July 20, 2008 01:48am pdt

1. TechSoEasy 810,807
2. RobWill 522,996
3. KCTS 206,396
4. Sembee 150,261
5. leew 138,265
6. tigermatt 127,901
7. kieran_b 126,467
8. Dave_AND 119,003
9. suppsaws 114,536
10. plug1 102,898
11. mwecompu... 94,230
12. olafdc 83,902
13. ormerodr... 81,017
14. DrDave242 75,633
15. MrManderson 72,155

1. TechSoEasy 6,202,796
2. Sembee 805,093
3. RobWill 731,686
4. olafdc 547,867
5. leew 511,131
6. KCTS 452,151
7. suppsaws 301,901
8. redseate... 251,224
9. tigermatt 228,449
10. vico1 210,195
11. Dave_AND 203,118
12. MPECSInc 170,829
13. MrManderson 170,663
14. keith_al... 169,586
15. ormerodr... 164,197

08.19.2006 at 09:48AM PDT, ID: 21960285

	[x] Attachment Details

Windows 2003 SBS and Corrupt Active Directory

Asked by jhieb in SBS Small Business Server

Tags: directory, 2003, active, sbs, windows

Hello,

I have a second domain controller which failed for some reason. When I first looked at it the system looks like my RAID failed. I powered down the system and brought it back up and the RAID looks like it is working. Windows 2003 ran chkdsk on the drives, corrected some files, and did whatever to mess up my system as it tried to recover. Then, it rebooted and gave the following error:

"Security Accounts Manager Initialization failed because of the following Error: Directory Service cannot start Error Status 0xc00002e1. Please click OK to shutdown this sytsem and reboot into Directory Services Restore Mode, check the event log for more detailed information.

I tried to reboot into Directory Services Restore Mode and referred to the following MS article:
http://support.microsoft.com/kb/258062/en-us

But the system won't accept my password. So, I referred to the following article:
http://support.microsoft.com/kb/249321/

But I don't know if I should work through it because I don't believe my boot letter has changed, or I need more info.

I tried to use the Last Known Good (has anyone ever liked this one?) but I still get the same error.

Right now, my logon screen has a "Please Wait" box saying: The Active Directory is rebuilding indices... Please wait.

At the same time, I have another Windows Error Dialog box displaying the first error I mentioned above. If I click OK then the sytem reboots and comes right back to where it is now. Should I wait for the other message to finishe that says to "Please wait...?" I've searched on "Active directory is rebuilding indices" on the Internet and it looks like this might stay there forever telling me to wait.

What should I do? I would like to run the repair but I cannot use my Administrator password to even run the ntdsutil referred to in the first technet article.

Thanks,
JohnStart Free Trial

Keywords: Windows 2003 SBS and Corrupt A…

	Title
1	Sbs 2003 and Raid
2	Corrupt NTFS volume after RAID rebuil…
3	Recovering from disk corruption on Rai…
4	The file or directory C: is corrupt and …
5	File system corruption on RAID 5 Arra…
6	Chkdsk corrupted my RAID array

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
Automotive
New Net Users
New Users

Software
Digital Music
Gaming World
Home Security

Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Displays / Monitors
Handhelds / PDAs
Components
Peripherals
Laptops/Notebooks

Servers
Misc
Apple
Embedded Hardware
Networking Hardware

Storage
Desktops
New Users

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMware
Misc
Web Development

OS
CYGWIN
Voice Recognition
Virtualization
Message Queue
Quality Assurance
Security
Firewalls

MultiMedia Applications
Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals
Devices

Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
Web Computing
WebApplications
IDS
Vulnerabilities
Email Clients
File Sharing

Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Consulting
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMware

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel
Automation

Algorithms
Game
Signal Processing
Project Management
Open Source
Database

Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Web Services

Images
Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration

WebApplications
Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Web Computing

Broadband
Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Lounge
Business Travel
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles
Automotive

Community Support

Suggestions
New to EE
New Topics
CleanUp

Announcements
General
Feedback

Input
EE Bugs

08.19.2006 at 10:45AM PDT, ID: 17348503

jhieb:

I've looked at the following article and it looks like it will help but I just can't logon to my hosed server with my Admin password. How do I get around this?

http://www.experts-exchange.com/Operating_Systems/Q_21467649.html

I can Net Use to the hosed server. Is it possible that I can manually replace my SAMS database? such as copy it from my good server? I don't have a backup of the hosed server. I just got it up and running.

From my good server can I demote the hosed one and then rebuild the SAMS database on it? Btw, the hosed server is a 2003 SBS server so it contains the roles.

