
Can't create objects

Hi Guys,

A bit of the back story. I have a server running SBS2003. Towards the end of last year, the hard drive started acting up, so I took a ghost image in case it failed (this was done in January). Fast forward to last Monday, and the hard drive finally died.

I managed to load the ghost image onto a replacement drive, and the dead one got sent off to a recovery company because there were a few files that weren't backed up. I installed the disk and we were back running (partially).

The data recovery company managed to take an image of the dead disk, and said that most of the data was fine, and that we were lucky. The new image of the dead disk was put onto a new hard drive and was installed in the server last night.

As far as I can tell everything is OK, except for one kind of crucial thing... in Active Directory Users and Computers, I can no longer create objects. I have only tried creating computer accounts and user accounts, but both fail and I receive the following error message:

"Windows cannot create the object "name" because: The directory service encountered an unknown failure"

Does anyone know what I can try to get this system back operating properly?

Kind regards
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) Commented:
I assume you are receiving those error messages within Active Directory Users and Computers.  I also assume you only have this one SBS server running as a domain controller?  No replication to other domain controllers?

Have you looked at the event logs on that SBS/DC?  I assume you had to have looked thru the system log and probably application log to resolve probable issues with the recovered image, but what about the Directory Services, Replication, and other Active Directory related event logs?
jack-lindsay (Author) Commented:
Hi, yes, I receive that error message when I click the Finish button when attempting to create a new user or computer within Active Directory Users & Computers. When I try to delete a computer, I receive the message "Windows cannot delete object Mobile-1 because: An internal error occurred".
Yes, there is only this one SBS server, so no replication.

The only Error logs in System are to do with Adobe PDF.
The only Error logs in Application are to do with an email account.
I do have a few errors in Directory Services, with the following being repeated:

NTDS (408) NTDSA: The database page read from the file "C:\WINDOWS\NTDS\ntds.dit" at offset 7274496 (0x00000000006f0000) for 8192 (0x00002000) bytes failed verification because it contains no page data.  The read operation will fail with error -1019 (0xfffffc05).  If this condition persists then please restore the database from a previous backup. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.

I do have a few errors in DNS Server, with the following being repeated:

The DNS server was unable to complete directory service enumeration of zone MyDomainName.local.  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

And no other errors in any other logs.

Does this help in any way?
Go to a command line, run dcdiag /v and examine the results; this will tell you if anything specific to AD is broken. Look for anything that shows "failed".

It sounds to me that there is some corruption in your AD database.

You may want to do an offline defrag to AD as well:

jack-lindsay (Author) Commented:
OK, I've just done a dcdiag, and here is what I saw that popped out at me:

Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
            IsmServ Service is stopped on [SIMON]
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... SIMON failed test Services

Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 03/19/2011   12:52:10
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 03/19/2011   12:52:11
            (Event String could not be retrieved)
         ......................... SIMON failed test systemlog

Looks like it passed everything else. I'm going to do that offline defrag as well.
OK, the item in the services section can safely be ignored. The ISMServ does not run normally in SBS.

The item that is erroring on the system log check is not a huge deal either.. EventID: 0x00000457 is Event ID 1111. You can disable the client printer mapping when you start the RDP client (under Options-Local Resources); this should prevent these messages from appearing.

So that's good that DCDiag looks pretty healthy.

Let me know how the defrag goes and we'll go from there.

I still suspect corruption in the AD database.

I would also recommend using ntdsutil to try to repair the AD DB.
Details can be found here: http://home.hccnet.nl/beitler/tips_tricks/windows2000/repairing_ad_with_ntdsutil__if_y.htm

If that fails you, you have the alternate option to use Esentutl::
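
As an added example that is not part of the original thread: a small Python parser for `dcdiag /v` output of the shape quoted above. It lists the tests marked "failed", the services reported stopped, and each EventID converted from dcdiag's hex form to the decimal number Event Viewer shows (0x00000457 becomes 1111). The sample text is a shortened copy of the excerpt in the thread; the function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: a shortened copy of the dcdiag /v excerpt quoted in the thread.
SAMPLE = """\
Starting test: Services
         * Checking Service: NtFrs
         * Checking Service: IsmServ
            IsmServ Service is stopped on [SIMON]
         * Checking Service: NETLOGON
         ......................... SIMON failed test Services
Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 03/19/2011   12:52:10
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 03/19/2011   12:52:11
         ......................... SIMON failed test systemlog
"""

START = re.compile(r"^\s*Starting test:\s*(\S+)")
VERDICT = re.compile(r"^\s*\.{5,}\s*(\S+) (passed|failed) test (\S+)")
EVENT = re.compile(r"EventID:\s*0x([0-9A-Fa-f]{1,8})")
STOPPED = re.compile(r"^\s*(\S+) Service is stopped on")

def summarize(text):
    """Map each dcdiag test name to its verdict, stopped services and event IDs."""
    tests, cur = {}, None
    for line in text.splitlines():
        if m := START.match(line):
            cur = tests.setdefault(
                m.group(1), {"result": None, "stopped": [], "events": Counter()})
        elif cur is None:
            continue  # text outside any test block
        elif m := VERDICT.match(line):
            cur["result"] = m.group(2)
            cur = None  # the verdict line closes the test block
        elif m := STOPPED.match(line):
            cur["stopped"].append(m.group(1))
        elif m := EVENT.search(line):
            # dcdiag prints the 32-bit identifier; Event Viewer shows the low 16 bits.
            cur["events"][int(m.group(1), 16) & 0xFFFF] += 1
    return tests

def failed_tests(summary):
    """Names of tests whose verdict line says 'failed', in output order."""
    return [name for name, t in summary.items() if t["result"] == "failed"]

if __name__ == "__main__":
    for name, t in summarize(SAMPLE).items():
        print(name, t["result"], t["stopped"], dict(t["events"]))
```
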
jack-lindsay (Author) Commented:
Ok I've been reading about this now and wonder if I'm missing an obvious option.

It sprung to mind that the ghost image of this exact machine taken in January appears to be free from the AD error now apparent on the recovered (up to date) image which is now in place. (This was the working image in place up to 14th March when the disk failed).

Rather than try to repair the AD in place now, could I not just take a back up of the system state from the January Ghost image and restore it to the "corrupt" March version.

The only physical change would be the physical disks that the 2 images are on. No other hardware has been introduced or changed between times. And AD is pretty much as was. (only a fixed number of users, less than half a dozen and clients total 4 machines)

Is this an option / has anyone carried out something similar, or could I suffer some other problems, making trying to fix the current corrupt version a better alternative?
Didn't realize you had two backups, I thought you only had your backup image from the recovery company.

Yes, I would try what you suggested. The worst thing is after the restore some passwords may be wrong for users.

Since you only have one DC restoring to an older time like that shouldn't be a huge issue.

Worst case, you try it and have issues and you have to go back to where you are now.  If you had multiple DCs I'd be more worried about it. You'd want to do an authoritative restore.
jack-lindsay (Author) Commented:
Excellent news.
Will try this later this evening and will report back.
jack-lindsay (Author) Commented:

Just about to go to site and try this.
Can you advise if there is anything settings/options-wise I should make sure about when taking the backup from the January backup, or likewise when restoring it to the current (corrupt) system?
Or should I just carry out a default process at both ends letting MS do the work?
Happy to hear things ended up working out!
jack-lindsay (Author) Commented:
For those interested, my re-evaluation of the scenario brought about the solution, backed up by ServerGuyScott's post.

1. Used NT Backup to take a copy of the System state from the previous ghost image of the system taken in January.

2. Swapped the disk back to the "recovered" (but AD corrupt) version of the system.

3. Used NT Backup to restore the system state per the January image.

4. Re-set the client computers on the domain using the AD users and computers / SBS computers / computer name and then selecting reset account from the context menu.

5. Pulled each client off the domain (back to a workgroup) then rejoined each to the domain again in order to overcome the server / client "belated handshake"

Harmony is restored!
Clever stuff that system state!

Thank you everyone for your consideration