portdata asked:

Corrupted Active Directory Database On Windows Server 2003 Member Server

I have a client with an SBS 2003 server.  It is running fine.

They also have another server running under the SBS domain server as a member server.  It is running Windows Server 2003 Standard Edition.  It is also running Windows Terminal Services in Application Mode, SQL Server 2005 Express, IIS and Canon Imageware document management.  The member server has Active Directory installed and the AD database became corrupted this past week.

We have it booted in Safe Mode at this time.  I tried to run NTDSUTIL integrity checks and tried to repair the corrupted database but I keep getting Jet Error -1018 (Verification Failures) - same problems with ESENTUTL.

Is there some way to copy the AD database from the PDC (SBS 2003 Premium) to the member server to restore the corrupted AD database?

If not, is AD necessary on the member server?  Exchange is running on the PDC (as a matter of fact it is the only thing running on the PDC right now).

This is a critical problem - the client's entire business is down as a result since all of their apps run on the member server.

(By the way, I am in New York and the server is in Florida.  I have remote access to the member server via RDP and to the PDC via RWW.  I am a Microsoft MCP with a Network Infrastructure competency.  There is a local consultant handling the problem but he has been unsuccessful in solving it as yet.  My client requested my assistance in expediting a solution.  I have a strong vested interest since I am the application developer/maintainer of the apps running on TS and IIS on the failed member server.)
Alan Huseyin Kayahan

"If not, is AD necessary on the member server?"
It is an additional domain controller. And TS on a domain controller is not a Microsoft approved scenario. So vice versa, AD shouldn't be on TS. Do metadata cleanup and demote this additional DC.
Boot the TS server in Directory restore mode and follow this article:
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Before demoting this DC, try copying ntds.dit (AD database) from %SystemRoot%\ntds\NTDS.DIT in SBS to %SystemRoot%\ntds\NTDS.DIT in win2003 TS (never tried but might work).
portdata

ASKER

MrHusy:

Thanks for your input.

I am going to pass on your suggestions to the on-site consultant in Florida.

I cannot copy the ntds.dit database from the SBS Server because it is in use and will not allow it to be copied.  The SBS server would need to be brought up in safe mode and a copy made of ntds.dit.  I cannot do that remotely.

I am even more interested in your comment about downgrading the second server.  That was supposed to have been done long ago.  I forgot about it.  

I recommended several months ago that they install a terminal server in application server mode.  At the time that the terminal server was being installed, the SBS server had a massive failure.  So, they installed the new server as a PDC.  I explained to them that SBS 2003 will not allow Terminal Services to be installed in application mode, but they needed a replacement PDC immediately so they configured it to be a PDC without Terminal Services.  When the replacement SBS server was delivered, I expected them to downgrade the application server to be a member server, not a DC.  He made it an application server, but evidently left it set up as a secondary domain controller and left active directory installed.

This client has had long-standing server problems and has not succeeded in finding a competent local expert who is able to clean up the mess once and for all.  I do what I can from this end of a phone line and a remote web link.

I'll post the results of the changes as soon as they are made (hopefully tomorrow).

Art Misita
Port Data Resources, Inc. / Tech 2 Go
Mr. Husky is right, but I think I would take another approach to it.

Demote the server. That removes the database. If you need it as a domain controller, you can repromote it and force replicate from the SBS to the standard server. That will bring back your AD database.
@ChiefIT: in my first post: "Do metadata cleanup and demote this additional DC". But demoting this server is not so easy (I encountered this problem before) because this error does not let you boot Windows in normal mode. It pops up at start and as you click OK, it restarts itself. It does the same thing in safe mode also. The only way is booting in Directory restore mode and removing the DC.
@Art: wait a minute! Is the 2003 server the PDC???? If yes, do not process any steps above!
MrHusy:

No, the PDC is Windows Small Business Server 2003 Premium.  The failing server is running Windows 2003 Server Standard and all of the rest (TS, SQL 2005, IIS, etc.)  It is defined to the SBS 2003 server as a domain controller instead of just another computer running Windows 2003 Server as its operating system.

I do not see any reason why the TS server needs to be a domain controller or why it needs to have AD installed and running on it.  I have a similar network in my own office and do not have AD running on the TS server.  The SBS server handles AD for the entire network.

Nobody needs to log in directly to SRVR2 (the TS server).  It runs VB.Net apps in TS, an ASP.Net app in IIS and Canon Imageware.  Why would it need to have AD installed?

Demoting it or removing DC seems to make perfect sense.
Perfect. You can safely go on demoting it (otherwise we would have to seize the roles).

"I do not see any reason why the TS server needs to be a domain controller or why it needs to have AD installed and running on it."
Exactly. As I mentioned earlier, Microsoft does not approve a scenario in which TS in app mode is installed on a domain controller. It would be unsecure to let many unauthorized people access a DC. TS shouldn't be on a DC, so just demote it and let it stay as a domain member server.
Well, you are off-site, and you cannot reach the F8 menu and connect to "Directory restore mode". It will be difficult on the phone :( . Btw, doing metadata cleanup won't be enough.
Here is an idea. Use NT backup in SBS and back up the Active Directory database. Then restore it on the win2003 server. But be careful: while taking the backup, only take the "Active Directory database", not the full system state.

Regards
MrHusy:

NTBackup will not let me check the box for NTDS.DIT, the active directory database.  When I check the box for the C:\WINDOWS\NTDS folder, the individual files in that folder remain unchecked.

I think a DCPROMO downgrade is going to be the only successful solution.

I sent an email to the Florida consultant "strongly suggesting" that solution (and copied my client).  And I sent a separate email to my client suggesting that he pay for a plane ticket, a hotel room and two days of my time and I will fly to Florida and fix the problem for him tomorrow.  (I actually hope the consultant will follow the advice and save me the trip.)

Thanks for your advice and your time.

Art Misita
Thanks to all for their advice.
You are welcome, Art. One more suggestion: what brand is the server? HP, IBM? Maybe we can configure something like iLO and you won't have to go there.
Btw, you cannot back up ntds.dit like that. You should expand "System State" while backing up, not the C:\ drive. The directory database exists under System State.
I tried to back up ntds.dit that way as well.  All of the checkboxes in the system state are greyed out.  There is no way to back up just the Active Directory.

That might be because the server is started in safe mode.

Right now it is in the hands of the owner of the business and his consultant.

I told my client to contact me if he needs me.

I gave the consultants explicit instructions on how to downgrade to a member server.

All I can do now is wait...
MrHusy:

The consultant did exactly as told and removed AD from SRVR2.

All is back up and running well.

Thanks again.
You are welcome :)
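
The thread ends with AD removed from SRVR2; the console session below is an added example (not posted by any participant) of confirming from the healthy DC that no stale domain controller entry remains, and of the metadata cleanup mentioned above if one does. `SBS01` and `EXAMPLE` are placeholder names for the SBS server and the NetBIOS domain, the list indexes are illustrative, and the Windows Server 2003 Support Tools (netdom, nltest, dcdiag) are assumed to be installed.

```batch
rem Added example, not from the thread. Run on the healthy DC (the SBS server).
rem SBS01 and EXAMPLE are placeholders; the numeric indexes below are illustrative.

rem 1. Confirm the SBS server holds all five FSMO roles, so nothing has to be seized.
netdom query fsmo

rem 2. List the DCs the domain still advertises. After a clean demotion
rem    SRVR2 should no longer appear here.
nltest /dclist:EXAMPLE

rem 3. Only if SRVR2 is still listed: remove its leftover server object.
rem    The indented lines are typed at the ntdsutil prompts, not run by cmd.
rem    Take every number from the preceding "list" output.
ntdsutil
    metadata cleanup
    connections
    connect to server SBS01
    quit
    select operation target
    list domains
    select domain 0
    list sites
    select site 0
    list servers in site
    select server 1
    quit
    remove selected server
    quit
    quit

rem 4. Re-check: SRVR2 must be gone from the DC list and dcdiag should not
rem    report replication partners that no longer exist.
nltest /dclist:EXAMPLE
dcdiag /s:SBS01
```

If step 2 already shows only the SBS server, step 3 is unnecessary; a DC object left behind for a machine that is now an ordinary Terminal Server is the condition this check is meant to catch.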