Primary DC Directory Service Corrupt.

nmmcfk
We have primary and backup domain controllers. The PDC is server 2003 and the BDC is server 2008. Due to some power issues, the PDC is now corrupt. I get this error on boot up.

"lsass.exe - System Error
Security Accounts Manager initialization failed because of the following error: Directory Service cannot start. Error Status: 0xc00002e1. Please click OK to shutdown this system and reboot Directory Services Restore Mode, check the event log for more detailed information."

The PDC has Backup Exec installed on it and was doing system state backups regularly. When I boot into Directory Services Restore Mode I cannot run Backup Exec. Services will not start.

Everything is currently running on our BDC.

Has anyone encountered this and found a way to get AD restored, or a way to get Backup Exec working in Directory Services Restore Mode?

Thanks in advance for your time.

I do have a Server 2008 server available that we were planning on replacing the PDC with. This is fairly new to me, but from what I understand the PDC needs to be online to seize the domain naming master, infrastructure master, PDC, RID master and schema master roles.

Any advice will be greatly appreciated.
If your second DC is servicing clients fine, I would seize the roles from the downed server if any is needed. Join your W2K8 server to your environment and prepare your schema with ADPREP and then dcpromo.

Author

Commented:
The downed server will halt on boot at "Windows Is Starting Up" and display the error message I mentioned. Can this be done at that point, or do I need to get it to completely boot?
Depends on you. Do you want to troubleshoot the DC issue or leave the server offline?

Author

Commented:
I don't mind leaving it offline since we were planning on replacing it very soon. This is the first time I'm involved in replacing or creating a DC, so I'm sorry if I'm asking dumb questions. Is it possible to seize the roles while the PDC is offline? Is there any downfall to doing it that way?
Yes, you can seize these roles using ntdsutil.

Run this command on the running DC.

netdom query fsmo

Do you see any role holders pertaining to the downed server?

Only caveat is that you NEVER bring the corrupted server back online.

Author

Commented:
netballi,

I already tried this without any luck.

Author

Commented:
motnahp00,

I ran netdom query fsmo and all roles point to the downed server. I will do a little research on how to use ntdsutil to seize these roles.
I'll save you some time on the research.

ntdsutil
roles
connection
connect to server <seizing_dc_name>
quit
seize infrastructure master
seize naming master
seize PDC
seize RID master
seize schema master
quit
quit

Verify your results with:

netdom query fsmo
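As an added example (not code from the thread or from either expert), the following PowerShell does what "netdom query fsmo" does and additionally tests whether each role holder still answers, so the seize-versus-transfer decision is made on evidence. It assumes PowerShell 2.0 on a domain-joined machine and uses the .NET directory classes, so no ActiveDirectory module is required on a Windows Server 2008 DC.

```powershell
# Added example, not from the thread: list the five FSMO role holders (the
# PowerShell equivalent of "netdom query fsmo") and flag any role whose holder
# no longer answers, so the seize/transfer decision is made on evidence.
# Uses the .NET directory classes, so it runs on Windows Server 2008 with
# PowerShell 2.0 and needs no ActiveDirectory module.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

$roles = @{
    'Schema master'         = $forest.SchemaRoleOwner.Name
    'Domain naming master'  = $forest.NamingRoleOwner.Name
    'PDC emulator'          = $domain.PdcRoleOwner.Name
    'RID master'            = $domain.RidRoleOwner.Name
    'Infrastructure master' = $domain.InfrastructureRoleOwner.Name
}

$report = foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    # One ICMP probe; swap in a TCP test of port 389 if ICMP is filtered.
    $up = Test-Connection -ComputerName $holder -Count 1 -Quiet -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{ Role = $role; Holder = $holder; Reachable = [bool]$up }
}
$report | Format-Table Role, Holder, Reachable -AutoSize

$down = $report | Where-Object { -not $_.Reachable } |
        Select-Object -ExpandProperty Holder -Unique
if ($down) {
    Write-Warning "Roles are held by unreachable DC(s): $($down -join ', ')."
    Write-Warning "Seize only if that DC is never coming back; otherwise transfer."
}
```

Run it on the surviving DC before and after the ntdsutil session above; after a successful seize every Holder column should name the surviving DC.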

Author

Commented:
motnahp00,

Will this affect users in any way? Since this is my backup DC, if the seize errors out, will it still run properly?

Thanks for your help.
You need to ensure that your clients have their DNS settings pointing to the 2nd DC so it can service authentication requests.

I would stand up that W2K8 server as quickly as possible so you have some fault tolerance in the event the 2nd DC drops.

Other than that, this process should be transparent to the users.
Some more notes regarding ADPREP:

* updates AD schema to accept W2K8
* adprep /forestprep (EA, SA, DA - performed on Schema Master)
* adprep /domainprep (DA - performed on IM)
* adprep /gpprep
* adprep /rodcprep (EA, SA, DA - performed on Schema Master)

Let me know if you have any more questions.
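Added example (not the expert's or Microsoft's code): ADPREP records what it has done in the directory itself, and reading those markers tells you which of the steps above have already been applied before dcpromo complains. The schema version numbers are the known values set by adprep /forestprep (30 = 2003, 31 = 2003 R2, 44 = 2008, 47 = 2008 R2); the revision counters are printed raw for before/after comparison. It assumes plain ADSI on a domain-joined machine.

```powershell
# Added example, not from the thread: read the markers ADPREP leaves in the
# directory to see whether forestprep/domainprep/rodcprep already ran.
# Plain ADSI, no ActiveDirectory module required.
$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaDn = $rootDse.schemaNamingContext.Value
$configDn = $rootDse.configurationNamingContext.Value
$domainDn = $rootDse.defaultNamingContext.Value

# objectVersion values written by adprep /forestprep (known values).
$schemaVersions = @{ 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2';
                     44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2' }

$schema = [ADSI]"LDAP://$schemaDn"
$ver    = [int]$schema.objectVersion.Value
$label  = if ($schemaVersions.ContainsKey($ver)) { $schemaVersions[$ver] } else { 'unknown/newer' }
"Schema objectVersion: $ver ($label)"
if ($ver -ge 44) { "forestprep for Windows Server 2008 is already applied." }
else             { "forestprep for Windows Server 2008 is NOT applied; run adprep /forestprep on the schema master." }

# Revision counters maintained by forestprep, domainprep and rodcprep.
# 'absent' means the marker object does not exist yet (that step never ran).
function Get-Revision([string]$dn) {
    try { [int]([ADSI]"LDAP://$dn").revision.Value } catch { 'absent' }
}
"ForestUpdates revision : " + (Get-Revision "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configDn")
"DomainUpdates revision : " + (Get-Revision "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainDn")
"RodcUpdate revision    : " + (Get-Revision "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configDn")
```

Because the forest-wide markers replicate, the values must be read from a DC that has finished replicating with the schema master; a stale reading is the usual reason ADPREP and dcpromo disagree.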

Author

Commented:
A couple of questions:

1) Regarding the ADPREP notes: does this need to be done on the existing BDC, which is already W2K8, or on the new DC I will set up?

2) To clarify a question I asked earlier: it IS possible to seize FSMO on the BDC while the downed PDC is completely offline?

3) On another note, could I set up my new DC and configure replication, then seize FSMO with the newly configured DC to make it the PDC? I would like to keep the existing BDC as the backup if possible.

Thanks for your time
1. This needs to be done on the schema master. You can find this role holder using the netdom query fsmo command.

2. You need to seize the roles from the DC while it is down. Do not ever bring this server back online after this process.

3. You will have problems promoting your member server while the role holder is down. Seize the roles and promote the other server.

Author

Commented:
The Schema Master role holder is the downed server. Does this cause some complications?
You need to seize this role to your active DC.

Commented:
You need to seize all the FSMO roles to the 2k8 DC and decommission the 2003 DC with meta data cleanup.

http://support.microsoft.com/kb/255504
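Added example (not from the thread or the KB article above): after the seize, metadata cleanup must remove the dead DC's objects from the directory, and this script checks whether any of them are still present. It assumes plain ADSI on a domain-joined machine; OLD-PDC-NAME is a placeholder for the corrupted DC's computer name, and the DC's DNS records are not covered here.

```powershell
# Added example, not from the thread: list directory objects that still
# reference the decommissioned DC, i.e. what metadata cleanup has to remove.
param([string]$DeadDc = 'OLD-PDC-NAME')   # placeholder, not a real host

$rootDse  = [ADSI]'LDAP://RootDSE'
$configDn = $rootDse.configurationNamingContext.Value
$domainDn = $rootDse.defaultNamingContext.Value

# Subtree LDAP search that returns distinguished names only.
function Find-Objects([string]$baseDn, [string]$filter) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://$baseDn"
    $s.Filter      = $filter
    $s.SearchScope = 'Subtree'
    $s.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }
}

$leftovers = @()
# Server object under CN=Sites and its NTDS Settings child (the replication
# identity ntdsutil's metadata cleanup removes).
foreach ($srv in @(Find-Objects "CN=Sites,$configDn" "(&(objectClass=server)(cn=$DeadDc))")) {
    $leftovers += $srv
    $leftovers += @(Find-Objects $srv '(objectClass=nTDSDSA)')
}
# Computer account in the Domain Controllers OU.
$leftovers += @(Find-Objects "OU=Domain Controllers,$domainDn" "(&(objectClass=computer)(cn=$DeadDc))")
# FRS member object for SYSVOL replication.
$leftovers += @(Find-Objects "CN=System,$domainDn" "(&(objectClass=nTFRSMember)(cn=$DeadDc))")

if ($leftovers.Count -eq 0) {
    "No objects for $DeadDc remain; metadata cleanup looks complete."
} else {
    "Objects still referencing ${DeadDc} (metadata cleanup not finished):"
    $leftovers
}
```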

Author

Commented:
motnahp00,

From our discussion this is what I need to do. Please correct me if I am wrong.

Seize FSMO roles to my BDC.
(Since my BDC is currently running I'm assuming that is all I have to do.)

Prepare new DC with:
ADPREP:
* updates AD schema to accept W2K8
* adprep /forestprep (EA, SA, DA - performed on Schema Master)
* adprep /domainprep (DA - performed on IM)
* adprep /gpprep
* adprep /rodcprep (EA, SA, DA - performed on Schema Master)
then dcpromo

Once this is done configure ntds replication.....


Is there any downfall to using the same IP as my downed server on my new W2K8 DC?
You may see some inconsistencies with your A records. I would use another IP address just to play it safe.

Author

Commented:
motnahp00,

Ok, I will use another IP.

Do the steps I listed above look correct?

The one thing I was a little confused about was the ADPREP. At one point during our conversation it seemed like it needed to be run on the BDC. Since it is already running I would think it will only need to be run on the new DC.

Again, Thanks for your assistance.
Yes, the commands look correct. Just make sure you run them on the new role holder.

* adprep /forestprep
* adprep /domainprep
* adprep /gpprep
* adprep /rodcprep

Author

Commented:
Ok, so this needs to be run on the BDC. Does this need to be done before or after the seize? And will this have any effect on users currently logging onto the BDC? I know you said this should be transparent, but I just want to be sure.
Run after the seize. These actions are transparent to the users.

Author

Commented:
I'm assuming I will run the same ADPREP commands on the new DC?
On the box that holds the roles now.

Author

Commented:
motnahp00,

Thanks again for the help last week. I have seized the FSMO roles. When I run ADPREP /forestprep, it tells me that "Forest-wide information has already been updated and ADPREP did not attempt to rerun this operation."

When running dcpromo on my new server, I get an error that I need to run ADPREP /forestprep.

I also get messages that ADPREP /domainprep and /gpprep have already been updated.

Author

Commented:
Does it matter that the now PDC is 32-bit and the new server is 64-bit OS?
I have seen posts regarding this topic. I personally would try to keep the architecture versions the same across your DCs.

Author

Commented:
I have everything up and running. Just one more question. If I wanted to make my new server the PDC, would I simply seize the FSMO role(s)?
Do not seize the role. Use transfer instead.
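Added example (not the expert's code) of the transfer route recommended here: with both DCs online, each role is handed over cooperatively through the current holder, so a transfer fails cleanly if the holder cannot be reached instead of creating a second holder the way a seize would. It assumes PowerShell 2.0 and the .NET directory classes; NEW-DC-NAME is a placeholder for the new Windows Server 2008 DC.

```powershell
# Added example, not from the thread: move all FSMO roles to a healthy DC
# with a graceful transfer (both DCs online) rather than a seizure.
param([string]$Target = 'NEW-DC-NAME')   # placeholder for the new DC

$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $Target)
$dc  = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)

$allRoles = [Enum]::GetValues([System.DirectoryServices.ActiveDirectory.ActiveDirectoryRole])
foreach ($role in $allRoles) {
    if ($dc.Roles -contains $role) { "$role : already held by $Target"; continue }
    # TransferRoleOwnership goes through the current holder. If that holder is
    # offline it throws rather than silently overwriting, which is the safe
    # default; a seize (SeizeRoleOwnership) is only for a holder that will
    # never return.
    try {
        $dc.TransferRoleOwnership($role)
        "$role : transferred to $Target"
    } catch {
        Write-Warning "$role : transfer failed ($($_.Exception.Message))."
    }
}

# Re-read the role list from the target to confirm; netdom query fsmo shows the same.
[System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx).Roles
```

Run it as a member of Enterprise Admins (the schema and domain naming roles require it) and let replication settle before checking from another DC.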

Author

Commented:
Ok, That is what i wanted to ask. Thanks again for all your help.
No problem. You're welcome.
