Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Windows 2000 Domain won't boot.  Lsass.exe System Error

Posted on 2006-04-14
16
Medium Priority
?
238 Views
Last Modified: 2010-04-13
A clients windows 2000 sp4 domain controller has gone bad.  This is the only domain controller/global catalog etc. It is the entire domain. When I boot it I get the error:

"LSASS.EXE - System Error, security accounts manager initialization failed because of the following error: Directory Services cannot start. Error status 0xc00002e1. Please click OK to shutdown this system and reboot into directory services restore mode, check the event log for more detailed information."

I have read the knowledgebase on the error at http://support.microsoft.com/kb/258062/en-us .

But for some reason we cannot log into the DSRM.  It doesn't accept the password we had for administrator/DSRM password.  I have tried all passwords we have ever used.  Maybe the password hive is corrupt?  We have a Retrospect system state backup of the machine but I think that does me know good unless I can boot into the DSRM to finish the retrospect restore correct? I understand the steps to be:

1.) build windows 2000 server
2.) restore from backup
3.) on reboot after restore log into DSRM (and that's the problem we will have)

 We are lost here.  We need this server back up ASAP.

Is there a way to reset the DSRM password without logging into the domain controller? Or will the Retrospect backup be feasible enough for full active directory restore? Thanks for all your help!

0
Comment
Question by:asdsstaff
  • 8
  • 6
  • 2
16 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16458206
Hi asdsstaff,

the DSRM password was what was specified during initial promotion

Cheers!
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16458233
0
 

Author Comment

by:asdsstaff
ID: 16458757
Jay:  yes i know.  but this was 2 years ago and either we don't have it.  or it is gone??  also the link you provided is for having access to actually login to the server itself.  i cannot boot it normally because of the domain corruption and I cannot login to DSRM.  so i'm really struggling.
0
Receive 1:1 tech help

Solve your biggest tech problems alongside global tech experts with 1:1 help.

 
LVL 12

Accepted Solution

by:
Rant32 earned 2000 total points
ID: 16460040
The steps you need are actually a bit different:

1) Setup Windows 2000 with the same service packs
2) Promote to domain controller (then specify a known DSRM password)
3) boot into DSRM
4) Restore a full backup with system state
5) Change the DSRM password as per http://www.petri.co.il/change_recovery_console_password.htm method #1.
8) boot normally
0
 

Author Comment

by:asdsstaff
ID: 16460220
Rant:

I will be trying this is the next couple hours.  After step 4 I will use step 5 Method #1 immediatly before I reboot I assume?   And method #1 will reset the password on the restored data?  I would think that the registry would have to be flushed and reloaded for the possibility to do this.  
0
 
LVL 12

Expert Comment

by:Rant32
ID: 16460252
Well, after stage 4) the domain controller should be able to boot normally. Then you can log on to the server and use 5) to reset the password, doesn't really matter because then you don't need DSRM anymore.

8) should be 6) of course ;-)
0
 

Author Comment

by:asdsstaff
ID: 16460300
Will try today.  Thanks Rant32
0
 

Author Comment

by:asdsstaff
ID: 16460426
Actually now that I'm thinking about it.  After a restore in the DSRM I don't think I can boot normally until I reboot into DSRM again.  Because I'm using Retrospect which uses a helper service to finish the restore the system will need to be booted into DSRM right after the restore.  Hm...  Any ideas as to how we will be able to log back into DSRM after the first "part" of the restore?  Would the setpwd work after the first part before the 2nd reboot?  This conversation is what i'm talking about with the Retrospect helper service http://list.dantz.com/pipermail/retro-talk/2005-March/008998.html .

0
 
LVL 12

Expert Comment

by:Rant32
ID: 16460619
<< Would the setpwd work after the first part before the 2nd reboot? >>

I would think so, but I have no experience with Retrospect backup/restore procedures.
The administrator's password is stored in %Systemroot%\System32\config\SAM and a typical system state restore restores that as well. The setpwd changes the password in that SAM file.

Maybe the restore procedure of Retrospect restores only the AD system files (NTDS.DIT and log files) and leaves the SAM intact, you should be able to tell by the file attributes (size, date and time). If the file is touched after a restore, I'd certainly try changing the SAM password directly after the first restore.

OTOH, if it's really a helper *service*, then you need not log on to complete the procedure, true?

Btw, have you tried a blank DSRM password, by any chance?
0
 

Author Comment

by:asdsstaff
ID: 16462165
Thanks for your help Rant.  Your solution worked.  We were not able to run the SETPWD command but after the first reboot we let the computer sit at the DSRM login screen and it seemed to finish the update.  We then rebooted normally into the domain.  Whew!
0
 
LVL 12

Expert Comment

by:Rant32
ID: 16462182
Great, glad that worked out.

The SETPWD command should work though (you need to run it from the %systemroot%\system32\config folder iirc) because DSRM can be very useful ;-)

Next thing to think about is... How did this actually occur? If the NTDS database is on an NTFS partition, then you should seriously consider a physical check on some components - test memory, hard drives, etc. Database corruption should not occur with an ESE database stored on an NTFS partition!
0
 

Author Comment

by:asdsstaff
ID: 16462253
I'm sure SETPWD will work now that it's fully restored.  But I have to reset the DSRM password inside the domain itself because I cannot login to DSRM right now.  I will do that on monday.  But after the initial restore with Retrospect without going to a reboot tried opening a command prompt and it wouldn't open.  I'm assumming cause the system was in a state of flux with the system just have been replaced with new files.  

Any suggestions or resources on some testing I should/can do to test the DB, etc.  Things to do inside windows that is.  I will run a series of hardware diagnostics as well.  Still not sure why it happened.  
0
 

Author Comment

by:asdsstaff
ID: 16462256
I will run some standard tests with NTDSUTIL this weekend.
0
 
LVL 12

Expert Comment

by:Rant32
ID: 16462267
What diagnostic tools to can depend on the vendor. If you have a Compaq/HP/Dell server I suggest running the diagnostic tools provided by the manufacturers.

Good diagnostics will require downtime, however.

For memory tests try http://www.memtest86.com/

Harddrive diagnostics can be performed by Windows scandisk or by tools by the manufacturer of the hard drives (HP, Maxtor, WD, etc).

To test the NTDS, you can perform a defragmentation of the database in DSRM, with ntdsutil. Make sure to make a copy backup of the NTDS directory before doing this.
http://www.jsifaq.com/SUBF/TIP2600/rh2635.htm
0
 

Author Comment

by:asdsstaff
ID: 16462345
Okay thanks.  These are the tests I was planning on running.  Thanks again Rant
0
 
LVL 12

Expert Comment

by:Rant32
ID: 16465075
HTH, good luck.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Use this step by step method when setting up QuickBooks Online. They will allow you to explore the various features of the advanced settings available to you.
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …
With just a little bit of  SQL and VBA, many doors open to cool things like synchronize a list box to display data relevant to other information on a form.  If you have never written code or looked at an SQL statement before, no problem! ...  give i…
Suggested Courses
Course of the Month14 days, 3 hours left to enroll

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question