nsdsutil can't find database?

B

banana

Whenever I boot-up my Windows 2000 SP2 server (& PDC and Exchange Server) I
get a pop-up error

"lsass.exe - System Error
"Directory Services could not start because of the following error: The
system cannot find the file specified. Error Status=0xc000000F. Please click
OK to shutdown this system and reboot into Directory Service Restore Mode,
check the event log for more detailed information"

I then boot into DS Repair Mode and look at EventLog->Directory Service I get
2 errors. The first error is
Source: NTDS General. ID: 1168 ("Error -1811(fffff8ed( has occurred (Internal
ID 4042b). Please contact Microsoft Product Support for assistance"

The 2nd one is:
Source: NTDS General. ID: 1003 ("The Windows Directory Service database could
not be initialized and returned error -1811. Unrecoverable erro, the
directory can't continue"

Also, starting ntdsutil from the start->run as recommended in notes on the MS
KnowledgeBase in order to effect a recovery. Whenever I type "files" or
"semantic database analysis" into ntdsutil I get the error "Operation only
allowed when booted in DS Repair mode - set SAFEBOOT_OPTION=DSREPAIR to
override - NOT RECOMENEDED!".

As I'm sure I'm in DS Repair Mode I fire up a command prompt and set this env
and start ntdsutil and type "semantic database analysis" followed by "go" and
in response get

"Opening database [Current]. *** Error: DBInitializeJetDatabase failed with
[system database not found]."

I have in my C:\WINNT\ntds directory the files:
edb.chk
edb.log
ntds.dit
temp.edb


Can anyone tell me how to progress this issue please. Many thanks.
 
B

banana

As another clue if I go into ntdsutil and file "files" then "recover" the
following appears:

**** Error: 0x3 (The system cannot find the path specified.) finding first
match of "d:\WINNT\NTDS\*"
"Executing command: c\winnt\system32\esentutl.exe /r /8 /o /l"d:\WINNT\NTDS"
/s"C:\WINNT\NTDS" /!10240

"Inititating RECOVERY mode...
Log files: d:\WINNT\NTDS
System Files: C:\WINNT\NTDS

"Performing soft recovery...Operation terminated with error -1811
(JET_errFileNotFound. File not found) after 0.235 seibds,"

If I then exit ntdsutil and execute
c\winnt\system32\esentutl.exe /r /8 /o /l"c:\WINNT\NTDS" /s"C:\WINNT\NTDS" /!
10240

Then the recovery process works. However I still can't reboot normally
without the error in the post above.

Also I cannot access my D:\ drive whilst in this DS Restore Mode.
 
J

Jorge Silva

Hi

It seems Database corruption.


Some possible solutions:


*Solution1:

Perform restore operation to resolve the issue with your lastest Systate
BACKUPS.



*Solution 2:
In case this is not the only DC in the domain, you can simply rebuild it.
At the same time, you will need to perform the steps below before
re-promoting the server:

1. Seize FSMO roles to the existing DC in the domain. For the detailed
steps, you can refer to the following Microsoft Knowledge Base article:

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/?id=255504

2. Remove remnant entries of the corrupted DC from AD database.

How to remove data in Active Directory after an unsuccessful domain
controller demotion
http://support.microsoft.com/?id=216498

3. Then, you can re-promote the server



*Solution 3:

If this is the only DC, you can use ntdsutil.exe to repair AD database
ntds.dit. However it might not completely resolve the issue. In some
situation, certain configurations will be lost.

"Directory Services cannot start" error message when you start your
Windows-based or SBS-based domain controller
http://support.microsoft.com/?id=258062

How to complete a semantic database analysis for the Active Directory
database by using Ntdsutil.exe
http://support.microsoft.com/default.aspx?scid=kb;en-us;315136

Additional Information
Exchange Server 2003 Disaster Recovery Operations Guide

http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/disrecopgde.mspx

Disaster Recovery Tips and Tricks

http://www.petri.co.il/disaster_recovery.htm
Windows 2003 Disaster Recovery Best Practices for the MCSE
http://www.mcpmag.com/features/article.asp?EditorialsID=452

*Solution 3:

You may try the following steps to recover the corrupted Active Directory,
but I cannot guarantee the outcome.

1. Reboot the server and press F8. Choose Directory Services Restore Mode
from the Menu.
2. Check the physical location of the Winnt\NTDS\ folder.
3. Check the permissions on the \Winnt\NTDS folder.



