Restore Active Directory, Password not Correct
I am doing a clean install of Windows Server 2003 and trying to restore Active Directory (via Mozy Pro, doing VSS backup services)
I boot into DSRM so I can restore A.D. authoritatively (single domain controller) and run the restoration and it says it is successful. I read a thing online that said:
So I do that and it also says it is successful. However, upon rebooting into normal mode I am greeted with an error message that says:
I can tell you the password for the domain user "Administrator" is the same now as it was when I performed the backup from the original system. Also, the DSRM password is the same as that password. So if all the passwords are the same, what is the cause of this error message and how can I resolve it?
I boot into DSRM so I can restore A.D. authoritatively (single domain controller) and run the restoration and it says it is successful. I read a thing online that said:
[b]DO NOT REBOOT WHEN YOU ARE TOLD TO! [/b]
System will notify you that you must reboot after a system state restore, do not do this yet as the Active Directory is not ready for use so after a restart it will be just the same as before! We first need to recover the database so that it is ready for use again:
1. Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.
2. At the Ntdsutil command prompt, type files, and then press ENTER.
3. At the file maintenance command prompt, type recover, and then press ENTER.
4. Type quit, and then press ENTER.
5. Restart the computer.
So I do that and it also says it is successful. However, upon rebooting into normal mode I am greeted with an error message that says:
LSASS.EXE - System Error, security accounts manager initialization failed because of the following error: Directory Services cannot start. Error status 0xc00002e1.
Please click OK to shutdown this system and reboot into directory services restore mode, check the event log for more detailed information.
I can tell you the password for the domain user "Administrator" is the same now as it was when I performed the backup from the original system. Also, the DSRM password is the same as that password. So if all the passwords are the same, what is the cause of this error message and how can I resolve it?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Netman66 - these are the instructions I followed. I could've checked off the box for registry too to restore that, but the instructions do not imply that is a step I should take. I'd love to learn more.
Mozy Instructions How to Restore
Mozy Instructions How to Restore
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Will try. Yes to both.
Hmmm...ok then, let me know how you make out.
Are you doing this now? It's almost 1 AM here, but if it's reasonably quick I can wait.
Are you doing this now? It's almost 1 AM here, but if it's reasonably quick I can wait.
ASKER
Yup, just making a backup of my full partions, done in 45 seconds, at which point i'll reboot and attempt, should take 10-15 minutes. Thanks so much.
ASKER
Just thinking while it's restoring, won't restoring the registry call to programs on startup that are not installed and lead to errors? or is that not how it works in this case.
Not necessarily.
I don't know the whole story here, so help me out. Hold off on the registry idea right now, until we check something out.
Looking at the Mozy info, you needed to enable VSS backup sets first, then make sure you have SYSVOL and AD backed up.
On the client for the restore, you should only need to select AD and SYSVOL then check the little box for Authoritative Restore - I imagine the logic is built into their client. You should NOT need to use NTDSUtil to mark the DIT authoritative unless you had more than one DC (ever).
If that still fails, then you might have permission issues on some folders or a corrupt DIT. Please follow this article to figure out if it's either. http://support.microsoft.com/kb/258062
I don't know the whole story here, so help me out. Hold off on the registry idea right now, until we check something out.
Looking at the Mozy info, you needed to enable VSS backup sets first, then make sure you have SYSVOL and AD backed up.
On the client for the restore, you should only need to select AD and SYSVOL then check the little box for Authoritative Restore - I imagine the logic is built into their client. You should NOT need to use NTDSUtil to mark the DIT authoritative unless you had more than one DC (ever).
If that still fails, then you might have permission issues on some folders or a corrupt DIT. Please follow this article to figure out if it's either. http://support.microsoft.com/kb/258062
ASKER
Okay so I avoided that error message. New one, the good ol' " at least one service failed to start" but I could click okay. also it appears all my drivers have been removed due to reg change. resolution is different, mouse/keyboard had to reinstall. and my activation has to be redone. all surmountable... have yet to confirm the AD is fully restored, but i have some shit to clean up now.......
how to check which services failed to start? probably just not-installed programs or drivers i'm betting?
how to check which services failed to start? probably just not-installed programs or drivers i'm betting?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Sorry about the settings and drivers....should have mentioned that.
I think you are a good way there now, just to cleanup the stuff from the registry.
There are better ways to restore a single DC if you just wanted to change hardware or cleanup the original server. Temporarily add another DC and make it a GC with DNS. You can backup and restore a DHCP database, and the AD is effectively "copied" to the temporary DC (which could be a simple workstation during the "swing" state).
I'm not a fan of third party system state and sysvol restores. They almost never work properly.
I think you are a good way there now, just to cleanup the stuff from the registry.
There are better ways to restore a single DC if you just wanted to change hardware or cleanup the original server. Temporarily add another DC and make it a GC with DNS. You can backup and restore a DHCP database, and the AD is effectively "copied" to the temporary DC (which could be a simple workstation during the "swing" state).
I'm not a fan of third party system state and sysvol restores. They almost never work properly.
ASKER
Great man, I think this worked excellent. You're a great guy! Where are you that it's 1:30am-ish now? I'm EST, 12:30am right now
I'm in Atlantic Canada - New Brunswick.
Glad to assist. Hopefully, things aren't too ugly to clean up.
I hear my pillow calling! LOL...
Cheers,
NM
I hear my pillow calling! LOL...
Cheers,
NM
ASKER
Getting a weird message trying to install downloaded EXE program setups.... like mozy, teamviewer, etc. they all say
So i can't do much! Any idea what needs to be done there?
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.
So i can't do much! Any idea what needs to be done there?
ASKER
To clarify, I am logged on as Domain Administrator - it created a new profile folder "Administrator.000" now that AD is restored) so I have to reinstall Chrome, Mozy, Teamviewer...
ASKER
Nevermind, I found out I should: On the Windows 2003 server, go to add/remove windows components, then uninstall the Internet Explorer Enhanced Security component.
But now in add/remove programs there's a bunch of phantom programs listed. I'll have to sort which programs are/are not installed and maybe CCLEANER's reg cleaner can get rid of some of the unused keys. Again, you are a huge help. Thanks so much for all you did.
But now in add/remove programs there's a bunch of phantom programs listed. I'll have to sort which programs are/are not installed and maybe CCLEANER's reg cleaner can get rid of some of the unused keys. Again, you are a huge help. Thanks so much for all you did.
You'll find these entries in the registry here:
HKLM\Software\Microsoft\Wi
Each GUID represents an entry in Add/Remove. You'll need to open each key to see what software it belongs to. Safe to remove those that you know are not installed.
HKLM\Software\Microsoft\Wi
Each GUID represents an entry in Add/Remove. You'll need to open each key to see what software it belongs to. Safe to remove those that you know are not installed.
ASKER