ISAM
Description: NTDS (436) NTDSA: Database C:\WINDOWS\NTDS\ntds.dit requires logfiles 573-573 in order to recover successfully. Recovery could only locate logfiles starting at 583.
Event ID: 454
Source: NTDS ISAM
Description: NTDS (436) NTDSA: Database recovery/restore failed with unexpected error -543.
Event ID: 1168
Source: NTDS General
Description: Internal error: An Active Directory error has occurred.
Additional Data
Error value (decimal): -543
Error value (hex): fffffde1
Internal ID: 40749
Event ID: 1003
Source: NTDS General
Description: Active Directory could not be initialized.
The operating system cannot recover from this error.
User Action
Restore the local domain controller from backup media.
Additional Data
Error value: -543 %2
Other tests that have been performed, and their results:
* Checksum (in ntdsutil.exe)
Results: Operation terminated with error -1206 JET_errDatabaseCorrupted, Non database file or corrupted db
* Integrity
Results: Database is CORRUPTED
* Semantic Database Analysis
Semantic checker: Go
Opening database Current.*** Error: DBInitializeJetDatabase failed with Jet Error -543.
As additional information, these are the files I currently have in C:\WINDOWS\NTDS\:
edb00246.log
edb.chk
edb.log
ntds.dit
ntds.INTEG.RAW
res1.log
res2.log
Pancho
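The events in the post above tell the story on their own once the ESE error codes and log numbering are decoded: 477 and 465 say edb.log failed its checksum, 452 says recovery needs log generation 573 but can only find generations from 583 onward, and 454 turns that into -543. The script below is an added example (not the poster's or Microsoft's code) that does this decoding. It assumes PowerShell 2.0 on the DC; the messages in `$sampleMessages` are constructed to mirror the shape of those four events so the script runs offline, and the `-FromEventLog` switch is this example's own way of reading the real "Directory Service" log instead.

```powershell
# Added example (not from the thread): triage of NTDS ISAM (ESE) events such as the
# 477/465/452/454 entries posted above. Assumes PowerShell 2.0 on the DC.
param([switch]$FromEventLog)

# ESE (Jet) error codes that appear in this thread.
$eseErrors = @{}
$eseErrors[-501]  = 'JET_errLogReadVerifyFailure: a log file failed its checksum'
$eseErrors[-543]  = 'JET_errRequiredLogFilesMissing: log generations needed for recovery are gone'
$eseErrors[-1206] = 'JET_errDatabaseCorrupted: ntds.dit itself is damaged'

# Constructed sample messages, modelled on the events in the post above (not copied from a live log).
$sampleMessages = @(
    'NTDS (436) NTDSA: The log range read from the file: "C:\WINDOWS\NTDS\edb.log" at offset 4096(0x0000000000001000) for 843264(0x000cde00) bytes failed verification due to a range checksum mismatch. The read operation will fail with error -501(0xfffffe0b).',
    'NTDS (436) NTDSA: Corruption was detected during soft recovery in logfile C:\WINDOWS\NTDS\edb.log. The failing checksum record is located at position 8:0. This logfile has been damaged and is unusable.',
    'NTDS (436) NTDSA: Database C:\WINDOWS\NTDS\ntds.dit requires logfiles 573-573 in order to recover successfully. Recovery could only locate logfiles starting at 583.',
    'NTDS (436) NTDSA: Database recovery/restore failed with unexpected error -543.'
)

function Get-EseLogFileName {
    # ESE numbers log generations in hex: generation 573 lives in edb0023D.log, 582 in edb00246.log.
    param([int]$Generation)
    return ('edb{0:X5}.log' -f $Generation)
}

function Read-EseEvent {
    # Pulls the error code and, for event 452, the log-generation gap out of one message.
    param([string]$Message)
    $result = @{ Error = $null; Diagnosis = 'informational, no ESE error code'; MissingLogs = @() }
    if ($Message -match 'error (-\d+)') {
        $code = [int]$Matches[1]
        $result.Error = $code
        if ($eseErrors.ContainsKey($code)) { $result.Diagnosis = $eseErrors[$code] }
        else { $result.Diagnosis = "ESE error $code (not in this script's table)" }
    }
    if ($Message -match 'requires logfiles (\d+)-(\d+) .* only locate logfiles starting at (\d+)') {
        $needLo = [int]$Matches[1]; $needHi = [int]$Matches[2]; $found = [int]$Matches[3]
        for ($g = $needLo; $g -le $needHi; $g++) {
            if ($g -lt $found) { $result.MissingLogs += Get-EseLogFileName -Generation $g }
        }
        $result.Error = -543   # the condition ESE then reports as JET_errRequiredLogFilesMissing
        $result.Diagnosis = "log gap: recovery needs generations $needLo-$needHi but the oldest present is $found"
    }
    return $result
}

$messages = $sampleMessages
if ($FromEventLog) {
    $messages = Get-EventLog -LogName 'Directory Service' -Source 'NTDS ISAM' -Newest 50 |
        ForEach-Object { $_.Message }
}

$gap = $false
foreach ($m in $messages) {
    $r = Read-EseEvent -Message $m
    Write-Host ('{0,6}  {1}' -f $r.Error, $r.Diagnosis)
    if ($r.MissingLogs.Count -gt 0) {
        $gap = $true
        Write-Host ('        missing log files: ' + ($r.MissingLogs -join ', '))
    }
}
if ($gap) {
    Write-Host 'Soft recovery cannot replay the missing generations; ntdsutil integrity and semantic checks keep failing with -543.'
    Write-Host 'Options: restore a system state backup newer than the tombstone lifetime, or accept data loss with esentutl /p.'
}
```

For the sample input the script reports that edb0023D.log (generation 573) is required and absent while the oldest log present is 583, which is why every ntdsutil check in the post stops at -543 before it ever gets to examine the database contents.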
-
13 June 2012 21:08
Does this sound crazy, or could it be done?
Since I've got the database corrupted somehow, I was thinking whether I could uninstall the Domain Controller from the server, then reinstall the DC again with good files, and then try to restore the server with the backup.bak I've got.
Pancho
-
13 June 2012 21:44
Hi,
If the database is corrupted, kindly restore from the System State backup; otherwise you have to demote and promote again. We just came across this scenario.
This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
-
13 June 2012 21:49
Hi Yan Li, can I have your email address or contact number to discuss a technical doubt?
-
14 June 2012 4:39 (Moderator)
Hi,
> Hi Yan Li, can I have your email address or contact number to discuss a technical doubt?
I would like to suggest you post a thread in the forums when you have issues, as there are many people here who could help.
If you want support by email or phone, please contact email or phone support (not free).
Regards,
Yan Li
TechNet Community Support
-
14 June 2012 6:53
Hello,
"So the last backup that I have is from 05/17/2011, over a year now."
What kind of backup have you used? This is still not clear to me. A system state backup, a full server backup, or some specific files only?
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
-
14 June 2012 7:11 (Moderator)
Is it an SBS server? A year-old backup can't be used for the restoration of AD, and I'm afraid there is nothing that can be done. Either you go ahead and create everything from scratch, or contact Microsoft support to see if they can find any other way.
Awinish Vishwakarma - MVP - Directory Services
My Blog: awinish.wordpress.com
-
14 June 2012 14:17
I did restore just the System State, so after I restarted the server it couldn't log on into Windows, because of the System Error:
lsass.exe - Directory Service cannot start. Error Status: 0xc00002e1. Please click OK to shutdown this system and reboot into Directory Services Restore Mode, check the event log for more detailed information.
The errors that I found are listed above.
Pancho
-
14 June 2012 14:21
I'm sorry Yan Li, I do have the lsass.exe - System Error that doesn't let me log in to Windows Server 2003.
Pancho
-
14 June 2012 14:39
Hi Awinish,
This is a Windows Server 2003. So can you please explain to me what happens with the backup file after the tombstone lifetime is reached? Or is it just that the Backup wizard cannot accept backup files that old? Thanks
Pancho
-
14 June 2012 14:45
Hi,
Please use the link below for an explanation of tombstones and restoration:
http://windocuments.net/activedirectorydisasterrecovery.html
Hope it helps.
Best regards
Sarang Tinguria
MCP, MCSA, MCTS
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
-
14 June 2012 14:51 (Moderator)
TSL is the tombstone lifetime, the period in days for which deleted objects such as users/computers/groups etc. will exist in the AD database before they are finally wiped. You can only restore deleted objects in AD if it's within the TSL period. In short, TSL is the period after which an object will be permanently deleted from the AD database, and once it's been deleted it can't be restored by any backup or tool.
If you attempt to restore a backup which is older than or past the TSL period, there will be severe inconsistency in both the AD database and the environment.
http://msmvps.com/blogs/ulfbsimonweidner/archive/2010/02/10/adjusting-the-tombstone-lifetime.aspx
Awinish Vishwakarma - MVP - Directory Services
My Blog: awinish.wordpress.com
-
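To turn the tombstone-lifetime explanation above into a concrete check, the script below is an added example (not the reply author's or Microsoft's code) that reads the forest's tombstoneLifetime from the Configuration partition and reports whether a system state backup taken on a given date is still inside it. It assumes PowerShell 2.0 and that AD is reachable (run it on a working DC or any domain-joined machine, not in DSRM, where the directory is offline); `-BackupDate` is this example's own parameter, and 2011-05-17 is the date mentioned in the thread.

```powershell
# Added example (not from the thread): is a backup of a given date still inside the
# forest tombstone lifetime? Assumes PowerShell 2.0 and an online directory.
param([Parameter(Mandatory = $true)][datetime]$BackupDate)   # e.g. '2011-05-17'

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime lives on CN=Directory Service,CN=Windows NT,CN=Services,<configuration NC>.
    # When the attribute is absent the forest uses the built-in default of 60 days; forests created
    # with Windows Server 2003 SP1 or later have it set explicitly (180).
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value    = $dsObject.Properties['tombstoneLifetime'].Value
    if ($value) { return [int]$value }
    return 60
}

function Test-BackupWithinTombstoneLifetime {
    # A backup older than the TSL cannot be restored safely: it would reintroduce objects whose
    # tombstones have already been purged (lingering objects), and the restore tools refuse it.
    param([datetime]$Taken, [int]$LifetimeDays, [datetime]$Now = (Get-Date))
    $ageDays = [int][math]::Floor(($Now - $Taken).TotalDays)
    return @{ AgeDays = $ageDays; LifetimeDays = $LifetimeDays; Usable = ($ageDays -lt $LifetimeDays) }
}

$tsl     = Get-TombstoneLifetimeDays
$verdict = Test-BackupWithinTombstoneLifetime -Taken $BackupDate -LifetimeDays $tsl
Write-Host "Tombstone lifetime: $($verdict.LifetimeDays) days; backup age: $($verdict.AgeDays) days"
if ($verdict.Usable) { Write-Host 'Backup is inside the tombstone lifetime and can be used for an AD restore.' }
else { Write-Host 'Backup is older than the tombstone lifetime; a restore from it is not supported.' }
```

For the thread's situation (a backup from 05/17/2011 examined in June 2012) the age comes out near 390 days, far beyond either the 60- or 180-day value, which is the arithmetic behind the "start from scratch" advice that follows.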
14 June 2012 22:09
I get this now, thank you guys!
So I don't have any other good option but to uninstall the Domain Controller from the server and then re-install it (so the Active Directory files are new and in good shape) and configure the entire network again... or do you think I could do something else?
What do you recommend me to do?
Pancho
-
15 June 2012 9:05 (Moderator)
Without a backup, nothing can be done, and the backup you have can't be used as it is older than the TSL period. It's convenient to start fresh and now manage it properly. The link below contains references where you can get more information on DS and its management.
http://awinish.wordpress.com/2011/07/02/adgpoguides/
Awinish Vishwakarma - MVP - Directory Services
My Blog: awinish.wordpress.com
- Proposed as answer by Meinolf Weber (MVP), 15 June 2012 9:32
- Marked as answer by pan_gar, 18 June 2012 13:47
-
18 June 2012 13:51
Thanks guys, I will start fresh now. You have to do what you have to do, right? Hope you have a great time!
Pancho