• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2133
  • Last Modified:

Domain Controller Services not starting Event 1168.

Our win2k3 sp1 Domain controller crashed over night and now it will not run on the Domain.  When you start it up all server related services fail(DNS DHCP RPC, Server, etc.).

I get an even on start up that seems to trigger it all of event id:1168

Event Type:      Error
Event Source:      NTDS General
Event Category:      Internal Processing
Event ID:      1168
Date:            6/15/2006
Time:            3:40:29 AM
User:            N/A
Computer:      JMPSERVER1
Description:
Internal error: An Active Directory error has occurred.
 
Additional Data
Error value (decimal):
1053
Error value (hex):
41d
Internal ID:
30004df

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I have ran an integrity check on ntds.dit using ntdsutil which was successful.

I cant get this thing working should i do a ntdsutil recover?

0
JMPENG
Asked:
JMPENG
  • 6
  • 4
1 Solution
 
Kini pradeepPrincipal Cloud and security consultantCommented:
is there an event 1003, The Windows Directory Service database could not be initialized and returned error <error code>. Unrecoverable error, the directory can't continue.

if so then the AD database could be corrupt.
do you have any other Dc's in the dopmain.
if so then you could run esentutl tool, to repair the database. semantic database analysis in ntdsutil would run clean and report no errors.

0
 
Kini pradeepPrincipal Cloud and security consultantCommented:
by any chance do you happen to have a good / recent system state backup ?

0
 
JMPENGAuthor Commented:
I don't get 1003.
I seem to get these errors on start up.

1168, 2088, 1824, then 1473.

I do ahve another DC, I have ran semantic database analysis, it was successful

And do to some other problems we were having I have no good recent backup.
0
Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

 
Kini pradeepPrincipal Cloud and security consultantCommented:
lets check whether the Ldap can bind.
from the other Dc or any comp where the support tools are installed, can you run a dcdiag /v /s:name of the problem dc >dcdiag.txt.
its bound to fail on Ldap bind, can you give me the Ldap bind error (is it 55)
0
 
JMPENGAuthor Commented:
Domain Controller Diagnosis

Performing initial setup:
   * Connecting to directory service on server jmpserver1.
   ["Problem dc"] LDAP search failed with error 58,
   The specified server cannot perform the requested operation..
   ***Error: The machine, "problem dc" could not be contacted, because of a bad

   net  response.  Check to make sure that this machine is a Domain Controller.

0
 
JMPENGAuthor Commented:
I think I have given up on this thing.  It was the master of all roles, so should I do a role seize with ntdsutil?  
0
 
Kini pradeepPrincipal Cloud and security consultantCommented:
yes you can seize all the roles to the other Dc, make sure that its a GC as well.
after that do a metadata cleanup on the other DC.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;216498 so that  any traces of the old Dc  remove them from the DNS as well.
once thats done you can join this machine to the domain.

if a Dc does not boot in the normal mode due to any reason, and you want to demote it, you need not reinstall the OS, what you can do is in the registry go to the registry.

HKLM\system\ccs\control\productoptions under that there is a reg string value called product type
for DC its LanmanNT
member server its ServerNT and for normal w/s its WinNT.
so to demote the DC, change it to ServerNT and reboot, then you need to promote it into a new forest/new domain to remove the AD traces from it, basically promote it in a dummy forest and then demote it using DCpromo which will be a graceful demotion, it helps because it does not leave any traces of the original domain. once thats done reboot again, add it to the correct domain and then promote it as a DC.


The LDAP error could be either due to winsock corruption or some other driver is overriding the default, if thats the case then you might come across the same problem again , in which case you would have to recreate winsock. (i got this info from a buddy who is a PSS engineer at MS)
0
 
Kini pradeepPrincipal Cloud and security consultantCommented:
if its a winsock corruption then netdiag should let you know about it.

run netdiag /v /s: server

0
 
JMPENGAuthor Commented:
Alright I have seized the roles and moved the services.  Everything seems to be stable for now.  Thanks for all the help kprad.
0
 
Kini pradeepPrincipal Cloud and security consultantCommented:
no problem, you are welcome.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

  • 6
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now