  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 553

Restore Active Directory, Password not Correct

I am doing a clean install of Windows Server 2003 and trying to restore Active Directory (via Mozy Pro, doing VSS backup services).

I boot into DSRM so I can restore A.D. authoritatively (single domain controller) and run the restoration and it says it is successful. I read a thing online that said:
DO NOT REBOOT WHEN YOU ARE TOLD TO!
System will notify you that you must reboot after a system state restore, do not do this yet as the Active Directory is not ready for use so after a restart it will be just the same as before! We first need to recover the database so that it is ready for use again:

1. Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.
2. At the Ntdsutil command prompt, type files, and then press ENTER.
3. At the file maintenance command prompt, type recover, and then press ENTER.
4. Type quit, and then press ENTER.
5. Restart the computer.

So I do that and it also says it is successful. However, upon rebooting into normal mode I am greeted with an error message that says:
LSASS.EXE - System Error, security accounts manager initialization failed because of the following error: Directory Services cannot start. Error status 0xc00002e1.

Please click OK to shutdown this system and reboot into directory services restore mode, check the event log for more detailed information.

I can tell you the password for the domain user "Administrator" is the same now as it was when I performed the backup from the original system. Also, the DSRM password is the same as that password. So if all the passwords are the same, what is the cause of this error message and how can I resolve it?
0
Asked by: fecklessness
3 Solutions
 
Netman66 Commented:
Was the DSRM password the same on the original box too?

What about the registry?  If you did a full system state backup, then this needs to be restored too.

0
 
fecklessness (Author) Commented:
All I care to restore is the Active Directory and user profiles/permissions and all of that stuff. Do I still have to restore the registry? I did not restore all the programs that were previously installed, does this affect whether I should restore the registry or not? Thanks
0
 
fecklessness (Author) Commented:
Netman66 - these are the instructions I followed. I could've checked off the box for registry too to restore that, but the instructions do not imply that is a step I should take. I'd love to learn more.

Mozy Instructions How to Restore
0
 
Netman66 Commented:
LSASS is the local security store.  As such, the registry is a necessary evil.

Try restoring it with the registry checked and everything else the same as you were doing.

Should I assume you just want to return your AD to a new server?  Was there only one DC?



0
 
fecklessness (Author) Commented:
Will try. Yes to both.
0
 
Netman66 Commented:
Hmmm...ok then, let me know how you make out.

Are you doing this now?  It's almost 1 AM here, but if it's reasonably quick I can wait.
0
 
fecklessness (Author) Commented:
Yup, just making a backup of my full partitions, done in 45 seconds, at which point I'll reboot and attempt, should take 10-15 minutes. Thanks so much.
0
 
fecklessness (Author) Commented:
Just thinking while it's restoring, won't restoring the registry call to programs on startup that are not installed and lead to errors? Or is that not how it works in this case?
0
 
Netman66 Commented:
Not necessarily.

I don't know the whole story here, so help me out.  Hold off on the registry idea right now, until we check something out.

Looking at the Mozy info, you needed to enable VSS backup sets first, then make sure you have SYSVOL and AD backed up.

On the client for the restore, you should only need to select AD and SYSVOL then check the little box for Authoritative Restore - I imagine the logic is built into their client.  You should NOT need to use NTDSUtil to mark the DIT authoritative unless you had more than one DC (ever).

If that still fails, then you might have permission issues on some folders or a corrupt DIT.  Please follow this article to figure out if it's either.  http://support.microsoft.com/kb/258062

0
 
fecklessness (Author) Commented:
Okay, so I avoided that error message. New one, the good ol' "at least one service failed to start", but I could click okay. Also, it appears all my drivers have been removed due to the reg change. Resolution is different, mouse/keyboard had to reinstall, and my activation has to be redone. All surmountable... have yet to confirm the AD is fully restored, but I have some shit to clean up now.......

How to check which services failed to start? Probably just not-installed programs or drivers, I'm betting?
0
 
Netman66 Commented:
Yes to last post.

Services are here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

You'll need to hit the logs to see what it's nagging about.

0
 
Netman66 Commented:
Sorry about the settings and drivers....should have mentioned that.

I think you are a good way there now, just need to clean up the stuff from the registry.

There are better ways to restore a single DC if you just wanted to change hardware or clean up the original server.  Temporarily add another DC and make it a GC with DNS.  You can back up and restore a DHCP database, and the AD is effectively "copied" to the temporary DC (which could be a simple workstation during the "swing" state).

I'm not a fan of third party system state and sysvol restores.  They almost never work properly.

0
 
fecklessness (Author) Commented:
Great man, I think this worked excellent. You're a great guy! Where are you that it's 1:30am-ish now? I'm EST, 12:30am right now
0
 
Netman66 Commented:
I'm in Atlantic Canada - New Brunswick.
0
 
Netman66 Commented:
Glad to assist.  Hopefully, things aren't too ugly to clean up.

I hear my pillow calling!  LOL...

Cheers,
NM
0
 
fecklessness (Author) Commented:
Getting a weird message trying to install downloaded EXE program setups.... like Mozy, TeamViewer, etc. They all say:
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

So I can't do much! Any idea what needs to be done there?
0
 
fecklessness (Author) Commented:
To clarify, I am logged on as Domain Administrator (it created a new profile folder "Administrator.000" now that AD is restored) so I have to reinstall Chrome, Mozy, TeamViewer...
0
 
fecklessness (Author) Commented:
Never mind, I found out I should: On the Windows 2003 server, go to add/remove windows components, then uninstall the Internet Explorer Enhanced Security component.

But now in add/remove programs there's a bunch of phantom programs listed. I'll have to sort which programs are/are not installed and maybe CCleaner's reg cleaner can get rid of some of the unused keys. Again, you are a huge help. Thanks so much for all you did.
0
 
Netman66 Commented:
You'll find these entries in the registry here:

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall

Each GUID represents an entry in Add/Remove.  You'll need to open each key to see what software it belongs to.  Safe to remove those that you know are not installed.

0
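Added example (not part of the original thread): a read-only PowerShell report covering the two registry locations named in the answers above, the Services key and the Uninstall key, listing entries left over from the restored registry whose files are not on the new install. The function names are hypothetical, and it assumes PowerShell 2.0 has been installed on the server, which Windows Server 2003 does not include by default.

```powershell
# Added example: read-only report; it changes nothing in the registry.
function Resolve-CommandTarget([string]$Command) {
    # Reduce an ImagePath / UninstallString value to the file it launches.
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    $c = $c -replace '^\\\?\?\\', ''                               # \??\C:\... form
    $c = $c -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')    # \SystemRoot\... form
    if ($c -match '^system32\\') { $c = Join-Path $env:SystemRoot $c }  # driver-relative form
    if ($c -match '^"([^"]+)"') { return $matches[1] }             # quoted path + arguments
    if ($c -match '^(.+?\.(exe|sys|dll|com|bat|cmd))(\s|$)') { return $matches[1] }
    return $c
}

function Test-MissingFile([string]$Path) {
    # True only for a fully qualified path that does not exist on this install.
    ($Path -match '^[A-Za-z]:\\') -and -not (Test-Path -LiteralPath $Path)
}

function Get-OrphanedService {
    # Boot (0), system (1) and automatic (2) services whose binary is gone.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        if ($p.ImagePath -and $p.Start -ne $null -and $p.Start -le 2) {
            $file = Resolve-CommandTarget $p.ImagePath
            if (Test-MissingFile $file) {
                New-Object PSObject -Property @{ Service = $_.PSChildName; Missing = $file }
            }
        }
    }
}

function Get-OrphanedUninstallEntry {
    # Add/Remove Programs entries whose install folder or uninstaller is gone.
    # MSI entries (msiexec.exe /X{GUID}) carry no full path and are skipped.
    Get-ChildItem 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall' | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        $target = $null
        if ($p.InstallLocation) { $target = $p.InstallLocation.Trim('"', ' ') }
        elseif ($p.UninstallString) { $target = Resolve-CommandTarget $p.UninstallString }
        if ($p.DisplayName -and $target -and (Test-MissingFile $target)) {
            New-Object PSObject -Property @{
                Key = $_.PSChildName; DisplayName = $p.DisplayName; Missing = $target }
        }
    }
}

Get-OrphanedService        | Format-Table Service, Missing -AutoSize
Get-OrphanedUninstallEntry | Format-Table Key, DisplayName, Missing -AutoSize
```

Export a key with `reg export` before deleting anything the report lists, so a wrong guess can be re-imported.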