Domain controller won't boot!!!

brasslan
Hello all.  My network has two domain controllers.  Today the PDC boots up with the following... "Security Accounts Manager initialization failed because of the following error:  Directory Service cannot start."

When booting in Active Directory restore mode (which is the only way the server will boot) I run the following at the dos prompt...
ntdsutil files integrity
ntdsutil "sem d a" "go f"

Both report problems, and neither one is able to repair.

I have no system state backup (or any other backup) from this server.  But I do have the other domain controller.  How do I get a copy of the AD database from that DC put onto my PDC?  Or is there a better fix?

Thanks in advance!
-brasslan
Commented:
MAKE SURE you know which one of the two servers holds the FSMO roles before you do anything. If this is the FSMO holder you'll need to seize the roles:

http://support.microsoft.com/kb/255504

If this server is not the FSMO holder & has a good backup of the data, I'd just reload it, restore the data, & let it rebuild AD off the other server on the initial DCPROMO
Commented:
If you don't have a backup, and the database is corrupt, your only chance is to reinstall AD on this machine.
You can first try to demote the machine forcefully, as described here:
Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server
http://support.microsoft.com/kb/332199

If this does not work, you'll have to reinstall from scratch.
Either way, you not only have to seize the FSMO roles to the surviving DC, but you have to clean out AD from the old machine *before* you repromote the machine:
How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/kb/216498
Commented:
You could do dcpromo /forceremoval on the failed DC, use one of the other DCs to seize the FSMO roles, then do a cleanup and then repromote your failed DC.

Guide to seizing FSMO roles: http://support.microsoft.com/kb/255504

Guide to AD cleanup: http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Then run dcpromo again to repromote your failed DC back and it will then replicate with the other.
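
The sequence described in the answers above, as an added example that is not part of the original thread, run from the surviving domain controller. DC1 (failed) and DC2 (surviving) are placeholder names, and netdom and dcdiag are assumed to be installed from the Support Tools.

```batch
@echo off
rem Added example: run on the SURVIVING domain controller with domain admin rights.
rem DC1 (failed) and DC2 (surviving) are placeholder names, not taken from the thread.
setlocal
set DEAD_DC=DC1
set GOOD_DC=DC2

rem 1. Record who holds the five FSMO roles before changing anything.
netdom query fsmo
if errorlevel 1 (
    echo netdom failed. Install the Support Tools or check connectivity.
    goto :eof
)

rem 2. Check the surviving DC's own health so roles are not seized onto a bad copy.
dcdiag /s:%GOOD_DC%
echo.
echo Review the output above. Press Ctrl+C to stop if %GOOD_DC% shows failures.
pause

rem 3. Seize every role that step 1 listed against %DEAD_DC% (all five in this thread).
rem    ntdsutil asks for confirmation on each seizure. Command names follow KB 255504.
rem    A DC that lost its roles by seizure should be rebuilt, not returned to service as-is.
ntdsutil roles connections "connect to server %GOOD_DC%" quit ^
  "seize schema master" "seize domain naming master" "seize RID master" ^
  "seize PDC" "seize infrastructure master" quit quit

rem 4. Confirm the roles now list %GOOD_DC%.
netdom query fsmo

rem 5. Metadata cleanup (KB 216498). The target is picked by index, so ntdsutil is
rem    left at its "select operation target" prompt. Type there, using the indexes shown:
rem      list domains            then  select domain N
rem      list sites              then  select site N
rem      list servers in site    then  select server N   (the entry for %DEAD_DC%)
rem      quit
rem      remove selected server
rem      quit
rem      quit
ntdsutil "metadata cleanup" connections "connect to server %GOOD_DC%" quit ^
  "select operation target"

rem 6. On the failed machine itself: dcpromo /forceremoval (or reinstall), then
rem    run dcpromo again so it replicates a fresh copy of AD from %GOOD_DC%.
endlocal
```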

Author

Commented:
The dead server holds all FSMO roles.

What do I do after seizing the roles?  Are you trying to tell me that after seizing all roles on the other DC, then I should DCPROMO to demote and repromote the dead server?

I'm really hoping that I can just tell the PDC to get a copy of the missing AD information from the other DC.  Is that possible?

Commented:
Once you seize the roles the DC you used to seize them will hold the roles.
This really is the easiest option.

It's not as painful as it first looks; just follow the steps clearly.

Author

Commented:
Wow, everyone posted at once :-).

Ok, I think I have enough information now to get started...

Thanks!

Commented:
Just make sure you follow the steps step by step; one missed step could make all the difference.
