sfxit

Directory services

The event log (Directory Services) is giving a message, NTDS ISAM event ID 474: the file ntds.dit has a checksum error. What can I do?
chadduffey

You probably have already spotted it but MS has an article here:
http://support.microsoft.com/kb/810411

Sorry, please ignore my dumb post above. I just re-read that and realised I am way off the mark - I've posted an Exchange fix, not an AD fix. I'm looking for a book that they gave us at an AD troubleshooting course that has all the error codes and fixes in it, but damned if I can find it. Hopefully it is at home - will post it up if I find it.

Cheers.

This is the stuff that we got in an AD course on repairing this type of stuff. I haven't re-read all of it, and can't guarantee it's exactly what you are after, but am posting it in case there is something in here you can use:

Did you check the available Disk space?

The specified issue may be caused by a corrupted AD
database. If you have a recent backup, I recommend you perform a restore
operation to resolve the issue.

However, if the backup is not recent and you'll lose many objects, you can
try to repair the database. In some situations, certain configurations will
be lost with this procedure.

Before you start the computer in Directory Services Restore Mode, obtain the
password for the offline administrator account.

For more information about how to change the password in Windows Server
2003, click the following article number to view the article in the
Microsoft Knowledge Base

http://support.microsoft.com/kb/322672/

"Directory Services cannot start" error message when you start your
Windows-based or SBS-based domain controller
http://support.microsoft.com/?id=258062

Next step:

How to Recover the Database, and if it fails, try How to Repair the Database
(be careful with this last one; read carefully)

http://support.microsoft.com/default...b;en-us;315131

How to complete a semantic database analysis for the Active Directory
database by using Ntdsutil.exe
http://support.microsoft.com/default...b;en-us;315136







If you fail to repair a corrupted Active Directory, try the following:
You may try the following steps to recover the corrupted Active Directory.

1. Reboot the server and press F8. Choose Directory Services Restore Mode
from the Menu.
2. Check the physical location of the Winnt\NTDS\ folder.
3. Check the permissions on the \Winnt\NTDS folder.



The default permissions are:

Administrators - Full Control
System - Full Control

4. Check the Winnt\Sysvol\Sysvol folder to make sure it is shared.
5. Check the permissions on the Winnt\Sysvol\Sysvol share.



The default permissions are:

Share Permissions:
Administrators - Full Control
Authenticated Users - Full Control
Everyone - Read

NTFS Permissions:
Administrators - Full Control
Authenticated Users - Read & Execute, List Folder Contents, Read
Creator Owner - none
Server Operators - Read & Execute, List Folder Contents, Read
System - Full Control

Note: You may not be able to change the permissions on these folders if the
Active Directory database is unavailable because it is damaged, however it
is best to know if the permissions are set correctly before you start the
recovery process, as it may not be the database that is the problem.

6. Make sure there is a folder in the Sysvol share labeled with the correct
name for their domain.
7. Open a command prompt and run NTDSUTIL to verify the paths for the
NTDS.dit file. These should match the physical structure from Step 2

To check the file paths type the following commands:

NTDSUTIL <enter>
Files <enter>
Info <enter>

The output should look similar to:

Drive Information:

C:\ NTFS (Fixed Drive) free (2.9 Gb) total (3.9 Gb)
D:\ NTFS (Fixed Drive) free (3.6 Gb) total (3.9 Gb)

DS Path Information:

Database : C:\WINNT\NTDS\ntds.dit - 10.1 Mb
Backup dir: C:\WINNT\NTDS\dsadata.bak
Working dir: C:\WINNT\NTDS
Log dir : C:\WINNT\NTDS - 30.0 Mb total
res2.log - 10.0 Mb
res1.log - 10.0 Mb
edb.log - 10.0 Mb

This information is pulled directly from the registry and mismatched paths
will cause Active Directory not to start. Type Quit to end the NTDSUTIL
session.

8. Rename the edb.chk file and try to boot to Normal mode. If that fails,
proceed with the next steps.

9. Reboot into Directory Services Restore mode again. At the command prompt,
use the ESENTUTL to check the integrity of the database.
NOTE: You can use NTDSUTIL to check the Integrity, however esentutl is
usually more reliable.

Type the following command:
ESENTUTL /g "<path>\NTDS.dit" /!10240 /8 /v /x /o <enter>
(Note: Type the path without the quotes).

Note: The default path would be C:\Winnt\NTDS\ntds.dit; however it may be
different in some cases.

The output will tell you if the database is inconsistent and may produce a
jet_error 1206 stating that the database is corrupt. If the database is
inconsistent or corrupt it will need to be recovered or repaired. To
recover the database type the following at the command prompt:

NTDSUTIL <enter>
Files <enter>
Recover <enter>

If this fails with an error, type quit until back at the command prompt and
repair the database using ESENTUTL by typing the following:

ESENTUTL /p "<path>\NTDS.dit" /!10240 /8 /v /x /o <enter>
(Note: Type the path without the quotes).

Note: If you do not put the switches at the end of the command you will
most likely get a Jet_error 1213 "Page size mismatch" error.

10. Delete the log files in the NTDS directory, but do not delete or move
the ntds.dit file.
11. The NTDSUTIL tool needs to be run again to check the Integrity of the
database and to perform a Semantic Database analysis.

To check the integrity, at the command prompt type:

NTDSUTIL <enter>
Files <enter>
Integrity <enter>

The output should tell you that the integrity check completed successfully
and prompt that you should perform a Semantic Database Analysis.

Type quit.

To perform the Semantic Database Analysis, type the following at the NTDSUTIL
prompt:

Semantic Database Analysis <enter>
Go <enter>

The output will tell you that the Analysis completed successfully.
Type quit and close the command prompt.

NOTE: If you get errors running the Analysis then type the following at the
semantic checker prompt:

semantic checker: go fix <enter>

This puts the checker in Fixup mode, which should fix whatever errors there
were.

12. Reboot the server to Normal Mode.

If any of these steps fail to recover the database the only alternative is
to perform an Authoritative System State restore from backup in Directory
Services Restore mode.

For more information, please refer to the following articles:

315136 HOW TO: Complete a Semantic Database Analysis for the Active
Directory
http://support.microsoft.com/?id=315136

265706 DCDiag and NetDiag in Windows 2000 Facilitate Domain Join and DC
Creation
http://support.microsoft.com/?id=265706

258007 Error Message: Lsass.exe - System Error : Security Accounts Manager
http://support.microsoft.com/?id=258007

265089 Event 1168: Windows 2000 DCs Unable to Boot into Active Directory
http://support.microsoft.com/?id=265089

315131 HOW TO: Use Ntdsutil to Manage Active Directory Files from the
Command
http://support.microsoft.com/?id=315131
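
A read-only way to run the checks in steps 2, 3 and 7 of the post above, as an added example that is not part of the original thread or the course material. It assumes PowerShell 2.0 or later is available on the domain controller and that the standard NTDS Parameters registry values are present; the function names are hypothetical.

```powershell
# Added example, not from the original post. Read-only: changes nothing.
# Assumes PowerShell 2.0+ in an elevated session on the domain controller.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Test-NtdsPath {
    # Step 7: the paths ntdsutil "files info" reports come from these values.
    param($Params)
    foreach ($name in 'DSA Database file', 'DSA Working Directory',
                      'Database log files path') {
        $value = $Params.$name
        New-Object PSObject -Property @{
            Setting = $name
            Path    = $value
            Exists  = [bool]($value -and (Test-Path -Path $value))
        }
    }
}

function Test-NtdsAcl {
    # Step 3: the post's defaults are Administrators and System, Full Control.
    param([string]$Folder)
    $expected = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-18' = 'System' }
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $seen     = @{}
    foreach ($ace in (Get-Acl -Path $Folder).Access) {
        $sid  = $ace.IdentityReference.Translate($sidType).Value
        $full = ($ace.AccessControlType -eq 'Allow') -and
                ($ace.FileSystemRights -eq 'FullControl')
        if ($expected.ContainsKey($sid) -and $full) { $seen[$sid] = $true }
        else {
            # Anything beyond the two defaults is listed for manual review.
            "REVIEW : {0} {1} {2}" -f $ace.IdentityReference,
                $ace.AccessControlType, $ace.FileSystemRights
        }
    }
    foreach ($sid in $expected.Keys) {
        if (-not $seen.ContainsKey($sid)) {
            "MISSING: {0} ({1}) has no Full Control entry" -f $expected[$sid], $sid
        }
    }
}

$params = Get-ItemProperty -Path $ntdsKey
Test-NtdsPath -Params $params | Format-Table Setting, Path, Exists -AutoSize
Test-NtdsAcl -Folder (Split-Path -Parent $params.'DSA Database file')
```

A path with Exists set to False, or any REVIEW or MISSING line, is worth resolving before moving on to the esentutl steps.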
sfxit

ASKER

I tried all that and it told me that the recovery was good; however, when I boot the server again I am getting the 474 and a 1018 error.

474 is as before.

1018 is about online defrag of the NTDS database and is saying it terminated prematurely after encountering an error. Can you recommend anything I can do next?

Hmmm, I threw your question around the office at work, and the key thing that everyone suggested first and foremost is, if you possibly can afford it, call Microsoft PSS - 1800 800 142. They will charge you for the service but it is quite reasonable - someone threw up a number of $240 to get the call logged (but that could be a guess), and they absolutely kick ass. Our company makes us go through them for this type of stuff even if we believe we are cool with it.

Failing that, what people seemed to think is you are in for a nasty authoritative restore. But when we looked it up in all our doco, it comes back to the "CALL PSS!"; it says it about three times through the authoritative restore guide.

If it does come down to authoritative restore using NTDSUTIL, it will be a matter of restoring a copy of the last good backup, the one prior to the first event log error.

But to be honest, I would definitely not take my advice on the authoritative restore. I would seek out help from PSS; those guys truly are guns at AD. Sorry I couldn't be any more help.

Let us know how it resolves, because it is a really interesting (but challenging) problem by the sounds of it.


 
sfxit

ASKER

Rang them; they want $390 to log a support call. Cannot find out how much their agreements cost.

Oh, well, I suppose that's a fair bit. But depending on the size of your company it could be well worth it. How far back does the error go? Because if you go down the authoritative restore path you will lose changes back to the backup before that point.

(Just a note: There is a user on this forum called LauraHunter who is an absolute gun at this stuff too, you may be able to do a search for jobs she has had something to do with).

sfxit

ASKER

If this problem is in Active Directory, could I not take Active Directory off this server? This is the server that holds all the main roles, as it was the first one built. Do you know the procedure for removing all the roles and then putting them back? This problem came up when we had a RAID failure, so initially the problem was hardware, but some data obviously got corrupted and is still corrupted, although we have replaced the drive. Does that give you any ideas? We have other domain controllers in the domain.

ASKER CERTIFIED SOLUTION
chadduffey

This solution is only available to members.

@chadduffey,

Your post at 20182850 helps me... Thank you very much!!!
You saved my career!!!