Please advise.
Thanks,

08.19.2006 at 10:46AM PDT, ID: 17348513

oBdA:

The password the system is looking for is the Active Directory Services Restore Mode password; you've defined this during dcpromo (and probably never changed it, as this requires ntdsutil).
How To Reset the Directory Services Restore Mode Administrator Account Password in Windows Server 2003
http://support.microsoft.com/?kbid=322672

08.19.2006 at 10:55AM PDT, ID: 17348552

jhieb:

Hi oBda,

Thanks. I restarted the server and it is at the system error/logon screen. Then, from my other server I typed in the following because of a previous technet article:

net use \\remote_machine_name\IPC$ /user:administrator *

Then, I followed the instructions on resetting the password via the article you sent me and got the following:

C:\>ntdsutil
ntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server plato
Please type password for DS Restore Mode Administrator Account: *********
Please confirm new password: *********
Setting password failed.
WIN32 Error Code: 0x6ba
Error Message: The RPC server is unavailable.

08.19.2006 at 11:03AM PDT, ID: 17348587

jhieb:

My hosed server is the Operations Master for RID and PDC. I cannot changed the master since it is offline. I would have kept this server the Operations Master but the other one is SBS 2003. It started shutting down unless I made it the master.

08.19.2006 at 11:10AM PDT, ID: 17348617

jhieb:

Fyi, I started the RPC service on the good server and tried again. Same results. I cannot "Manage" the other server but I can get to it via Net use...

08.19.2006 at 11:20AM PDT, ID: 17348650

jhieb:

What do you think about the following article?
http://www.windowsitpro.com/Article/ArticleID/21590/21590.html?Ad=1

When it says to copy the SAM, what direction is it talking about? Is this non-relavent to the topic?

08.19.2006 at 11:41AM PDT, ID: 17348728

jhieb:

While in repair mode logon I can browse to the SBS computer and look at the files. When I look at the following location I notice that it is empty: \\Plato\c$\WINDOWS\Config

However, there are files in the \Windows\Config folder; however, they look like they haven't changed since I installed the server.

Can I manually copy my SAMS database to the other server? Can I reinstall over the existing server and keep everything else I've installed functional?

OK. If I cannot repair the SBS server then how do I force my other server then to become the Operations master if I cannot force it from the SBS server? If I cannot repair the SBS server then I need to at least make my good server stable.

Please point me in a possible solution. I'll try to work on this on my own and open up a new question if I need to, and if the risk is too much.

Thanks,

08.19.2006 at 12:05PM PDT, ID: 17348809

jhieb:

One more bit of info. I used a free password viewing tool and it looks like I am using the correct password. The free tool only shows me one letter but it also gives me the letter count. This must be the password I know should work. But, for some reason the Directory Services Restore Mode doesn't like the password that should work.

08.19.2006 at 12:09PM PDT, ID: 17348821

oBdA:

The article above is basically for Windows 2000; it's non-relevant if you can't login anyway.
So I assume you don't have a backup of this server?
That leaves you with two options. Since you can still access the old server, first backup all important files still on there. Make a backup of the running DC as well.
Then you can try a repait installation of your SBS.
As a last resort, you have the brute-force method.
Shut down the SBS. Make the other DC a global catalog, seize the FSMO roles, clean out the AD from the SBS.
Make sure your AD is still functioning (dcdiag.exe / netdiag.exe), then reinstall SBS into your domain.

How to install Small Business Server 2003 in an existing Active Directory domain
http://support.microsoft.com/?kbid=884453

How to promote a domain controller to a global catalog server
http://support.microsoft.com/?kbid=296882

How To View and Transfer FSMO Roles in Windows Server 2003
http://support.microsoft.com/?kbid=324801

How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/?kbid=216498

Accepted Solution

08.19.2006 at 12:44PM PDT, ID: 17348931

jhieb:

No, I don't have a backup of the server... yet. I just spent all week setting it up and getting it fully functional with my support apps. I should have known better than to leave the office last night without backing it up. That was my next step. Argh!

Well, I left the office and will work on this on Monday. If all else fails, it would be a good thing if I could make my functional server the master again. This really sucks. I thought Microsoft said that you don't have PDC's and BDC's anymore. What the heck is an operational master if not a PDC? ARgh! Anyway... I think I am going to go stick my head in the mud for awhile and get back to work when I've gotten over this.

Btw, how would you recommend a backup of this server? I can't log into it so I guess I can do an Image of it with Ghost or something...

08.19.2006 at 12:52PM PDT, ID: 17348949

oBdA:

A BDC held a read-only copy of the account database; for any change, the PDC had to be online. In an AD domain, any DC can accept changes.
You probably won't be able to make a regular backup of the SBS anymore, but since you can still map its drives, you can backup any important files that might be on there. With the backup of the "running" DC, I was referring to your second DC.

