Solved

AD ON SERV 2003

Posted on 2005-04-13
Last Modified: 2010-04-10
Hi There

AD has bombed out on my DC; the error I get is:

There is an internal error in AD, the system cannot recover from this error

Please use AD restore mode to correct the problem.

PLEASE HELP, WHAT STEPS CAN I TAKE WITH HAVING TO GO TO ANY EXTREMES

THANKS
Question by:hitechauto

Author Comment

by:hitechauto
ID: 13779248
CAN I DO A SYSTEM STATE BACKUP ON OUR 2ND DC AND RESTORE ON OUR GLOBAL CATALOG??????

HAVING TROUBLE ACCESSING THE BACKUP DRIVE ON THE DC THAT AD HAS CRASHED ON.

IS THERE ANY SORT OF COMMAND LINE THAT I CAN USE IN DIRECTORY SERVICES RESTORE MODE TO CHECK AND REPAIR THE PROBLEM?

PLEASE GUYS THIS IS VERY URGENT, I HAVE 80 CLIENTS THAT NEED TO GET THEIR DATA

Expert Comment

by:purplepomegranite
ID: 13779343
Has the backup drive failed on the failed DC?  Were AD data files stored on this drive as well?

It sounds like the cause of the problem would be drive failure if that is what you have problems accessing - and this is the first thing that needs to be sorted.

Did you create an AD restore mode disk?  

Author Comment

by:hitechauto
ID: 13779357
Put it to you this way, I don't have a system state backup.

I can run the DC in restore mode but am not able to find a valid up-to-date backup, so restoring from a backup is out of the question.

What steps should i take????

Expert Comment

by:purplepomegranite
ID: 13779500
Presumably the server is booting at the moment, but not starting Active Directory?  Or is it not letting you in at all?  If it won't let you in, can you start in Safe Mode to get access to the system?

If you have people after data that is on the system, the most important thing is to get this data off the system and onto another (e.g. another DC) so that they can access it while you go about repairing the failed DC.

Expert Comment

by:Chris Dent
ID: 13779584
> CAN I DO A SYSTEM STATE BACKUP ON OUR 2ND DC AND RESTORE ON OUR GLOBAL CATALOG??????

If you have a second DC, is it reporting the same errors?

If it's quite happy then it can take over and DC1 can (and should) be turned off.

1. Install DNS (or check it's installed) on DC2
2. Seize any FSMO roles DC2 doesn't have
3. Make it a Global Catalog
4. Run "ipconfig /flushdns" then "ipconfig /registerdns"
5. Restart the NetLogon Service

If you're running DHCP that will need reconfiguring to ensure the clients have the correct DNS Server.

These are the individual steps for each of those:

1. Installing DNS

 - If the DNS Service is not currently installed go to Add / Remove Programs and add it.
 - Ensure the service starts correctly
 - Open DNS Manager
 - Right click on Forward Lookup Zones and select "New Zone..."

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 13779622

oops... wrong button. Anyway, this lot is only any good if DC2 works.

continued...

 - Select Primary Active Directory Integrated
 - Give it the same name as your existing Domain Name

 - Right click on Reverse Lookup Zones and select "New Zone..."
 - Select Primary Active Directory Integrated
 - Give it the same name as your IP Range. e.g. 192.168.0.x

Actually this would be a good time to get everything registered in DNS.

Ensure the server points to itself for DNS. Then type these into the command prompt:

ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon

2. Seizing the FSMO Roles

Before continuing with this section it has a disclaimer:

DO NOT seize the FSMO roles if you think DC1 will ever be back online without being reformatted and rebuilt.

Okay...

Start
Run
ntdsutil
Roles
Connections
Connect to Server DC2
Quit
Select Operation Target
List Roles for Connected Server

That shows us which server currently holds the roles. Any that aren't on DC2 need to be taken as follows:

<continuing from the prompt above>
Quit
Seize <role name>

If this is all of the roles then the commands are:

Seize PDC
Seize RID Master
Seize Schema Master
Seize Domain Naming Master
Seize Infrastructure Master

Quit
Quit <exits ntdsutil>

3. Make it a Global Catalog

Open AD Sites and Services and find DC2. Select the Properties for the NTDS Settings for the Server and select the Global Catalog tick box.

Then everything changes from the original list... which will teach me to accidentally press submit...

4. Clean up references to the old server

This lot is quite well covered in this article:

http://www.petri.co.il/fix_unsuccessful_demotion.htm
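
Working out which roles still need a Seize from the "List Roles for Connected Server" output, as an added example that is not part of the original post. The listing layout, the sample text and the domain example.local are assumptions constructed for illustration.

```python
import re

# Label in the role listing -> name used with "Seize" in the post above.
# The short labels are an assumption about the Server 2003 ntdsutil output.
SEIZE_NAME = {
    "Schema": "Schema Master",
    "Domain": "Domain Naming Master",
    "PDC": "PDC",
    "RID": "RID Master",
    "Infrastructure": "Infrastructure Master",
}

# "<Role> - CN=NTDS Settings,CN=<server>,CN=Servers,..."
ROLE_LINE = re.compile(r"^\s*(\w+)\s+-\s+CN=NTDS Settings,CN=([^,]+),", re.I)


def role_holders(listing):
    """Return {role label: holder server name} parsed from the listing."""
    holders = {}
    for line in listing.splitlines():
        m = ROLE_LINE.match(line)
        if m and m.group(1) in SEIZE_NAME:
            holders[m.group(1)] = m.group(2).upper()
    return holders


def seize_commands(listing, survivor):
    """Seize commands for every role not already held by `survivor`."""
    holders = role_holders(listing)
    missing = [r for r in SEIZE_NAME if r not in holders]
    if missing:
        # Refuse to guess: an incomplete listing has to be re-read by hand.
        raise ValueError("roles missing from listing: " + ", ".join(missing))
    return ["Seize " + SEIZE_NAME[r] for r in SEIZE_NAME
            if holders[r] != survivor.upper()]


# Constructed sample: DC2 already holds RID, the failed DC1 holds the rest.
_DN = ("CN=NTDS Settings,CN={0},CN=Servers,CN=Default-First-Site-Name,"
       "CN=Sites,CN=Configuration,DC=example,DC=local")
SAMPLE = 'Server "DC2" knows about 5 roles\n' + "\n".join(
    "{} - {}".format(role, _DN.format(dc)) for role, dc in [
        ("Schema", "DC1"), ("Domain", "DC1"), ("PDC", "DC1"),
        ("RID", "DC2"), ("Infrastructure", "DC1")])

if __name__ == "__main__":
    for cmd in seize_commands(SAMPLE, "DC2"):
        print(cmd)
```
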

Expert Comment

by:Chris Dent
ID: 13779671

Okay... now onto the less likely solutions.

If you have any DCs with a System State backup that would help a lot.

To Restore the system state you need to get Directory Service mode available. To get that..

1. Install Windows 200x on a Server
2. Install the very basics of Active Directory - don't bother configuring it, it's about to be overwritten

Then these instructions can take over:

http://support.microsoft.com/default.aspx?scid=kb;en-us;240363&sd=tech

After this the steps above should be followed to make the restored DC hold the FSMO Roles, run DNS and behave as a Global Catalog, etc.

There are a few options for attempting to repair AD... but I need to check a few things before I post them.


If you don't have a backup of the server or another working domain controller then it gets very difficult.


Expert Comment

by:Chris Dent
ID: 13779698

Next one is using the Integrity checker in NTDSUtil. Don't hold out a lot of hope for this one; it's intended that you only use it after performing a recovery. Because of that, this one is a last resort and you should probably make a backup of the broken server before running it:

ntdsutil
files
integrity

This one might take a while to run. If none of that helps then I'll have a look around again.

Chris