Corrupt Active Directory User

Marc Michaels

A strange problem occurred today. I'll try to provide as much detail
as I can.

On entering AD Users and Computers we receive the following error:
Data from Users is not available from Domain Controller

AD Users and Computers then opens, but the Users folder is "empty".
If we right click the users container and select "refresh" we receive
the same error.

All other containers work fine.

In ADSI edit, the CN=Users folder is also "empty". When we try to
access it, we get the error: One or more input parameters are invalid.

In ADSI edit, I was able to add a new query. I used criteria like
this:
(&(objectCategory=user)(userPrincipalName=a*))

The query worked fine for all of my accounts with userPrincipalName
starting with "a".

I ran through every letter of the alphabet and all of them worked
except for "g", where I received the error: One or more input
parameters are invalid.

I was then able to deduce the SPECIFIC account that was causing the
error. Indeed it is only one account. Something is corrupt with it.
However, I can't access it to check its parameters or even delete the
user account outright.

I can further back this up by entering Microsoft Exchange 5.5 ESM
recipients container. All recipients' properties show up fine except
for the account in question. When I double click the specific user's
exchange account, I get the error: Unable to contact the global
catalog server.

In summary, it looks like I'll be able to fix my "empty users
container" problem by removing this user. Can anyone make any
recommendations as to how I should proceed?
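The letter-by-letter narrowing described above can be automated. The following PowerShell script is an added example, not code from the original poster: it runs the same kind of LDAP filter against the Users container and, whenever a query throws instead of returning, extends the prefix one character at a time until it has the longest prefix that still fails. The container DN is a placeholder, and the script assumes a domain-joined machine with System.DirectoryServices available.

```powershell
# Added diagnostic example (not from the original thread): find the object
# that breaks a container listing by narrowing an LDAP filter prefix by
# prefix, the way the poster did by hand in ADSI Edit. A query that throws
# (rather than returning zero results) marks a prefix covering the
# unreadable object. $SearchBase below is a placeholder DN.
param(
    [string]$SearchBase = 'LDAP://CN=Users,DC=example,DC=com',  # placeholder
    [string]$Attribute  = 'userPrincipalName',
    [int]$MaxDepth      = 12
)

# Characters a UPN is likely to contain; extend if your naming differs.
$Alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789.-_@'.ToCharArray()

function Escape-LdapValue {
    # RFC 4515 escaping so a literal placed in a filter cannot alter its meaning.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Test-LdapPrefix {
    # $true when the query for this prefix completes, $false when the
    # directory refuses it (the "input parameters are invalid" failure).
    param([string]$Prefix)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $searcher.Filter      = "(&(objectCategory=user)($Attribute=$(Escape-LdapValue $Prefix)*))"
    $null = $searcher.PropertiesToLoad.Add('distinguishedName')
    try {
        $results = $searcher.FindAll()
        foreach ($r in $results) { }   # force full enumeration; paging errors surface here
        $results.Dispose()
        return $true
    } catch {
        Write-Verbose "Prefix '$Prefix' failed: $($_.Exception.Message)"
        return $false
    }
}

function Find-BrokenPrefixes {
    # Depth-first narrowing: extend a failing prefix by one character and keep
    # only the extensions that still fail. When no extension fails, the current
    # prefix is the longest failing one and is reported.
    param([string]$Prefix, [int]$Depth)
    $failing = foreach ($c in $Alphabet) {
        $candidate = $Prefix + $c
        if (-not (Test-LdapPrefix $candidate)) { $candidate }
    }
    if (-not $failing -or $Depth -ge $MaxDepth) {
        [pscustomobject]@{ Attribute = $Attribute; FailingPrefix = $Prefix }
        return
    }
    foreach ($f in $failing) { Find-BrokenPrefixes -Prefix $f -Depth ($Depth + 1) }
}

# The empty prefix is the whole-container query, which fails in the poster's
# case; narrowing starts from there.
if (Test-LdapPrefix '') {
    Write-Host "Listing $SearchBase succeeds; nothing to narrow."
} else {
    Find-BrokenPrefixes -Prefix '' -Depth 0 | Format-Table -AutoSize
}
```

Run it with `-Verbose` to see each failing query's error text. The reported prefix is only as long as the characters in `$Alphabet` allow; if the affected value contains something outside that set, the output stops at the last character it could match, which is still enough to identify the account.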
 
Cary Shultz [A.D. MVP]

Marc,

This is the default USERS container, not an OU that you have created,
correct?

And, the standard question - what is going on with DNS? To what DNS Server
do all of your clients (and DCs are clients as well) point?

This happens when you are logged on directly to the DC (meaning, sitting
right in front of it physically) and opening the ADUC MMC from there? What
happens if you try this from a WIN2000 Workstation that has the ADMINPAK
installed? Does this happen when logged on directly to any other DC? Do
you have TS in Remote Admin Mode installed? What if you do that?

Are there any EventIDs in the log files?

Cary
 
Marc Michaels

Shew...fixed it. Details of my tribulation follow for the benefit of
others:

1) Rebooted server in DS Repair mode

NTDSUtil
2) Tried authoritative restore of defective account - failed
3) Integrity check - runs through, finds errors with database
4) Recover database - failed
5) Repair database (uh oh) - failed
--at this point nothing runs....
6) Integrity check - fails...doesn't run

Reboot server
7) Directory Service fails to start.
8) System forces me to reboot and recommends I go into repair mode to
fix the problem (now we're in serious trouble).
9) Server boots into DS repair mode.

NTDSUtil
10) Attempt authoritative restore of database - failed

ESENTUTL - THIS WAS THE KEY TO FIXING IT
11) At the command prompt, we ran:
esentutl /p "c:\winnt\ntds\ntds.dit" /!10240 /8 /v /x /o
12) Esentutl completes successfully
13) Removed all ntds log files

NTDSUtil
14) Database integrity check successful
15) Removed ntds log files created by integrity check

16) Rebooted server
17) All systems back online. Corrupt AD account is now gone.
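The offline repair steps in the post, collected into one script as an added example (this is not the poster's own script). It copies the database, transaction logs and checkpoint aside before esentutl /p touches anything, stops on the first failing command so a failed repair never proceeds to log deletion, and runs the integrity check afterwards. It must be run in Directory Services Restore Mode. The paths follow the post (c:\winnt\ntds) and the ntdsutil invocation is the Windows 2000/2003 command-line form; both are assumptions for any other installation.

```powershell
# Added example (not the poster's script): the offline repair sequence from
# the post, with a backup of the pre-repair files taken first. Run only in
# Directory Services Restore Mode. Paths and the ntdsutil form are assumptions
# taken from the post's Windows 2000 environment.
param(
    [string]$NtdsDir   = 'C:\winnt\ntds',
    [string]$BackupDir = "C:\ntds-backup-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
)
$ErrorActionPreference = 'Stop'
$dit = Join-Path $NtdsDir 'ntds.dit'
if (-not (Test-Path $dit)) { throw "Database not found: $dit" }

function Invoke-Step {
    # Runs one external command and aborts on a non-zero exit code, so a
    # failed repair is never followed by log deletion.
    param([string]$Name, [scriptblock]$Command)
    Write-Host "==> $Name"
    & $Command
    if ($LASTEXITCODE -ne 0) { throw "$Name failed with exit code $LASTEXITCODE" }
}

function Remove-NtdsLogs {
    # Transaction logs (*.log) and the checkpoint (*.chk) no longer match the
    # database once esentutl /p or the integrity check has run; the post
    # removed the logs at both points.
    Get-ChildItem -Path (Join-Path $NtdsDir '*') -Include '*.log', '*.chk' |
        Remove-Item -Force
}

# 1. Preserve the current database, logs and checkpoint so the repair can be undone.
New-Item -ItemType Directory -Path $BackupDir | Out-Null
Get-ChildItem -Path (Join-Path $NtdsDir '*') -Include 'ntds.dit', '*.log', '*.chk' |
    Copy-Item -Destination $BackupDir
Write-Host "Pre-repair copy written to $BackupDir"

# 2. Offline repair with the exact switches from the post (/p = repair; the
#    remaining switches set cache size, 8 KB page size, verbose output, no banner).
Invoke-Step 'esentutl /p' { esentutl /p $dit /!10240 /8 /v /x /o }

# 3. Discard logs and checkpoint that predate the repair.
Remove-NtdsLogs

# 4. Integrity check. Windows 2000/2003 form; Windows Server 2008 and later
#    need "activate instance ntds" before "files".
Invoke-Step 'ntdsutil integrity' { ntdsutil files integrity quit quit }

# 5. The check writes fresh logs; the post removed those too before rebooting.
Remove-NtdsLogs

Write-Host "Repair finished. Keep $BackupDir until the directory is verified healthy, then reboot normally."
```

esentutl /p is a lossy repair: it drops pages it cannot reconstruct, which is why the corrupt account "is now gone" afterwards. Where a known-good system state backup of the DC exists, restoring it is the safer route; the backup directory this script creates is there so the pre-repair state can still be put back if the repaired database turns out to be unusable.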