AD Disaster Recovery - ntdsutil permission denied

Guest

We have had a massive crash of the HDD on our DC. There are no other DCs left
in the domain. We have gone through the disaster recovery options of
restoring the system state from backup, F8 for AD recovery mode. When we try
to run ntdsutil recover database we get a jetdbinitializefailure (or
something similar) permission denied error. (I have checked permissions of
the ntds folder, systemroot and root for Administrator and System.)

Any help appreciated. Will save us hours in building a new AD.
TIA
 
Jorge_de_Almeida_Pinto

If you have a backup of the DC, why not just restore the system disk
and the system state? That should do it.
 
nitin

Hi,

I would suggest you go ahead and repromote your DC as the previous domain.
If you want to restore the backup of the previous domain, make sure you
have the same configuration of the DC as the previous DC, like:
same domain name
same partition space
same drivers of other devices

and then restore the system state backup of the domain,

and it will work for you.
 
Guest

nitin,

I've restored the crashed DC from backup; however, the administrator account is
the only account allowed to log on. I restored the C:\ drive and system state.
All operation master roles and GC are enabled on that machine. In the AD console
I can see all the restored accounts but can't use any to log in. Any idea? The
steps I followed to restore are:

1. Install Server 2003
2. Run ntbackup to restore C:\ and system state
3. Modify 'BurFlags' registry key since the restoration is done on
different hardware.
4. Reboot
5. Try to log in to the restored domain using any domain account (fail).
Login using administrator account will be accepted
7. Seize operation master roles
8. Verify GC
9. Verify AD console accounts

Are there any other steps I'm missing?! Help please
 
nitin

Hi,

First, by default nobody is allowed to logon to the DC.

If you want to allow others to logon to the DC,
then follow these steps:

Click on Start --> click on Run

Type dsa.msc

Right-click on Domain Controllers on the left side

Click on Properties
Click on the Group Policy tab

Select Default Domain Controllers Policy
Click on Edit

Expand Computer Configuration
Expand Windows Settings
Expand Security Settings
Expand Local Policies
Click on User Rights Assignment

Then on the right side
locate "Allow logon locally"
and add those users whom you want to give rights to logon
locally on the domain controller

Reboot the domain controller

and then see if others can logon to the domain controller or not
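
Added example, not part of the thread: one way to check which accounts actually hold "Allow logon locally" (SeInteractiveLogonRight) on the DC once the policy has applied, and to flag holders outside the built-in operator groups. The function name, the baseline table and the sample SIDs are assumptions made for this illustration.

```powershell
# Added example (not from the thread): list who holds SeInteractiveLogonRight
# on this machine and mark entries outside an assumed baseline.

# Assumption: built-in groups you expect to hold the right on a DC; adjust to your baseline.
$Expected = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-548' = 'Account Operators'
    'S-1-5-32-549' = 'Server Operators'
    'S-1-5-32-550' = 'Print Operators'
    'S-1-5-32-551' = 'Backup Operators'
}

function Get-UserRightHolder {   # hypothetical helper name
    param([string[]] $InfLines, [string] $Right = 'SeInteractiveLogonRight')
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }          # right not defined in the export
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        $sid = $null; $name = $entry     # SIDs are exported as *S-1-...; names may appear bare
        if ($entry.StartsWith('*')) {
            $sid = $entry.Substring(1)
            try {
                $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $name = '<unresolved>' }   # deleted account or name lookup failed
        }
        [pscustomobject]@{
            Sid      = $sid
            Name     = $name
            Baseline = [bool]($sid -and $Expected.ContainsKey($sid))
        }
    }
}

if (Get-Command secedit.exe -ErrorAction SilentlyContinue) {
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null   # needs an elevated prompt
    $lines = Get-Content $cfg
} else {
    # Constructed sample of an exported [Privilege Rights] section (SIDs are made up)
    $lines = '[Privilege Rights]',
             'SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1105'
}
Get-UserRightHolder -InfLines $lines | Sort-Object Baseline | Format-Table -AutoSize
```

Rows with Baseline = False are the accounts or groups granted interactive logon on the DC beyond the assumed built-in set, which is the list to review after editing the policy.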
 
