Windows 2000 Domain won't boot. Lsass.exe System Error

A client's Windows 2000 SP4 domain controller has gone bad. This is the only domain controller/global catalog etc. It is the entire domain. When I boot it I get the error:

"LSASS.EXE - System Error, security accounts manager initialization failed because of the following error: Directory Services cannot start. Error status 0xc00002e1. Please click OK to shutdown this system and reboot into directory services restore mode, check the event log for more detailed information."

I have read the knowledgebase on the error at http://support.microsoft.com/kb/258062/en-us .

But for some reason we cannot log into the DSRM. It doesn't accept the password we had for administrator/DSRM password. I have tried all passwords we have ever used. Maybe the password hive is corrupt? We have a Retrospect system state backup of the machine but I think that does me no good unless I can boot into the DSRM to finish the Retrospect restore, correct? I understand the steps to be:

1.) build windows 2000 server
2.) restore from backup
3.) on reboot after restore log into DSRM (and that's the problem we will have)

 We are lost here.  We need this server back up ASAP.

Is there a way to reset the DSRM password without logging into the domain controller? Or will the Retrospect backup be feasible enough for full active directory restore? Thanks for all your help!

asdsstaff Asked:

Jay_Jay70 Commented:
Hi asdsstaff,

the DSRM password was what was specified during initial promotion

Cheers!
0
Jay_Jay70 Commented:
0
asdsstaff (Author) Commented:
Jay: Yes, I know. But this was 2 years ago and either we don't have it or it is gone?? Also, the link you provided is for having access to actually log in to the server itself. I cannot boot it normally because of the domain corruption and I cannot log in to DSRM. So I'm really struggling.
0

Rant32 Commented:
The steps you need are actually a bit different:

1) Set up Windows 2000 with the same service packs
2) Promote to domain controller (then specify a known DSRM password)
3) boot into DSRM
4) Restore a full backup with system state
5) Change the DSRM password as per http://www.petri.co.il/change_recovery_console_password.htm method #1.
8) boot normally
0

asdsstaff (Author) Commented:
Rant:

I will be trying this in the next couple hours. After step 4 I will use step 5 Method #1 immediately before I reboot, I assume? And method #1 will reset the password on the restored data? I would think that the registry would have to be flushed and reloaded for the possibility to do this.
0
Rant32 Commented:
Well, after stage 4) the domain controller should be able to boot normally. Then you can log on to the server and use 5) to reset the password, doesn't really matter because then you don't need DSRM anymore.

8) should be 6) of course ;-)
0
asdsstaff (Author) Commented:
Will try today.  Thanks Rant32
0
asdsstaff (Author) Commented:
Actually, now that I'm thinking about it: after a restore in the DSRM I don't think I can boot normally until I reboot into DSRM again. Because I'm using Retrospect, which uses a helper service to finish the restore, the system will need to be booted into DSRM right after the restore. Hm... Any ideas as to how we will be able to log back into DSRM after the first "part" of the restore? Would the setpwd work after the first part before the 2nd reboot? This conversation is what I'm talking about with the Retrospect helper service: http://list.dantz.com/pipermail/retro-talk/2005-March/008998.html .

0
Rant32 Commented:
<< Would the setpwd work after the first part before the 2nd reboot? >>

I would think so, but I have no experience with Retrospect backup/restore procedures.
The administrator's password is stored in %Systemroot%\System32\config\SAM and a typical system state restore restores that as well. The setpwd changes the password in that SAM file.

Maybe the restore procedure of Retrospect restores only the AD system files (NTDS.DIT and log files) and leaves the SAM intact, you should be able to tell by the file attributes (size, date and time). If the file is touched after a restore, I'd certainly try changing the SAM password directly after the first restore.

OTOH, if it's really a helper *service*, then you need not log on to complete the procedure, true?

Btw, have you tried a blank DSRM password, by any chance?
0
asdsstaff (Author) Commented:
Thanks for your help Rant.  Your solution worked.  We were not able to run the SETPWD command but after the first reboot we let the computer sit at the DSRM login screen and it seemed to finish the update.  We then rebooted normally into the domain.  Whew!
0
Rant32 Commented:
Great, glad that worked out.

The SETPWD command should work though (you need to run it from the %systemroot%\system32\config folder iirc) because DSRM can be very useful ;-)

Next thing to think about is... How did this actually occur? If the NTDS database is on an NTFS partition, then you should seriously consider a physical check on some components - test memory, hard drives, etc. Database corruption should not occur with an ESE database stored on an NTFS partition!
0
asdsstaff (Author) Commented:
I'm sure SETPWD will work now that it's fully restored. But I have to reset the DSRM password inside the domain itself because I cannot log in to DSRM right now. I will do that on Monday. But after the initial restore with Retrospect, without going to a reboot, I tried opening a command prompt and it wouldn't open. I'm assuming because the system was in a state of flux, with the system having just been replaced with new files.

Any suggestions or resources on some testing I should/can do to test the DB, etc.? Things to do inside Windows, that is. I will run a series of hardware diagnostics as well. Still not sure why it happened.
0
asdsstaff (Author) Commented:
I will run some standard tests with NTDSUTIL this weekend.
0
Rant32 Commented:
What diagnostic tools to use can depend on the vendor. If you have a Compaq/HP/Dell server I suggest running the diagnostic tools provided by the manufacturers.

Good diagnostics will require downtime, however.

For memory tests try http://www.memtest86.com/

Hard drive diagnostics can be performed by Windows scandisk or by tools by the manufacturer of the hard drives (HP, Maxtor, WD, etc).

To test the NTDS, you can perform a defragmentation of the database in DSRM, with ntdsutil. Make sure to make a copy backup of the NTDS directory before doing this.
http://www.jsifaq.com/SUBF/TIP2600/rh2635.htm
0
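The copy backup, offline defragmentation and integrity check suggested in the comment above, written out as an added example that is not part of the original thread. It assumes the database and logs are in the default `%SystemRoot%\NTDS` folder and that it is run from a command prompt in Directory Services Restore Mode; `D:\ntds-copy` and `D:\ntds-compact` are hypothetical folders on a volume with enough free space.

```bat
@echo off
rem Added example; paths under D:\ are hypothetical placeholders.
rem Run in Directory Services Restore Mode only (the database must be offline).

rem 1. Copy backup of the whole NTDS directory before touching anything.
xcopy "%SystemRoot%\NTDS" D:\ntds-copy /E /H /K /I
if errorlevel 1 goto failed

rem 2. Show where the database and log files live and how large they are.
ntdsutil files info quit quit

rem 3. Offline defragmentation: writes a compacted ntds.dit to the target folder.
ntdsutil files "compact to D:\ntds-compact" quit quit
if not exist D:\ntds-compact\ntds.dit goto failed

rem 4. Put the compacted database in place and discard the old log files,
rem    which belong to the pre-compaction database.
copy /Y D:\ntds-compact\ntds.dit "%SystemRoot%\NTDS\ntds.dit"
if errorlevel 1 goto failed
del "%SystemRoot%\NTDS\*.log"

rem 5. Physical integrity check of the database file.
ntdsutil files integrity quit quit

rem 6. Logical consistency check of the directory data (report only, no fixup).
ntdsutil "semantic database analysis" go quit quit

goto end

:failed
echo A step failed. The untouched copy is in D:\ntds-copy.

:end
```

The script only checks the copy steps; read the ntdsutil output after steps 3, 5 and 6 before rebooting normally, and restore the files from the copy folder if the integrity check reports errors.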
asdsstaff (Author) Commented:
Okay thanks.  These are the tests I was planning on running.  Thanks again Rant
0
Rant32 Commented:
HTH, good luck.
0

Question has a verified solution.
