Solved

Can't create objects

Posted on 2011-03-19
Last Modified: 2012-05-11
Hi Guys,

A bit of the back story. I have a server running SBS2003. Towards the end of last year, the hard drive started acting up, so I took a ghost image in case it failed (this was done in January). Fast forward to last Monday, and the hard drive finally died.

I managed to load the ghost image onto a replacement drive, and the dead one got sent off to a recovery company because there were a few files that weren't backed up. I installed the disk and we were back running (partially).

The data recovery company managed to take an image of the dead disk, and said that most of the data was fine, and that we were lucky. The new image of the dead disk was put onto a new hard drive and was installed in the server last night.

As far as I can tell everything is OK, except for one kind of crucial thing... in Active Directory Users and Computers, I can no longer create objects. I have only tried creating computer accounts and user accounts, but both fail and I receive the following error message:

"Windows cannot create the object "name" because: The directory service encountered an unknown failure"

Does anyone know what I can try to get this system back operating properly?

Kind regards
Jack
Question by:jack-lindsay
11 Comments
 
LVL 29

Expert Comment

by:Rich Weissler
I assume you are receiving those error messages within Active Directory Users and Computers. I also assume you only have this one SBS server running as a domain controller? No replication to other domain controllers?

Have you looked at the event logs on that SBS/DC?  I assume you had to have looked thru the system log and probably application log to resolve probable issues with the recovered image, but what about the Directory Services, Replication, and other Active Directory related event logs?
 

Author Comment

by:jack-lindsay
Hi, yes, I receive that error message when I click the Finish button when attempting to create a new user or computer within Active Directory Users & Computers. When I try to delete a computer, I receive the message "Windows cannot delete object Mobile-1 because: An internal error occurred".
Yes, there is only this one SBS server, so no replication.

The only Error logs in System are to do with Adobe PDF.
The only Error logs in Application are to do with an Email account.
I do have a few errors in Directory Services, with the following being repeated:

NTDS (408) NTDSA: The database page read from the file "C:\WINDOWS\NTDS\ntds.dit" at offset 7274496 (0x00000000006f0000) for 8192 (0x00002000) bytes failed verification because it contains no page data.  The read operation will fail with error -1019 (0xfffffc05).  If this condition persists then please restore the database from a previous backup. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.

I do have a few errors in DNS Server, with the following being repeated:

The DNS server was unable to complete directory service enumeration of zone MyDomainName.local.  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

And no other errors in any other logs.

Does this help in any way?
 
LVL 3

Expert Comment

by:ServerGuyScott
Go to a command line and run dcdiag /v and examine the results; this will tell you if anything specific to AD is broken. Look for anything that shows "failed".

It sounds to me that there is some corruption in your AD database.

You may want to do an offline defrag of AD as well:
http://support.microsoft.com/kb/232122
 

Author Comment

by:jack-lindsay
OK, I've just done a dcdiag, and here is what popped out at me:

Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
            IsmServ Service is stopped on [SIMON]
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... SIMON failed test Services

Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 03/19/2011   12:52:10
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 03/19/2011   12:52:11
            (Event String could not be retrieved)
         ......................... SIMON failed test systemlog

Looks like it passed everything else. I'm going to do that offline defrag as well.
 
LVL 3

Expert Comment

by:ServerGuyScott
OK, the item in the services section can safely be ignored. The ISMServ does not run normally in SBS.

The item that is erroring on the system log check is not a huge deal either. EventID: 0x00000457 is Event ID 1111. You can disable the client printer mapping when you start the RDP client (under Options-Local Resources); this should prevent these messages from appearing.

So that's good that DCDiag looks pretty healthy.

Let me know how the defrag goes and we'll go from there.

I still suspect corruption in the AD database.

I would also recommend using ntdsutil to try to repair the AD DB.
Details can be found here: http://home.hccnet.nl/beitler/tips_tricks/windows2000/repairing_ad_with_ntdsutil__if_y.htm

If that fails you, you have the alternate option to use Esentutl:
http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/AdminTips/ActiveDirectory/UseEsentutlwhenNtdsutiltoolfailstorepairtheActiveDirectorydatabase.html
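
Added example (not part of the original thread and not any poster's code): a small Python triage of the two artifacts quoted above, the dcdiag /v excerpt and the repeated NTDS read-verification event. The function names and the BENIGN list are assumptions for illustration; BENIGN encodes only what the expert reply says can be ignored on SBS.

```python
import re

# Constructed input: lines copied from the dcdiag excerpt and NTDS event quoted in this thread.
DCDIAG = """Starting test: Services
         * Checking Service: NtFrs
         * Checking Service: IsmServ
            IsmServ Service is stopped on [SIMON]
         ......................... SIMON failed test Services
Starting test: systemlog
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 03/19/2011   12:52:10
         ......................... SIMON failed test systemlog
"""
NTDS_EVENT = ('NTDS (408) NTDSA: The database page read from the file '
              '"C:\\WINDOWS\\NTDS\\ntds.dit" at offset 7274496 (0x00000000006f0000) '
              'for 8192 (0x00002000) bytes failed verification because it contains '
              'no page data.  The read operation will fail with error -1019 (0xfffffc05).')

# Findings the expert reply in this thread called safe to ignore on SBS (assumption: same setup).
BENIGN = ("IsmServ Service is stopped", "EventID 1111")

def failed_tests(text):
    """Map each failed dcdiag test to the detail lines printed under it."""
    failed, name, details = {}, None, []
    for line in map(str.strip, text.splitlines()):
        start = re.match(r"Starting test: (\S+)", line)
        event = re.search(r"EventID: (0x[0-9A-Fa-f]+)", line)
        if start:
            name, details = start.group(1), []
        elif re.search(r"\.{5,} \S+ failed test \S+", line):
            failed[name] = details
        elif event:  # low 16 bits of the identifier are the event code
            details.append("EventID %d" % (int(event.group(1), 16) & 0xFFFF))
        elif name and not line.startswith(("*", "Time Generated", "(")):
            details.append(line)
    return failed

def needs_attention(failed):
    """Drop details matching BENIGN; keep tests that still have unexplained findings."""
    left = {t: [d for d in ds if not d.startswith(BENIGN)] for t, ds in failed.items()}
    return {t: ds for t, ds in left.items() if ds}

def ese_read_failure(event):
    """Pull offset, length and error from the NTDS event and cross-check the hex forms."""
    m = re.search(r"offset (\d+) \((0x\w+)\) for (\d+) .*?error (-\d+) \((0x\w+)\)", event)
    offset, length, err = int(m.group(1)), int(m.group(3)), int(m.group(4))
    assert offset == int(m.group(2), 16) and err == int(m.group(5), 16) - 2**32
    # -1019 is JET_errPageNotInitialized (blank page); block = offset // length in the file
    return {"offset": offset, "block": offset // length, "aligned": offset % length == 0, "error": err}
```

On the thread's data, needs_attention() comes back empty while ese_read_failure() shows a page-aligned 8192-byte read of a blank page, which matches the expert's reading that dcdiag looks healthy and the problem sits in ntds.dit itself.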
 

Assisted Solution

by:jack-lindsay
jack-lindsay earned 0 total points
Ok I've been reading about this now and wonder if I'm missing an obvious option.

It sprung to mind that the ghost image of this exact machine taken in January appears to be free from the AD error now apparent on the recovered (up to date) image which is now in place. (This was the working image in place up to 14th March when the disk failed).

Rather than try to repair the AD in place now, could I not just take a backup of the system state from the January Ghost image and restore it to the "corrupt" March version?

The only physical change would be the physical disks that the 2 images are on. No other hardware has been introduced or changed between times. And AD is pretty much as was. (only a fixed number of users, less than half a dozen and clients total 4 machines)

Is this an option / has anyone carried out something similar, or could I suffer some other problems, making trying to fix the current corrupt version a better alternative?
 
LVL 3

Accepted Solution

by:
ServerGuyScott earned 250 total points
Didn't realize you had two backups, I thought you only had your backup image from the recovery company.

Yes, I would try what you suggested. The worst thing is after the restore some passwords may be wrong for users.

Since you only have one DC, restoring to an older time like that shouldn't be a huge issue.

Worst case, you try it and have issues and you have to go back to where you are now. If you had multiple DCs I'd be more worried about it. You'd want to do an authoritative restore.
 

Author Comment

by:jack-lindsay
Excellent news.
Will try this later this evening and will report back.
 

Author Comment

by:jack-lindsay
ServerGuyScott,

Just about to go to site and try this.
Can you advise if there is anything settings/options-wise I should make sure about when taking the backup from the January backup? Or likewise when restoring it to the current (corrupt) system?
Or should I just carry out a default process at both ends, letting MS do the work?
 
LVL 3

Expert Comment

by:ServerGuyScott
Happy to hear things ended up working out!
 

Author Closing Comment

by:jack-lindsay
For those interested, my re-evaluation of the scenario brought about the solution, backed up by ServerGuyScott's post.

1. Used NT Backup to take a copy of the System state from the previous ghost image of the system taken in January.

2. Swapped the disk back to the "recovered" but (AD corrupt) version of the system

3. Used NT Backup to restore the system state per the January image.

4. Re-set the client computers on the domain using the AD users and computers / SBS computers / computer name and then selecting reset account from the context menu.

5. Pulled each client off the domain (back to a workgroup) then rejoined each to the domain again in order to overcome the server / client "belated handshake"

Harmony is restored!
Clever stuff that system state!

Thank you everyone for your consideration