Corrupt DC

[Henrik Johansson]

After a power failure the partition with NTDSlogs directory was corrupt for
a DC.
After fixing a new partition for that we runned ntdsutil and as we can see
everything looks ok (auth restore/recover/integrity-commands return
errorcode=0), but when rebooting into normal state it ends up with popup
about that lsass could not start->ok=reboot.
Have tried to copied NTDS-database/logs from another DC (same domain) with
same result.
Maybe some command in ntdsutil we missed, but I cannot find what it could
be.

Any idea about what to do?

Cannot run dcpromo to demote it from DC when booting into AD restore mode.
Is it possibly to force a server out of its "DC-believing" another way and
by that way re-promote it as DC?

 

[Guest]

Henrik,

This is not an easy process if it's the first time you've done it. First,
you need to do a metadata cleanup on a functional DC, preferably the PDC
emulator. See KB article 216498. This takes all the information about the
corrupt DC out of AD.

Next step is to boot the corrupt DC into AD Restore mode, and change the
value at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions\ProductType

from LanmanNT to ServerNT. Now the DC thinks it's a member server and will
boot into windows normally. At this point the machine thinks it's a member
server but it's still carrying all the backage from being a DC, the sysvol,
netlogon, etc. Disjoin the machine from your domain, DCPromo it up to a dummy
domain, such as mydomain.com, just make sure this has nothing to do with your
current domain, demote it gracefully and it will clear out the sysvol,
netlogon, etc. Now rejoin it to your domain as a member server and DCPromo it
back into your current domain.

Sounds like fun, doesn't it?

 

[Henrik Johansson]

Thanks for the info.
I try that out later.
/Henrik