The default permissions are:

Administrators - Full Control
System - Full Control

4. Check the Winnt\Sysvol\Sysvol folder to make sure it is shared.
5. Check the permissions on the Winnt\Sysvol\Sysvol share.



The default permissions are:

Share Permissions:
Administrators - Full Control
Authenticated Users - Full Control
Everyone - Read

NTFS Permissions:
Administrators - Full Control
Authenticated Users - Read & Execute, List Folder Contents, Read
Creator Owner - none
Server Operators - Read & Execute, List Folder Contents, Read
System - Full Control

Note: You may not be able to change the permissions on these folders if the
Active Directory database is unavailable because it is damaged, however it
is best to know if the permissions are set correctly before you start the
recovery process, as it may not be the database that is the problem.

6. Make sure there is a folder in the Sysvol share labeled with the correct
name for their domain.
7. Open a command prompt and run NTDSUTIL to verify the paths for the
NTDS.dit file. These should match the physical structure from Step 2

To check the file paths type the following commands:

NTDSUTIL <enter>
Files <enter>
Info <enter>

The output should look similar to:

Drive Information:

C:\ NTFS (Fixed Drive) free (2.9 Gb) total (3.9 Gb)
D:\ NTFS (Fixed Drive) free (3.6 Gb) total (3.9 Gb)

DS Path Information:

Database : C:\WINNT\NTDS\ntds.dit - 10.1 Mb
Backup dir: C:\WINNT\NTDS\dsadata.bak
Working dir: C:\WINNT\NTDS
Log dir : C:\WINNT\NTDS - 30.0 Mb total
res2.log - 10.0 Mb
res1.log - 10.0 Mb
edb.log - 10.0 Mb

This information is pulled directly from the registry and mismatched paths
will cause Active Directory not to start. Type Quit to end the NTDSUTIL
session.

8. Rename the edb.chk file and try to boot to Normal mode. If that fails,
proceed with the next steps.

9. Reboot into Directory Services Restore mode again. At the command prompt,
use the ESENTUTL to check the integrity of the database.
NOTE: You can use NTDSUTIL to check the Integrity, however esentutl is
usually more reliable.

Type the following command:
ESENTUTL /g "<path>\NTDS.dit" /!10240 /8 /v /x /o <enter>
(Note: Type the path without the quotes).

Note: The default path would be C:\Winnt\NTDS\ntds.dit; however it may be
different in some cases.

The output will tell you if the database is inconsistent and may produce a
jet_error 1206 stating that the database is corrupt. If the database is
inconsistent or corrupt it will need to be recovered or repaired . To
recover the database type the following at the command prompt:

NTDSUTIL <enter>
Files<enter>
Recover <enter>

If this fails with an error, type quit until back at the command prompt and
repair the database using ESENTUTL by typing the following:

ESENTUTL /p "<path>\NTDS.dit" /!10240 /8 /v /x /o <enter>
(Note: Type the path without the quotes).

Note: If you do not put the switches at the end of the command you will
most likely get a Jet_error 1213 "Page size mismatch" error.

10. Delete the log files in the NTDS directory, but do not delete or move
the ntds.dit file.
11. The NTDSUTIL tool needs to be run again to check the Integrity of the
database and to perform a Semantic Database analysis.

To check the integrity, at the command prompt type:

NTDSUTIL <enter>
Files <enter>
Integrity <enter>

The output should tell you that the integrity check completed successfully
and prompt that you should perform a Semantic Database Analysis.

Type quit.

To perform the Semantic Database Analysis type the following at the NTDSUTIL
Prompt type:

Semantic Database Analysis <enter>
Go <enter>

The output will tell you that the Analysis completed successfully.
Type quit and closes the command prompt.

NOTE: If you get errors running the Analysis then type the following at the
semantic checker prompt:

semantic checker: go fix <enter>

This puts the checker in Fixup mode, which should fix whatever errors there
were.

12. Reboot the server to Normal Mode.

If any of these steps fail to recover the database the only alternative is
to perform an Authoritative System State restore from backup in Directory
Services Restore mode.