08.19.2006 at 12:55PM PDT, ID: 17348960

jhieb:

Hi oBdA,

First article: may not help in this situation unless I reinstall the server from scratch.
Second article: Both servers contain the global catalog so my working server has a copy of the catalog.
Third article: I cannot change the FSMO roles even though the server is running.
Fourth article: I don't know if it applies here.

When you mean that I should run a repair on the SBS server are you referring to starting the server with the installation CD and repairing that way?

Thank you,
John

08.19.2006 at 01:03PM PDT, ID: 17348976

jhieb:

FYI

Here is something Odd. When I look at Active Directory Users and Computers then it tells me that the Operation Master is ERROR and that I cannot transfer. However, if I use the MMC plug-in it shows my working server as the Operation Master.

Last week, my SBS server started turning itself off becasue it had to be the Operations master so I transfered the RID and PDC roles from the good server, Luther, to the bad server, Plato. Besides making sure both servers contained the global catalog I didn't transfer any other role.

08.19.2006 at 01:06PM PDT, ID: 17348984

oBdA:

Yes, those articles were meant for the "brute force" approach.
As for the third article, I picked the wrong one, sorry; to seize the roles (only do that if you decide to retire the SBS!), use this one:
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/?kbid=255504
The fourth article applies if you decide to shut down the SBS and reinstall.

Assisted Solution

08.19.2006 at 01:13PM PDT, ID: 17348995

jhieb:

Thank you. So, it sounds like my two approaches are to:

1. First, attempt to repair the SBS server by backing it up and then reinstall SBS server and selecting the repair option. If this doesn't work then go to step 2.

2. Force sieze FSMO roles on the new server and count my losses. Start from scratch :-)

Does this sound like the choices I am left with?

Thanks,
John

08.19.2006 at 01:18PM PDT, ID: 17349014

oBdA:

That's all I can think of at the moment; don't forget to backup your "good" DC before starting with anything, just in case the repair decides to eradicate your AD ...

Assisted Solution

08.19.2006 at 01:23PM PDT, ID: 17349021

jhieb:

Thanks. My good DC has so much stuff on it that the risk of the repair hosing AD might not be worth it. I think my best bet is to somehow sieze the FSMO roles and start the other server from scratch. I can still back it up and get the raw data off of it. That will help a little bit. This taught me a lesson. Whether you have time or not you must always keep a current backup!!!!!!!!!!!!!!!

I'll definitely have to finish this on Monday so I'll let you know what happens.

Have a great weekend and double-thanks!

John

08.20.2006 at 03:13AM PDT, ID: 17350928

TechSoEasy:

Your SBS must hold ALL FSMO roles... and it sounds like you didn't really deploy it correctly to begin with. You cannot merely add an SBS to an existing network. There is a way to join an existing domain, but it's not a recommended migration path. (http://support.microsoft.com/kb/884453)

I'd suggest that you at the very least follow that KB article, but even better would be to learn a bit more about SBS before you actually deploy it again.

see: http://sbsurl.com/itpro

http://sbsurl.com/techguide

Jeff
TechSoEasy

Assisted Solution

08.20.2006 at 03:15AM PDT, ID: 17350932

TechSoEasy:

Moved to SBS Small Business Server TA

TechSoEasy -- EE Page Editor

08.21.2006 at 01:18PM PDT, ID: 17358917

jhieb:

For some reason, my SBS server still won't accept the correct password. Even in recovery mode it doesn't like the password so I can't continue. This is wierd. I've verified the correct password using a linux password tool but the SBS server doesn't like the password. So, I'm unable to continue a repair on the server.

I've siezed PDC and RID roles onto the working server so I have that taken care of. It looks like I will have to start the SBS server from scratch. The article listed that helped with a "siezure" is:
http://support.microsoft.com/?kbid=255504

08.21.2006 at 01:22PM PDT, ID: 17358932

TechSoEasy:

At this point I'd suggest that you start migrating from scratch as well if you can safely remove the SBS from the network and are sure that your AD is in good shape on your other DC.

If this is the case, then you should determine the best method for migrating to SBS before reinstalling it.

Jeff
TechSoEasy

08.21.2006 at 01:28PM PDT, ID: 17358984

jhieb:

Thanks Jeff.

20080716-EE-VQP-32

Windows 2003 SBS and Corrupt Active Directory

Asked by jhieb in SBS Small Business Server

Tags: directory, 2003, active, sbs, windows

About this solution