Solved

Can't create objects

Posted on 2011-03-19
Last Modified: 2012-05-11
Hi Guys,

A bit of the back story. I have a server running SBS2003. Towards the end of last year, the hard drive started acting up, so I took a ghost image in case it failed (this was done in January). Fast forward to last Monday, and the hard drive finally died.

I managed to load the ghost image onto a replacement drive, and the dead one got sent off to a recovery company because there were a few files that weren't backed up. I installed the disk and we were back running (partially).

The data recovery company managed to take an image of the dead disk, and said that most of the data was fine, and that we were lucky. The new image of the dead disk was put onto a new hard drive and was installed in the server last night.

As far as I can tell everything is OK, except for one kind of crucial thing... In Active Directory Users and Computers, I can no longer create objects. I have only tried creating computer accounts and user accounts, but both fail and I receive the following error message:

"Windows cannot create the object "name" because: The directory service encountered an unknown failure"

Does anyone know what I can try to get this system back operating properly?

Kind regards
Jack
Question by:jack-lindsay
11 Comments
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 35171394
I assume you are receiving those error messages within Active Directory Users and Computers.  I also assume you only have this one SBS server running as a domain controller?  No replication to other domain controllers?

Have you looked at the event logs on that SBS/DC?  I assume you had to have looked thru the system log and probably application log to resolve probable issues with the recovered image, but what about the Directory Services, Replication, and other Active Directory related event logs?
0
 

Author Comment

by:jack-lindsay
ID: 35171434
Hi, yes, I receive that error message when I click the Finish button when attempting to create a new user or computer within Active Directory Users & Computers. When I try to delete a computer, I receive the message "Windows cannot delete object Mobile-1 because: An internal error occurred".
Yes, there is only this one SBS server, so no replication.

The only Error logs in System are to do with Adobe PDF.
The only Error logs in Application are to do with an Email account.
I do have a few errors in Directory Services, with the following being repeated:

NTDS (408) NTDSA: The database page read from the file "C:\WINDOWS\NTDS\ntds.dit" at offset 7274496 (0x00000000006f0000) for 8192 (0x00002000) bytes failed verification because it contains no page data.  The read operation will fail with error -1019 (0xfffffc05).  If this condition persists then please restore the database from a previous backup. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.

I do have a few errors in DNS Server, with the following being repeated:

The DNS server was unable to complete directory service enumeration of zone MyDomainName.local.  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

And no other errors in any other logs.

Does this help in any way?
0
 
LVL 3

Expert Comment

by:ServerGuyScott
ID: 35171481
Go to a command line and run dcdiag /v and examine the results; this will tell you if anything specific to AD is broken. Look for anything that shows "failed".

It sounds to me that there is some corruption in your AD database.

You may want to do an offline defrag to AD as well:
http://support.microsoft.com/kb/232122
0

 

Author Comment

by:jack-lindsay
ID: 35171581
OK, I've just done a dcdiag, and here is what I saw that popped out at me:

Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
            IsmServ Service is stopped on [SIMON]
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... SIMON failed test Services

Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 03/19/2011   12:52:10
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 03/19/2011   12:52:11
            (Event String could not be retrieved)
         ......................... SIMON failed test systemlog

Looks like it passed everything else. I'm going to do that offline defrag as well.
0
 
LVL 3

Expert Comment

by:ServerGuyScott
ID: 35171663
OK, the item in the services section can safely be ignored. The ISMServ does not run normally in SBS.

The item that is erroring on the system log check is not a huge deal either. EventID: 0x00000457 is Event ID 1111. You can disable the client printer mapping when you start the RDP client (under Options-Local Resources); this should prevent these messages from appearing.

So that's good that DCDiag looks pretty healthy.

Let me know how the defrag goes and we'll go from there.

I still suspect corruption in the AD database.

I would also recommend using ntdsutil to try to repair the AD DB.
Details can be found here: http://home.hccnet.nl/beitler/tips_tricks/windows2000/repairing_ad_with_ntdsutil__if_y.htm

If that fails you, you have the alternate option to use Esentutl:
http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/AdminTips/ActiveDirectory/UseEsentutlwhenNtdsutiltoolfailstorepairtheActiveDirectorydatabase.html
0
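The triage discussed in the comments above, as an added example that is not part of the original thread: it pulls the failed tests and event IDs out of the dcdiag excerpt and parses the Directory Service page-read event. The sample text is copied from the posts above; the function names and the short ESE error-name table are this example's own assumptions.

```python
import re

# Excerpts copied from the thread above: dcdiag /v output and the Directory Service event.
DCDIAG = """\
Starting test: Services
            IsmServ Service is stopped on [SIMON]
         ......................... SIMON failed test Services
Starting test: systemlog
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 03/19/2011   12:52:10
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 03/19/2011   12:52:11
         ......................... SIMON failed test systemlog
"""
NTDS_EVENT = (
    'NTDS (408) NTDSA: The database page read from the file '
    '"C:\\WINDOWS\\NTDS\\ntds.dit" at offset 7274496 (0x00000000006f0000) for 8192 '
    '(0x00002000) bytes failed verification because it contains no page data.  '
    'The read operation will fail with error -1019 (0xfffffc05).'
)
# ESE (Jet) error names for codes commonly logged when database pages are damaged on disk.
ESE_ERRORS = {-1018: "JET_errReadVerifyFailure", -1019: "JET_errPageNotInitialized",
              -1022: "JET_errDiskIO"}

def failed_tests(dcdiag_text):
    """(server, test) pairs from dcdiag's '..... SERVER failed test NAME' lines."""
    return re.findall(r"\.{5,}\s+(\S+) failed test (\S+)", dcdiag_text)

def error_event_ids(dcdiag_text):
    """Distinct event IDs as Event Viewer shows them (low 16 bits, decimal)."""
    hexes = re.findall(r"EventID:\s*0x([0-9A-Fa-f]+)", dcdiag_text)
    return sorted({int(h, 16) & 0xFFFF for h in hexes})

def parse_page_read_failure(event_text):
    """File, offset, page size and ESE error from a page-verification failure event."""
    m = re.search(r'file "([^"]+)" at offset (\d+) \(0x[0-9A-Fa-f]+\) for (\d+) '
                  r'\(0x[0-9A-Fa-f]+\) bytes failed verification.*?'
                  r'error (-\d+) \(0x([0-9A-Fa-f]{8})\)', event_text, re.S)
    if m is None:
        return None
    path, offset, size, err, err_hex = m.groups()
    offset, size, err = int(offset), int(size), int(err)
    return {"file": path, "offset": offset, "page_size": size,
            "block_index": offset // size,  # whole blocks from the start of the file
            "error": err, "error_name": ESE_ERRORS.get(err, "unknown"),
            # the hex form is the same code as an unsigned 32-bit value
            "hex_matches": int(err_hex, 16) - 2**32 == err}

if __name__ == "__main__":
    print(failed_tests(DCDIAG), error_event_ids(DCDIAG))
    print(parse_page_read_failure(NTDS_EVENT))
```

A clean dcdiag run alongside a repeating page-read failure on ntds.dit is the pattern this thread shows, which is why the event log rather than dcdiag pointed at the database.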
 

Assisted Solution

by:jack-lindsay
jack-lindsay earned 0 total points
ID: 35176725
Ok I've been reading about this now and wonder if I'm missing an obvious option.

It sprung to mind that the ghost image of this exact machine taken in January appears to be free from the AD error now apparent on the recovered (up to date) image which is now in place. (This was the working image in place up to 14th March when the disk failed).

Rather than try to repair the AD in place now, could I not just take a back up of the system state from the January Ghost image and restore it to the "corrupt" March version?

The only physical change would be the physical disks that the 2 images are on. No other hardware has been introduced or changed between times. And AD is pretty much as was. (only a fixed number of users, less than half a dozen and clients total 4 machines)

Is this an option / has anyone carried out something similar or could I suffer some other problems making trying to fix the current corrupt version a better alternative?
0
 
LVL 3

Accepted Solution

by:
ServerGuyScott earned 250 total points
ID: 35180134
Didn't realize you had two backups, I thought you only had your backup image from the recovery company.

Yes, I would try what you suggested. The worst thing is after the restore some passwords may be wrong for users.

Since you only have one DC restoring to an older time like that shouldn't be a huge issue.

Worst case, you try it and have issues and you have to go back to where you are now.  If you had multiple DC's I'd be more worried about it. You'd want to do an authoritative restore.
0
 

Author Comment

by:jack-lindsay
ID: 35181409
Excellent news.
Will try this later this evening and will report back.
0
 

Author Comment

by:jack-lindsay
ID: 35183072
ServerGuyScott,

Just about to go to site and try this.
Can you advise if there is anything settings/options-wise I should make sure about when taking the backup from the January backup? Or likewise when restoring it to the current (corrupt) system?
Or should I just carry out a default process at both ends letting MS do the work?
0
 
LVL 3

Expert Comment

by:ServerGuyScott
ID: 35185811
Happy to hear things ended up working out!
0
 

Author Closing Comment

by:jack-lindsay
ID: 35221349
For those interested, my re-evaluation of the scenario brought about the solution, backed up by ServerGuyScott's post.

1. Used NT Backup to take a copy of the System state from the previous ghost image of the system taken in January.

2. Swapped the disk back to the "recovered" (but AD corrupt) version of the system.

3. Used NT Backup to restore the system state per the January image.

4. Re-set the client computers on the domain using the AD users and computers / SBS computers / computer name and then selecting reset account from the context menu.

5. Pulled each client off the domain (back to a workgroup) then rejoined each to the domain again in order to overcome the server / client "belated handshake"

Harmony is restored!
Clever stuff that system state!

Thank you everyone for your consideration
0
