Solved

Windows Server 2003 R2 "Directory Service cannot start" problem

Posted on 2009-04-07
8
5,396 Views
Last Modified: 2012-05-06
I use a Windows 2003 Server as a file server, Domain Controller and Exchange 2003 server. The config stays pretty much the same all the time - I never add or delete users or change the AD settings. So I've been lazy about backups and don't have any recent backups (all well over 90 days old). This morning, it fails during bootup with "Directory Service cannot start - click ok to shutdown and restart in Directory Services Restore Mode". It would not be a disaster if I had to rebuild it from scratch except that it has a lot of stored emails in the Exchange server.

I'm able to log in under Directory Services Restore Mode, but cannot run exmerge.exe to extract the emails from Exchange because it appears to need the Directory Services. If I restore the System State using one of my old backups, there is a risk that it will trash everything because the backup is too old (more than the "tombstone" date). Is there a solution?
0
Comment
Question by:feptias
  • 4
  • 2
  • 2
8 Comments
 
LVL 15

Expert Comment

by:zelron22
Comment Utility
Any error messages in the logs, or pop-ups?
0
 
LVL 19

Author Comment

by:feptias
Comment Utility
Pop-up during boot says roughly what I quoted above "Directory Service cannot start - click ok to shutdown and restart in Directory Services Restore Mode". Once logged in, the event log for Directory Service has the following errors:
NTDS ISAM, Event ID 454, NTDS (464) NTDSA: Database recovery/restore failed with unexpected error -501.
NTDS General, Event ID 1168, Internal error: An Active Directory error has occurred, additional data: Error value (decimal) -501,  hex fffffe0b, Internal ID 40749
NTDS General, Event ID 1003, Active Directory could not be initialised. The operating system cannot recover from this error. User Action: Restore the local domain controller from backup media.

It doesn't sound good, does it!
(I'll be out for about 1 hour now - got to see the dentist. Not my lucky day!!)
0
 
LVL 15

Assisted Solution

by:zelron22
zelron22 earned 250 total points
Comment Utility
Woof.  It doesn't look good.  You might try this thread http://www.winserverhelp.com/ftopic39017.html

Otherwise, I'd recommend calling Microsoft's PSS and see if they can help.
0
 
LVL 19

Accepted Solution

by:
feptias earned 0 total points
Comment Utility
I'm posting an update in case some of the suggestions or links may be useful to others with the same problem.

Zelron22, your link led me to this article, but the suggestions there did not fix my problem:
http://support.microsoft.com/kb/258062/en-us
So I raised a "break-fix" issue with Microsoft and they suggested various remedies summarised here:

1. Check NTDS folder permission under C:\Windows:
Account Permissions;  System Full Control;  Administrators Full Control;  Creator Owner Full Control
Local Service Create Folders / Append Data

2. Boot the server in Directory Services Restore Mode, then run the following:
Ntdsutil-> Files -> Recover  (Wait for the soft recovery to be finished)
If the soft recovery succeeds, you will be back to the "file maintenance:" prompt;
Type in "quit" -> "Semantic database analysis" -> "Go fixup".
If that fails, try:
esentutl /g "c:\windows\ntds\ntds.dit"  
esentutl /p "c:\windows\ntds\ntds.dit"
(Caution: I read somewhere that certain directory repair options may be potentially harmful to the directory database in the long term and so should only be tried as a last resort)

Microsoft directed me to some other Technical KB articles as follows:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;232122
http://support.microsoft.com/default.aspx?scid=KB;EN-US;315131

However, what finally fixed it was that I renamed all the *.log files in Windows\NTDS to a name that did not end with ".log", then rebooted in normal mode and it was ok again. Windows re-created the log files.

With hindsight, the problem appears to have been with the NTDS log files and there were a couple of events in the Windows system log that pointed to that possibility (sorry should have included them in my earlier response). They were:
NTDS ISAM, Event 477, NTDS (464) NTDSA: The log range read from the file
"C:\WINDOWS\NTDS\edb.log" at offset 4319232 (0x000000000041e800) for 512
(0x00000200) bytes failed verification due to a range checksum mismatch.  The
read operation will fail with error -501 (0xfffffe0b).  If this condition
persists then please restore the logfile from a previous backup.

NTDS ISAM, Event 465, NTDS (464) NTDSA: Corruption was detected during soft
recovery in logfile C:\WINDOWS\NTDS\edb.log. The failing checksum record is
located at position END. Data not matching the log-file fill pattern first
appeared in sector 8437 (0x000020F5). This logfile has been damaged and is
unusable.

I did not have to resort to restoring anything from my old backup, but only time will tell if the system is now stable. By the way, Microsoft also recommended excluding C:\Windows\NTDS folder from any AV scanning.
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 6

Assisted Solution

by:bdesmond
bdesmond earned 125 total points
Comment Utility
In addition to the antivirus exclusions you need to test the I/O subsystem on this box. It has problems. Update the drivers for the controller as well while you're at it. Firmware, etc.


Thanks,
Brian Desmond
Active Directory MVP
0
 
LVL 19

Author Comment

by:feptias
Comment Utility
Hi Brian. Your contribution is much appreciated, but can you point me in the right direction as to how I set about "testing the I/O subsystem" please?

For info: The server has a pair of mirrored Western Digital SATA hard disks using the onboard Intel 82801FR RAID controller on an ASUS P5GD1 motherboard. RAID management software is Intel Matrix and it reports the status of both disks as normal. It has 2GB of memory.

I suspect that one of the contributory factors to the problems I see on this server (this is not the first problem it has had) is the fact that I shut it down every evening and restart it again the next morning. It seems to me that Windows Server is much happier when left running 24x7. The fact that it is a DC and has Exchange 2003 installed on it may also not help, but it does not get heavily used for anything.
0
 
LVL 6

Expert Comment

by:bdesmond
Comment Utility
Gracefully shutting down a server should not cause physical corruption of a file. If you're just pulling the plug then yes this probably will happen. The box should be fine being shut down everyday although for an email server that seems kind of odd.

Typically the manufacturer provides hardware diagnostics tools.

Thanks,
Brian Desmond
Active Directory MVP
0
 
LVL 19

Author Comment

by:feptias
Comment Utility
Brian, the server is always shut down gracefully.

That installation of Exchange is not my main email server - I use it only as a test machine and also as a local store for a couple of email accounts that get downloaded from POP3 mail boxes on the Internet. It was useful to store the downloaded mails on Exchange because then they were accessible from any PC on my LAN (via Outlook). The more usual POP3 download - direct to the workstation - means you can only look at old emails if you are sat in front of the same workstation that downloaded them.
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Easy CSR creation in Exchange 2007,2010 and 2013
Learn to move / copy / export exchange contacts to iPhone without using any software. Also see the issues in configuration of exchange with iPhone to migrate contacts.
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now