Solved

Windows Server 2003 R2 "Directory Service cannot start" problem

Posted on 2009-04-07
Last Modified: 2012-05-06
I use a Windows 2003 Server as a file server, Domain Controller and Exchange 2003 server. The config stays pretty much the same all the time - I never add or delete users or change the AD settings. So I've been lazy about backups and don't have any recent backups (all well over 90 days old). This morning, it fails during bootup with "Directory Service cannot start - click ok to shutdown and restart in Directory Services Restore Mode". It would not be a disaster if I had to rebuild it from scratch except that it has a lot of stored emails in the Exchange server.

I'm able to log in under Directory Services Restore Mode, but cannot run exmerge.exe to extract the emails from Exchange because it appears to need the Directory Services. If I restore the System State using one of my old backups, there is a risk that it will trash everything because the backup is too old (more than the "tombstone" date). Is there a solution?
0
Question by:feptias
8 Comments
 
LVL 15

Expert Comment

by:zelron22
ID: 24087248
Any error messages in the logs, or pop-ups?
0
 
LVL 19

Author Comment

by:feptias
ID: 24087469
Pop-up during boot says roughly what I quoted above "Directory Service cannot start - click ok to shutdown and restart in Directory Services Restore Mode". Once logged in, the event log for Directory Service has the following errors:
NTDS ISAM, Event ID 454, NTDS (464) NTDSA: Database recovery/restore failed with unexpected error -501.
NTDS General, Event ID 1168, Internal error: An Active Directory error has occurred, additional data: Error value (decimal) -501,  hex fffffe0b, Internal ID 40749
NTDS General, Event ID 1003, Active Directory could not be initialised. The operating system cannot recover from this error. User Action: Restore the local domain controller from backup media.

It doesn't sound good, does it!
(I'll be out for about 1 hour now - got to see the dentist. Not my lucky day!!)
0
 
LVL 15

Assisted Solution

by:zelron22
zelron22 earned 1000 total points
ID: 24087670
Woof.  It doesn't look good.  You might try this thread http://www.winserverhelp.com/ftopic39017.html

Otherwise, I'd recommend calling Microsoft's PSS and seeing if they can help.
0
 
LVL 19

Accepted Solution

by:feptias
feptias earned 0 total points
ID: 24121673
I'm posting an update in case some of the suggestions or links may be useful to others with the same problem.

Zelron22, your link led me to this article, but the suggestions there did not fix my problem:
http://support.microsoft.com/kb/258062/en-us
So I raised a "break-fix" issue with Microsoft and they suggested various remedies summarised here:

1. Check NTDS folder permission under C:\Windows:
Account - Permissions
System - Full Control
Administrators - Full Control
Creator Owner - Full Control
Local Service - Create Folders / Append Data

2. Boot the server in Directory Services Restore Mode, then run the following:
Ntdsutil-> Files -> Recover  (Wait for the soft recovery to be finished)
If the soft recovery succeeds, you will be back to the "file maintenance:" prompt;
Type in "quit" -> "Semantic database analysis" -> "Go fixup".
If that fails, try:
esentutl /g "c:\windows\ntds\ntds.dit"  
esentutl /p "c:\windows\ntds\ntds.dit"
(Caution: I read somewhere that certain directory repair options may be potentially harmful to the directory database in the long term and so should only be tried as a last resort)

Microsoft directed me to some other Technical KB articles as follows:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;232122
http://support.microsoft.com/default.aspx?scid=KB;EN-US;315131

However, what finally fixed it was that I renamed all the *.log files in Windows\NTDS to a name that did not end with ".log", then rebooted in normal mode and it was ok again. Windows re-created the log files.

With hindsight, the problem appears to have been with the NTDS log files and there were a couple of events in the Windows system log that pointed to that possibility (sorry should have included them in my earlier response). They were:
NTDS ISAM, Event 477, NTDS (464) NTDSA: The log range read from the file
"C:\WINDOWS\NTDS\edb.log" at offset 4319232 (0x000000000041e800) for 512
(0x00000200) bytes failed verification due to a range checksum mismatch.  The
read operation will fail with error -501 (0xfffffe0b).  If this condition
persists then please restore the logfile from a previous backup.

NTDS ISAM, Event 465, NTDS (464) NTDSA: Corruption was detected during soft
recovery in logfile C:\WINDOWS\NTDS\edb.log. The failing checksum record is
located at position END. Data not matching the log-file fill pattern first
appeared in sector 8437 (0x000020F5). This logfile has been damaged and is
unusable.

I did not have to resort to restoring anything from my old backup, but only time will tell if the system is now stable. By the way, Microsoft also recommended excluding the C:\Windows\NTDS folder from any AV scanning.
0
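
As an added example (not part of the original posts and not Microsoft tooling), here is a small Python triage of the event text quoted in this thread. It re-joins the wrapped records, checks that the printed hex matches the decimal ESE code, and reports which NTDS file the events implicate; the function names are hypothetical, and the name given for -501 is the ESE error constant.

```python
import re
# ESE error named here: -501 is JET_errLogFileCorrupt (log file is corrupt).
ESE_ERRORS = {-501: "JET_errLogFileCorrupt"}

# Event text excerpted from the posts above, hard-wrapped as it was pasted.
SAMPLE = r"""NTDS ISAM, Event ID 454, NTDS (464) NTDSA: Database recovery/restore failed with unexpected error -501.
NTDS General, Event ID 1168, Internal error: An Active Directory error has occurred, additional data: Error value (decimal) -501,  hex fffffe0b, Internal ID 40749
NTDS ISAM, Event 477, NTDS (464) NTDSA: The log range read from the file
"C:\WINDOWS\NTDS\edb.log" at offset 4319232 (0x000000000041e800) for 512
(0x00000200) bytes failed verification due to a range checksum mismatch.  The
read operation will fail with error -501 (0xfffffe0b).
NTDS ISAM, Event 465, NTDS (464) NTDSA: Corruption was detected during soft
recovery in logfile C:\WINDOWS\NTDS\edb.log. The failing checksum record is
located at position END.
"""

HEADER = re.compile(r"^NTDS (?:ISAM|General), Event(?: ID)? (\d+),")
CODE = re.compile(r"(?:error|\(decimal\)) (-\d+)")
PATH = re.compile(r'[A-Za-z]:\\[^\s"]+?\.(?:log|dit|chk)\b')

def split_events(text):
    """Re-join wrapped lines so each record is one (event_id, message) pair."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            events.append([int(m.group(1)), line])
        elif events and line.strip():
            events[-1][1] += " " + line.strip()
    return [tuple(e) for e in events]

def triage(text):
    """Summarise which ESE errors and which NTDS files the events implicate."""
    ids, codes, files = [], set(), set()
    for eid, msg in split_events(text):
        ids.append(eid)
        codes |= {int(c) for c in CODE.findall(msg)}
        files |= {f.lower() for f in PATH.findall(msg)}
    return {
        "event_ids": ids,
        "codes": {c: ESE_ERRORS.get(c, "unmapped") for c in sorted(codes)},
        # The hex the events print is the 32-bit two's complement of the code.
        "hex_confirmed": {c: format(c & 0xFFFFFFFF, "08x") in text.lower() for c in codes},
        "files": sorted(files),
        "suspect": ("transaction log" if any(f.endswith(".log") for f in files)
                    else "database" if any(f.endswith(".dit") for f in files)
                    else "unknown"),
    }
```

Calling `triage(SAMPLE)` on the thread's events names only `edb.log`, never `ntds.dit`, which matches the poster's hindsight that the log files were the damaged part.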
 
LVL 6

Assisted Solution

by:bdesmond
bdesmond earned 500 total points
ID: 24123628
In addition to the antivirus exclusions you need to test the I/O subsystem on this box. It has problems. Update the drivers for the controller as well while you're at it. Firmware, etc.


Thanks,
Brian Desmond
Active Directory MVP
0
 
LVL 19

Author Comment

by:feptias
ID: 24125758
Hi Brian. Your contribution is much appreciated, but can you point me in the right direction as to how I set about "testing the I/O subsystem" please?

For info: The server has a pair of mirrored Western Digital SATA hard disks using the onboard Intel 82801FR RAID controller on an ASUS P5GD1 motherboard. RAID management software is Intel Matrix and it reports the status of both disks as normal. It has 2GB of memory.

I suspect that one of the contributory factors to the problems I see on this server (this is not the first problem it has had) is the fact that I shut it down every evening and restart it again the next morning. It seems to me that Windows Server is much happier when left running 24x7. The fact that it is a DC and has Exchange 2003 installed on it may also not help, but it does not get heavily used for anything.
0
 
LVL 6

Expert Comment

by:bdesmond
ID: 24126523
Gracefully shutting down a server should not cause physical corruption of a file. If you're just pulling the plug then yes this probably will happen. The box should be fine being shut down every day although for an email server that seems kind of odd.

Typically the manufacturer provides hardware diagnostics tools.

Thanks,
Brian Desmond
Active Directory MVP
0
 
LVL 19

Author Comment

by:feptias
ID: 24128460
Brian, the server is always shut down gracefully.

That installation of Exchange is not my main email server - I use it only as a test machine and also as a local store for a couple of email accounts that get downloaded from POP3 mail boxes on the Internet. It was useful to store the downloaded mails on Exchange because then they were accessible from any PC on my LAN (via Outlook). The more usual POP3 download - direct to the workstation - means you can only look at old emails if you are sat in front of the same workstation that downloaded them.
0

Question has a verified solution.
