Solved

Corrupted Active Directory Database On Windows Server 2003 Member Server

Posted on 2007-11-24
Last Modified: 2010-07-27
I have a client with an SBS 2003 server.  It is running fine.

They also have another server running under the SBS domain server as a member server.  It is running Windows Server 2003 Standard Edition.  It is also running Windows Terminal Services in Application Mode, SQL Server 2005 Express, IIS and Canon Imageware document management.  The member server has Active Directory installed and the AD database became corrupted this past week.

We have it booted in Safe Mode at this time.  I tried to run NTDSUTIL integrity checks and tried to repair the corrupted database but I keep getting Jet Error -1018 (Verification Failures) - same problems with ESENTUTL.

Is there some way to copy the AD database from the PDC (SBS 2003 Premium) to the member server to restore the corrupted AD database?

If not, is AD necessary on the member server?  Exchange is running on the PDC (as a matter of fact it is the only thing running on the PDC right now).

This is a critical problem - the client's entire business is down as a result since all of their apps run on the member server.

(By the way, I am in New York and the server is in Florida.  I have remote access to the member server via RDP and to the PDC via RWW.  I am a Microsoft MCP with a Network Infrastructure competency.  There is a local consultant handling the problem but he has been unsuccessful in solving it as yet.  My client requested my assistance in expediting a solution.  I have a strong vested interest since I am the application developer/maintainer of the apps running on TS and IIS on the failed member server.)
0
Question by:portdata
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20344436
"If not, is AD necessary on the member server? "
    It is an additional domain controller. And TS on a domain controller is not a Microsoft approved scenario. So vice versa, AD shouldn't be on TS. Do metadata cleanup and demote this additional DC
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20344444
Boot the TS server in Directory restore mode and follow this article
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20344448
Before demoting this DC, try copying ntds.dit (AD database) from %SystemRoot%\ntds\NTDS.DIT in SBS to %SystemRoot%\ntds\NTDS.DIT in win2003 TS (never tried but might work)
0
 

Author Comment

by:portdata
ID: 20344541
MrHusy:

Thanks for your input.

I am going to pass on your suggestions to the on-site consultant in Florida.

I cannot copy the ntds.dit database from the SBS Server because it is in use and will not allow it to be copied.  The SBS server would need to be brought up in safe mode and a copy made of ntds.dit.  I cannot do that remotely.

I am even more interested in your comment about downgrading the second server.  That was supposed to have been done long ago.  I forgot about it.  

I recommended several months ago that they install a terminal server in application server mode.  At the time that the terminal server was being installed, the SBS server had a massive failure.  So, they installed the new server as a PDC.  I explained to them that SBS 2003 will not allow Terminal Services to be installed in application mode, but they needed a replacement PDC immediately so they configured it to be a PDC without Terminal Services.  When the replacement SBS server was delivered, I expected them to downgrade the application server to be a member server, not a DC.  He made it an application server, but evidently left it set up as a secondary domain controller and left active directory installed.

This client has had long-standing server problems and has not succeeded in finding a competent local expert who is able to clean up the mess once and for all.  I do what I can from this end of a phone line and a remote web link.

I'll post the results of the changes as soon as they are made (hopefully tomorrow).

Art Misita
Port Data Resources, Inc. / Tech 2 Go
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 20344876
Mr. Husky is right, but I think I would take another approach to it.

Demote the server. That removes the database. If you need it as a domain controller, you can repromote it and force replicate from the SBS to the standard server. That will bring back your AD database.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20345456
@ChiefIT: in my first post "Do metadata cleanup and demote this additional DC". But demoting this server is not so easy (I encountered this problem before) because this error does not let you boot Windows in normal mode. It pops up at start and as you click OK, it restarts itself. It does the same thing in safe mode also. The only way is booting in Directory restore mode and removing the DC.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20345459
@ Art: wait a minute! Is 2003 server the PDC???? If yes do not process any steps above!
0
 

Author Comment

by:portdata
ID: 20345577
MrHusy:

No, the PDC is Windows Small Business Server 2003 Premium.  The failing server is running Windows 2003 Server Standard and all of the rest (TS, SQL 2005, IIS, etc.)  It is defined to the SBS 2003 server as a domain controller instead of just another computer running Windows 2003 Server as its operating system.

I do not see any reason why the TS server needs to be a domain controller or why it needs to have AD installed and running on it.  I have a similar network in my own office and do not have AD running on the TS server.  The SBS server handles AD for the entire network.

Nobody needs to log in directly to SRVR2 (the TS server).  It runs VB.Net apps in TS, an ASP.Net app in IIS and Canon Imageware.  Why would it need to have AD installed?

Demoting it or removing DC seems to make perfect sense.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20345621
  Perfect. You can safely go on demoting it (otherwise we would have to seize the roles)
   
"I do not see any reason why the TS server needs to be a domain controller or why it needs to have AD installed and running on it."
    Exactly. As I mentioned earlier, Microsoft does not approve a scenario in which TS in app mode is installed on a domain controller. It would be insecure to let many unauthorized people access a DC. TS shouldn't be on a DC, so just demote it and let it stay as a domain member server.
    Well, you are off-site, and you cannot reach the F8 menu and connect to "Directory restore mode". It will be difficult on the phone :( . Btw doing metadata cleanup won't be enough.
   Here is an idea. Use NT backup in SBS and back up the Active Directory database. Then restore it in win2003 server. But be careful, while taking the backup, only take the "Active Directory database", not the full system state

Regards
0
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 500 total points
ID: 20345673
 If the backup thing fails, try dcpromo /forceremoval in Directory services restore mode
0
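A forced demotion removes AD from the demoted machine only; the surviving DC still holds the old DC's objects, which is where the metadata cleanup mentioned earlier in the thread comes in. The following is an added example, not part of any poster's reply: the ntdsutil metadata cleanup sequence in its non-interactive form, run from the surviving DC. `SBS-DC-PLACEHOLDER` and the index values are assumptions (the thread does not give the SBS server's name); read the real indexes from the `list` pass before removing anything.

```batch
@echo off
rem Added example, not from the thread.
rem Run on the surviving DC (the SBS server) after SRVR2 has been demoted
rem with dcpromo /forceremoval.
rem HEALTHY_DC is a placeholder; the thread does not name the SBS server.
set HEALTHY_DC=SBS-DC-PLACEHOLDER

rem Index values are assumptions. Run "cleanup.cmd list" first and copy the
rem numbers ntdsutil prints for the domain, the site and the SRVR2 entry.
set DOMAIN_INDEX=0
set SITE_INDEX=0
set SERVER_INDEX=

if /i "%1"=="list" goto list
if "%SERVER_INDEX%"=="" goto usage
goto remove

:list
rem Read-only pass: shows domains, sites and the servers in the chosen site.
ntdsutil "metadata cleanup" "connections" "connect to server %HEALTHY_DC%" "quit" "select operation target" "list domains" "select domain %DOMAIN_INDEX%" "list sites" "select site %SITE_INDEX%" "list servers in site" "quit" "quit" "quit"
goto :eof

:remove
rem Destructive pass: deletes the selected server's DC metadata.
rem ntdsutil asks for confirmation; check that the name shown is the demoted
rem DC (SRVR2 in this thread) and not the healthy one.
ntdsutil "metadata cleanup" "connections" "connect to server %HEALTHY_DC%" "quit" "select operation target" "select domain %DOMAIN_INDEX%" "select site %SITE_INDEX%" "select server %SERVER_INDEX%" "quit" "remove selected server" "quit" "quit"

rem Check that every operations master role is still held by the healthy DC.
rem netdom ships with the Windows Server 2003 Support Tools.
netdom query fsmo
goto :eof

:usage
echo Run "%~nx0 list" first, set SERVER_INDEX in this file, then run again.
goto :eof
```

After the removal, the stale server object under Active Directory Sites and Services and any DNS records that still point at the old DC are cleaned up by hand.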
 

Author Comment

by:portdata
ID: 20345876
MrHusy:

NTBackup will not let me check the box for NTDS.DIT, the active directory database.  When I check the box for the C:\WINDOWS\NTDS folder, the individual files in that folder remain unchecked.

I think a DCPROMO downgrade is going to be the only successful solution.

I sent an email to the Florida consultant "strongly suggesting" that solution (and copied my client).  And I sent a separate email to my client suggesting that he pay for a plane ticket, a hotel room and two days of my time and I will fly to Florida and fix the problem for him tomorrow.  (I actually hope the consultant will follow the advice and save me the trip)

Thanks for your advice and your time.

Art Misita
0
 

Author Closing Comment

by:portdata
ID: 31410803
Thanks to all for their advice.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20345984
You are welcome, Art. 1 more suggestion. What brand is the server? HP, IBM? Maybe we can configure something like ILO and you won't have to go there
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20346130
Btw, you cannot back up ntds.dit like that. You should expand "System State" while backing up, not the C:\ drive. The directory database exists under system state.
0
 

Author Comment

by:portdata
ID: 20346308
I tried to back up ntds.dit that way as well.  All of the checkboxes in the system state are greyed out.  There is no way to back up just the Active Directory.

That might be because the server is started in safe mode.

Right now it is in the hands of the owner of the business and his consultant.

I told my client to contact me if he needs me.

I gave the consultants explicit instructions on how to downgrade to a member server.

All I can do now is wait...
0
 

Author Comment

by:portdata
ID: 20353068
MrHusy:

The consultant did exactly as told and removed AD from SRVR2.

All is back up and running well.

Thanks again.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20353327
You are welcome :)
0