Corrupted Active Directory Database On Windows Server 2003 Member Server

Posted on 2007-11-24
Last Modified: 2010-07-27
I have a client with an SBS 2003 server.  It is running fine.

They also have another server running under the SBS domain server as a member server.  It is running Windows Server 2003 Standard Edition.  It is also running Windows Terminal Services in Application Mode, SQL Server 2005 Express, IIS and Canon Imageware document management.  The member server has Active Directory installed and the AD database became corrupted this past week.

We have it booted in Safe Mode at this time.  I tried to run NTDSUTIL integrity checks and tried to repair the corrupted database but I keep getting Jet Error -1018 (Verification Failures) - same problems with ESENTUTL.

Is there some way to copy the AD database from the PDC (SBS 2003 Premium) to the member server to restore the corrupted AD database?

If not, is AD necessary on the member server?  Exchange is running on the PDC (as a matter of fact it is the only thing running on the PDC right now).

This is a critical problem - the client's entire business is down as a result since all of their apps run on the member server.

(By the way, I am in New York and the server is in Florida.  I have remote access to the member server via RDP and to the PDC via RWW.  I am a Microsoft MCP with a Network Infrastructure competency.  There is a local consultant handling the problem but he has been unsuccessful in solving it as yet.  My client requested my assistance in expediting a solution.  I have a strong vested interest since I am the application developer/maintainer of the apps running on TS and IIS on the failed member server.)
Question by:portdata

Expert Comment

by:Alan Huseyin Kayahan
ID: 20344436
"If not, is AD necessary on the member server? " 
    It is an additional domain controller. And TS on a domain controller is not a Microsoft approved scenario. So vice versa, AD shouldn't be on TS. Do metadata cleanup and demote this additional DC

Expert Comment

by:Alan Huseyin Kayahan
ID: 20344444
Boot the TS server in Directory restore mode and follow this article
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Expert Comment

by:Alan Huseyin Kayahan
ID: 20344448
Before demoting this DC, try copying ntds.dit (AD database) from %SystemRoot%\ntds\NTDS.DIT in SBS to %SystemRoot%\ntds\NTDS.DIT in win2003 TS (never tried but might work)

Author Comment

by:portdata
ID: 20344541
MrHusy:

Thanks for your input.

I am going to pass on your suggestions to the on-site consultant in Florida.

I cannot copy the ntds.dit database from the SBS Server because it is in use and will not allow it to be copied.  The SBS server would need to be brought up in safe mode and a copy made of ntds.dit.  I cannot do that remotely.

I am even more interested in your comment about downgrading the second server.  That was supposed to have been done long ago.  I forgot about it.  

I recommended several months ago that they install a terminal server in application server mode.  At the time that the terminal server was being installed, the SBS server had a massive failure.  So, they installed the new server as a PDC.  I explained to them that SBS 2003 will not allow Terminal Services to be installed in application mode, but they needed a replacement PDC immediately so they configured it to be a PDC without Terminal Services.  When the replacement SBS server was delivered, I expected them to downgrade the application server to be a member server, not a DC.  He made it an application server, but evidently left it set up as a secondary domain controller and left active directory installed.

This client has had long-standing server problems and has not succeeded in finding a competent local expert who is able to clean up the mess once and for all.  I do what I can from this end of a phone line and a remote web link.

I'll post the results of the changes as soon as they are made (hopefully tomorrow).

Art Misita
Port Data Resources, Inc. / Tech 2 Go

Expert Comment

by:ChiefIT
ID: 20344876
Mr. Husky is right, but I think I would take another approach to it.

Demote the server. That removes the database. If you need it as a domain controller, you can repromote it and force replicate from the SBS to the standard server. That will bring back your AD database.

Expert Comment

by:Alan Huseyin Kayahan
ID: 20345456
@ChiefIT: in my first post "Do metadata cleanup and demote this additional DC". But demoting this server is not so easy (I encountered this problem before) because this error does not let you boot windows in normal mode. It pops up at start and as you click OK, it restarts itself. It does the same thing in safemode also. Only way is booting in Directory restore mode and removing DC.

Expert Comment

by:Alan Huseyin Kayahan
ID: 20345459
@ Art: wait a minute! Is 2003 server the PDC???? If yes do not process any steps above!

Author Comment

by:portdata
ID: 20345577
MrHusy:

No, the PDC is Windows Small Business Server 2003 Premium.  The failing server is running Windows 2003 Server Standard and all of the rest (TS, SQL 2005, IIS, etc.)  It is defined to the SBS 2003 server as a domain controller instead of just another computer running Windows 2003 Server as its operating system.

I do not see any reason why the TS server needs to be a domain controller or why it needs to have AD installed and running on it.  I have a similar network in my own office and do not have AD running on the TS server.  The SBS server handles AD for the entire network.

Nobody needs to log in directly to SRVR2 (the TS server).  It runs VB.Net apps in TS, an ASP.Net app in IIS and Canon Imageware.  Why would it need to have AD installed?

Demoting it or removing DC seems to make perfect sense.

Expert Comment

by:Alan Huseyin Kayahan
ID: 20345621
  Perfect. You can safely go on demoting it (otherwise we would have to seize the roles)
   
"I do not see any reason why the TS server needs to be a domain controller or why it needs to have AD installed and running on it."
    Exactly. As I mentioned earlier Microsoft does not approve a scenario in which TS in app mode is installed on a domain controller. It would be unsecure to let many unauthorized people access a DC. TS shouldn't be on a DC, so just demote it and let it stay as a domain member server.
    Well you are off-site, and you cannot reach the F8 menu and connect to "Directory restore mode". It will be difficult on phone :( . Btw doing metadata cleanup won't be enough.
   Here is an idea. Use NT backup in SBS and back up the Active Directory database. Then restore it in win2003 server. But be careful, while taking backup, only take the "Active Directory database" not the full system state

Regards

Accepted Solution

by:
Alan Huseyin Kayahan earned 2000 total points
ID: 20345673
 If backup thing fails, try dcpromo /forceremoval in Directory services restore mode
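
The forced-removal path suggested above, followed by the metadata cleanup mentioned earlier in the thread, written out as a console session. This is an added example, not part of the original posts. SRVR2 is the failed server named in the thread; SBS01, example.local and the numeric indexes are placeholders, so take the real values from the `list` output.

```bat
:: --- On SRVR2, booted into Directory Services Restore Mode ---
:: Removes AD locally without contacting any other DC. Afterwards the
:: machine is a standalone server and has to be rejoined to the domain
:: to become a member server again.
dcpromo /forceremoval

:: --- On the surviving DC (placeholder name SBS01) ---
:: A forced removal leaves SRVR2's DC objects behind in the directory.
:: Start ntdsutil, then type the indented lines at its prompts.
ntdsutil
    metadata cleanup
    connections
    connect to server SBS01
    quit
    select operation target
    list domains
    :: placeholder index: use the number shown for your domain
    select domain 0
    list sites
    :: placeholder index: use the number shown for your site
    select site 0
    list servers in site
    :: placeholder index: pick SRVR2, never the SBS server
    select server 1
    quit
    remove selected server
    quit
    quit

:: --- Verify from SBS01 ---
:: SRVR2 should no longer be listed as a domain controller.
nltest /dclist:example.local
:: All five FSMO roles should be held by the SBS server.
netdom query fsmo
:: Directory health check against the remaining DC.
dcdiag /s:SBS01
```

`netdom` and `dcdiag` come from the Windows Server 2003 Support Tools. Check DNS and Active Directory Sites and Services afterwards for leftover SRVR2 records.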

Author Comment

by:portdata
ID: 20345876
MrHusy:

NTBackup will not let me check the box for NTDS.DIT, the active directory database.  When I check the box for the C:\WINDOWS\NTDS folder, the individual files in that folder remain unchecked.

I think a DCPROMO downgrade is going to be the only successful solution.

I sent an email to the Florida consultant "strongly suggesting" that solution (and copied my client).  And I sent a separate email to my client suggesting that he pay for a plane ticket, a hotel room and two days of my time and I will fly to Florida and fix the problem for him tomorrow.  (I actually hope the consultant will follow the advice and save me the trip)

Thanks for your advice and your time.

Art Misita

Author Closing Comment

by:portdata
ID: 31410803
Thanks to all for their advice.

Expert Comment

by:Alan Huseyin Kayahan
ID: 20345984
You are welcome Art. 1 more suggestion. What brand is the server? HP IBM? Maybe we can configure something like ILO and you won't have to go there

Expert Comment

by:Alan Huseyin Kayahan
ID: 20346130
Btw, you cannot back up ntds.dit like that. You should expand "System State" while backing up, not the C:\ drive. Directory database exists under system state.

Author Comment

by:portdata
ID: 20346308
I tried to back up ntds.dit that way as well.  All of the checkboxes in the system state are greyed out.  There is no way to back up just the Active Directory.

That might be because the server is started in safe mode.

Right now it is in the hands of the owner of the business and his consultant.

I told my client to contact me if he needs me.

I gave the consultants explicit instructions on how to downgrade to a member server.

All I can do now is wait...

Author Comment

by:portdata
ID: 20353068
MrHusy:

The consultant did exactly as told and removed AD from SRVR2.

All is back up and running well.

Thanks again.

Expert Comment

by:Alan Huseyin Kayahan
ID: 20353327
You are welcome :)