For more information, please refer to the following articles:

315136 HOW TO: Complete a Semantic Database Analysis for the Active
Directory
http://support.microsoft.com/?id=315136

265706 DCDiag and NetDiag in Windows 2000 Facilitate Domain Join and DC
Creation
http://support.microsoft.com/?id=265706

258007 Error Message: Lsass.exe - System Error : Security Accounts Manager
http://support.microsoft.com/?id=258007

265089 Event 1168: Windows 2000 DCs Unable to Boot into Active Directory
http://support.microsoft.com/?id=265089

315131 HOW TO: Use Ntdsutil to Manage Active Directory Files from the
Command
http://support.microsoft.com/?id=315131

I hope the above information helps.


--
I hop that helps

Good Luck
Jorge Silva
MCSA
Systems Administrator
 
S

shafi

Hi

This seems that your AD Database is corrupted. Active Directory
will not starts if its Database is corrupted. For this reboot your
server in DSRM and perform authoritative restore using NTDSUTIL if you
have taken successfull full file backup of NTDS.DIT earlier. Otherwise
you can copy and paste NTDS.DIT in its orginal location so the old
corrupded database will be overwritten.

If possible delete all the log files inside the NTDS folder after
restoring NTDS.DIT. Reboot your server in normal mode. I am 99.9% sure
that it will works!!!

Otherwise you follow disaster recovery procedures to rebuid your
DC.

Thanks & Regards
Shafi.H
 
S

shafi

shafi said:
*Hi

This seems that your AD Database is corrupted. Active Directory
will not starts if its Database is corrupted. For this reboot your
server in DSRM and perform authoritative restore using NTDSUTIL if
you have taken successfull full file backup of NTDS.DIT earlier.
Otherwise you can copy and paste NTDS.DIT in its orginal location so
the old corrupted database will be overwritten.

If possible delete all the log files inside the NTDS folder after
restoring NTDS.DIT. Reboot your server in normal mode. I am 99.9%
sure that it will works!!!

Otherwise you follow disaster recovery procedures to rebuid your
DC.

Thanks & Regards
Shafi.H *
 
J

Jorge de Almeida Pinto [MVP]

if the database is screwed for some reason and you still have other DCs in
the domain (even if you don't) you should do a NON-AUTHORITATIVE RESTORE
using a valid and backup/restore mechanism/tool

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
 
B

banana via WinServerKB.com

OK I don't have a backup and I don't have other DCs in the domain.

Is the best option to (as one contributor wrote) "copy and paste NTDS.DIT in
its orginal location". What does this mean? Find another NTDS.DIT file from
somewhere?

As the file is a Jet database - should i use the repair facility offered by
ntdsutil?

I'll also have a read of the Knowledge Base articles in the first reply. The
DC contains an exchange server which I want to get back - could that be lost
by AD recovery (or maybe non-recovery).

Finally what configuration is in AD that I might lose?

Thanks
 
S

shafi

Jorge said:
if the database is screwed for some reason and you still have
other DCs in
the domain (even if you don't) you should do a NON-AUTHORITATIVE
RESTORE
using a valid and backup/restore mechanism/tool

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

-----------------------------------------------------------

Yes you are correct!! If you have a valid backup means there is a
option for non authoritative restore and i mean that copy your recent
backuped NTDS.DIT file and place it from its orginal location of same
server.

If you had not taken a valid system state backup means there is no
option for RESTORE!!!
There is only one option to REBUILD your DC.

Cheers
Shafi.H
 
J

Jorge de Almeida Pinto [MVP]

copy the NTDS.DIT file from a backup???

the supported way is to restore the BACKUP (system state at least).

don't copy the NTDS.DIT file as will not work as it should!

either you have other DCs OR you have a backup for that DC. If you don't
have either.... then you are in trouble and need to rebuild

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
shafi said:
if the database is screwed for some reason and you still have
other DCs in
the domain (even if you don't) you should do a NON-AUTHORITATIVE
RESTORE
using a valid and backup/restore mechanism/tool

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

-----------------------------------------------------------

Yes you are correct!! If you have a valid backup means there is a
option for non authoritative restore and i mean that copy your recent
backuped NTDS.DIT file and place it from its orginal location of same
server.

If you had not taken a valid system state backup means there is no
option for RESTORE!!!
There is only one option to REBUILD your DC.

Cheers
Shafi.H

 
J

Jorge Silva

Hi

Did you tryed to follow the Solution 3 that I gave you?

--
I hop that helps

Good Luck
Jorge Silva
MCSA
Systems Administrator
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top