nmmcfk (United States of America) asked:

Primary DC Directory Service Corrupt.

We have primary and backup domain controllers. The PDC is Server 2003 and the BDC is Server 2008. Due to some power issues, the PDC is now corrupt. I get this error on boot-up.

"lsass.exe - System Error
Security Accounts Manager initialization failed because of the following error: Directory Service cannot start. Error Status: 0xc00002e1. Please click OK to shutdown this system and reboot Directory Services Restore Mode, check the event log for more detailed information."

The PDC has Backup Exec installed on it and was doing system state backups regularly. When I boot into Directory Services Restore Mode I cannot run Backup Exec. Services will not start.

Everything is currently running on our BDC.

Has anyone encountered this and found a way to get AD restored, or a way to get Backup Exec working in Directory Services Restore Mode?

Thanks in advance for your time.

I do have a Server 2008 server available that we were planning on replacing the PDC with. This is fairly new to me, but from what I understand, the PDC needs to be online to seize the domain naming master, infrastructure master, PDC, RID master, and schema master.

Any advice will be greatly appreciated.
ASKER CERTIFIED SOLUTION (motnahp00, United States of America)

nmmcfk (ASKER):
The downed server will halt on boot at "Windows Is Starting Up" and display the error message I mentioned. Can this be done at that point, or do I need to get it to completely boot?
Depends on you. Do you want to troubleshoot the DC issue or leave the server offline?

nmmcfk (ASKER):
I don't mind leaving it offline since we were planning on replacing it very soon. This is the first time I'm involved in replacing or creating a DC, so I'm sorry if I'm asking dumb questions. Is it possible to seize the roles while the PDC is offline? Is there any downfall to doing it that way?
Yes, you can seize these roles using ntdsutil.

Run this command on the running DC.

netdom query fsmo

Do you see any role holders pertaining to the downed server?

Only caveat is that you NEVER bring the corrupted server back online.

nmmcfk (ASKER):
netballi,

I already tried this without any luck.

nmmcfk (ASKER):
motnahp00,

I ran netdom query fsmo and all roles point to the downed server. I will do a little research on how to use ntdsutil to seize these roles.
I'll save you some time on the research.

ntdsutil
roles
connection
connect to server <seizing_dc_name>
quit
seize infrastructure master
seize naming master
seize PDC
seize RID master
seize schema master
quit
quit

Verify your results with:

netdom query fsmo
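The seize sequence above, driven from PowerShell with a check before and after. This is an added example, not code from the thread: it parses `netdom query fsmo` to find which roles still point at the dead DC, passes the same ntdsutil commands as command-line arguments (ntdsutil accepts them that way, one quoted command per argument), and re-queries afterwards. The host names DC2003 (the corrupt 2003 PDC) and DC2008 (the surviving DC) are assumptions.

```powershell
# Added example (not from the thread): drive the ntdsutil seize sequence from
# PowerShell and verify the outcome with "netdom query fsmo".
# Assumed, hypothetical names: surviving DC = DC2008, dead 2003 DC = DC2003.
# Run in an elevated prompt on DC2008 as a member of Enterprise Admins and
# Schema Admins (schema and naming master are forest-wide roles).

$DeadDc    = 'DC2003'
$SeizingDc = 'DC2008'
$deadPattern = '^' + [regex]::Escape($DeadDc) + '(\.|$)'   # matches short name or FQDN

# Parse "netdom query fsmo" into a hashtable: role label -> holder (FQDN).
function Get-FsmoHolders {
    $holders = @{}
    foreach ($line in (& netdom.exe query fsmo 2>&1)) {
        # e.g. "Schema master               dc2003.corp.example"
        if ($line -match '^\s*(Schema master|Domain naming master|PDC|RID pool manager|Infrastructure master)\s+(\S+)') {
            $holders[$matches[1]] = $matches[2]
        }
    }
    return $holders
}

# netdom's role labels mapped onto the ntdsutil "seize ..." commands.
$SeizeCommand = @{
    'Schema master'         = 'seize schema master'
    'Domain naming master'  = 'seize naming master'
    'PDC'                   = 'seize PDC'
    'RID pool manager'      = 'seize RID master'
    'Infrastructure master' = 'seize infrastructure master'
}

$before  = Get-FsmoHolders
$toSeize = @($before.Keys | Where-Object { $before[$_] -match $deadPattern })
if ($toSeize.Count -eq 0) {
    Write-Host "No FSMO role points at $DeadDc ; nothing to seize."
    return
}
Write-Host "Roles still pointing at $DeadDc : $($toSeize -join ', ')"

# Same sequence as typing it at the ntdsutil prompt. "seize" first tries a
# clean transfer and only seizes when the holder cannot be contacted, which is
# the case for a dead DC. Each seize shows a confirmation dialog: click Yes.
$ntdsArgs = @('roles', 'connections', "connect to server $SeizingDc", 'quit') +
            @($toSeize | ForEach-Object { $SeizeCommand[$_] }) +
            @('quit', 'quit')
& ntdsutil.exe @ntdsArgs

# Verify: every role must now be on the surviving DC, none on the dead one.
$after = Get-FsmoHolders
$after.GetEnumerator() | Sort-Object Name | ForEach-Object { '{0,-22} {1}' -f $_.Name, $_.Value }
$stillDead = @($after.Keys | Where-Object { $after[$_] -match $deadPattern })
if ($stillDead.Count -gt 0) {
    Write-Warning "Still held by $DeadDc : $($stillDead -join ', ')"
} else {
    Write-Host "All roles now on $SeizingDc. $DeadDc must never rejoin the domain: its copy of AD still records it as the role holder and owner of its RID pool."
}
```

The final check matters because a seize only rewrites the role ownership in the surviving DC's copy of the directory; the dead server's ntds.dit is untouched, which is why the caveat above says it must never come back. Its disk still holds a full copy of the domain database, so treat it as containing domain secrets when you dispose of it.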

nmmcfk (ASKER):
motnahp00,

Will this affect users in any way? Since this is my backup DC, if the seize errors out, will it still run properly?

Thanks for your help.
You need to ensure that your clients have their DNS settings pointing to the 2nd DC so it can service authentication requests.

I would stand up that W2K8 server as quickly as possible so you have some fault tolerance in the event the 2nd DC drops.

Other than that, this process should be transparent to the users.
Some more notes regarding ADPREP:

* updates AD schema to accept W2K8
* adprep /forestprep (EA, SA, DA - performed on Schema Master)
* adprep /domainprep (DA - performed on IM)
* adprep /gpprep
* adprep /rodcprep (EA, SA, DA - performed on Schema Master)

Let me know if you have any more questions.
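Rather than relying on adprep's own "already updated" message, you can read the markers each adprep step leaves in the directory. This is an added example, not from the thread or from Microsoft's tooling; it uses plain ADSI so it runs without the ActiveDirectory module, and the expected revision numbers are the ones Windows Server 2008 adprep writes (forestprep 2, rodcprep 2, domainprep 3; gpprep is recorded as a completed operation GUID rather than a revision). The schema objectVersion is what dcpromo compares against its own installation media, so if dcpromo on the new server still asks for /forestprep, compare that number with what the media expects (44 for Windows Server 2008, 47 for 2008 R2).

```powershell
# Added example (not from the thread): report the adprep markers in the
# directory. Plain ADSI; run on any domain-joined machine as a domain user.
# Expected revision numbers are those written by Windows Server 2008 adprep.

$root     = [ADSI]'LDAP://RootDSE'
$domainNc = [string]$root.defaultNamingContext
$configNc = [string]$root.configurationNamingContext
$schemaNc = [string]$root.schemaNamingContext

function Get-AdValue([string]$dn, [string]$attr) {
    # $null when the object or attribute is absent (marker not written yet)
    try { return ([ADSI]"LDAP://$dn").Get($attr) } catch { return $null }
}
function Test-AdObject([string]$dn) {
    return [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")
}

# Schema objectVersion per Windows release; dcpromo compares this with its media.
$SchemaVersions = @{ 13 = 'Windows 2000'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2'
                     44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2' }
$schemaVersion = [int](Get-AdValue $schemaNc 'objectVersion')
$name = $SchemaVersions[$schemaVersion]
if (-not $name) { $name = 'unknown or newer' }
"Schema objectVersion : $schemaVersion ($name)"

# Markers written by Windows Server 2008 adprep, with the revision each step leaves.
$checks = @(
    @{ Step = 'adprep /forestprep'; Dn = "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNc";           Expect = 2 },
    @{ Step = 'adprep /rodcprep';   Dn = "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNc";       Expect = 2 },
    @{ Step = 'adprep /domainprep'; Dn = "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNc"; Expect = 3 }
)
foreach ($c in $checks) {
    $rev   = Get-AdValue $c.Dn 'revision'
    $state = if ($null -eq $rev) { 'NOT RUN' } elseif ([int]$rev -ge $c.Expect) { 'done' } else { 'older' }
    '{0,-20}: revision {1} (2008 expects {2}) -> {3}' -f $c.Step, $rev, $c.Expect, $state
}

# /gpprep leaves no revision; its completion is recorded as an operation GUID.
$gpprepDn = "CN=446f24ea-cfd5-4c52-8346-96e170bcb912,CN=Operations,CN=DomainUpdates,CN=System,$domainNc"
'adprep /gpprep      : ' + $(if (Test-AdObject $gpprepDn) { 'done' } else { 'NOT RUN' })
```

Run it on the DC that now holds the roles after the seize, since that is the copy of the directory the new server will replicate from.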

nmmcfk (ASKER):
Couple Questions

1) Regarding the ADPREP notes - does this need to be done on the existing BDC, which is already W2K8, or the new DC I will set up?

2) To clarify a question i asked earlier. It IS possible to seize fsmo on the BDC while the downed PDC is completely offline?

3) On another note, could I set up my new DC and configure replication, then seize FSMO with the newly configured DC to make it the PDC? I would like to keep the existing BDC as the backup if possible.

Thanks for your time
1. This needs to be done on the schema master. You can find this role holder using the netdom query fsmo command.

2. You need to seize the roles from the DC while it is down. Do not ever bring this server back online after this process.

3. You will have problems promoting your member server while the role holder is down. Seize the roles and promote the other server.

nmmcfk (ASKER):
The Schema Master role holder is the downed server. Does this cause some complications?
You need to seize this role to your active DC.
You need to seize all the FSMO roles to the 2k8 DC and decommission the 2003 DC with meta data cleanup.

http://support.microsoft.com/kb/255504
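The metadata cleanup step from the KB, as an added example (not from the thread or the KB): it finds the dead DC's server object under CN=Sites, refuses to continue if any fSMORoleOwner attribute still names that DC (which would mean the seize has not happened or has not replicated), runs the one-line `remove selected server` form of ntdsutil metadata cleanup that Windows Server 2008 supports, and then checks DNS for SRV records that still advertise the dead DC. The names DC2003 and corp.example are assumptions.

```powershell
# Added example (not from the thread or KB 255504): metadata cleanup for a DC
# that is gone for good, with a role-ownership guard and a stale-DNS check.
# Hypothetical names: dead DC = DC2003, domain = corp.example.
# Run elevated on the surviving DC as an Enterprise Admin.

$DeadDc = 'DC2003'
$Domain = 'corp.example'

$root     = [ADSI]'LDAP://RootDSE'
$domainNc = [string]$root.defaultNamingContext
$configNc = [string]$root.configurationNamingContext
$schemaNc = [string]$root.schemaNamingContext

# Find CN=DC2003,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,... which is the
# DN that ntdsutil's "remove selected server" expects.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNc"
$searcher.Filter = "(&(objectClass=server)(cn=$DeadDc))"
$result = $searcher.FindOne()
if (-not $result) { throw "No server object named $DeadDc under CN=Sites; already cleaned up?" }
$serverDn = [string]$result.Properties['distinguishedname'][0]
$ntdsDn   = "CN=NTDS Settings,$serverDn"

# Guard: fSMORoleOwner on each role object is the NTDS Settings DN of the
# current holder. If any still names the dead DC, cleanup would strand that role.
$roleObjects = @{
    'Schema master'         = $schemaNc
    'Domain naming master'  = "CN=Partitions,$configNc"
    'PDC'                   = $domainNc
    'RID master'            = 'CN=RID Manager$,CN=System,' + $domainNc
    'Infrastructure master' = "CN=Infrastructure,$domainNc"
}
foreach ($role in $roleObjects.Keys) {
    $owner = [string]([ADSI]"LDAP://$($roleObjects[$role])").Get('fSMORoleOwner')
    if ($owner -ieq $ntdsDn) { throw "$role is still recorded on $DeadDc ; seize it before cleanup." }
}

# Remove the NTDS Settings object and its replication metadata. ntdsutil shows
# a confirmation dialog: click Yes. Only ever do this for a DC that will not return.
& ntdsutil.exe 'metadata cleanup' "remove selected server $serverDn" quit quit

# Stale DNS: SRV records for the dead DC keep clients and replication partners
# trying to reach it. nslookup prints lines like "svr hostname = dc2003.corp.example".
$srv   = & nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1
$stale = @($srv | Where-Object { $_ -match ('svr hostname\s*=\s*' + [regex]::Escape($DeadDc) + '\.') })
if ($stale.Count -gt 0) {
    Write-Warning "Stale SRV records for $DeadDc remain; delete them and its A record in DNS:"
    $stale | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "No _ldap._tcp.dc._msdcs SRV records point at $DeadDc."
}
```

After this, also check Active Directory Users and Computers for the old computer account and Sites and Services for leftover objects, and remove the dead DC's A record so a new server taking its old IP does not inherit stale lookups.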

nmmcfk (ASKER):
motnahp00,

From our discussion this is what I need to do. Please correct me if I am wrong.

Seize FSMO roles to my BDC.
(since my BDC is currently running, I'm assuming that is all I have to do)

Prepare new DC with:
ADPREP:
* updates AD schema to accept W2K8
* adprep /forestprep (EA, SA, DA - performed on Schema Master)
* adprep /domainprep (DA - performed on IM)
* adprep /gpprep
* adprep /rodcprep (EA, SA, DA - performed on Schema Master)
then dcpromo

Once this is done configure ntds replication.....


Is there any downfall to using the same IP as my downed server on my new W2K8 DC?
You may see some inconsistencies with your A records. I would use another IP address just to play it safe.

nmmcfk (ASKER):
motnahp00,

OK, I will use another IP.

Do the steps i listed above look correct?  

The one thing I was a little confused about was the ADPREP. At one point during our conversation it seemed like it needed to be run on the BDC. Since it is already running, I would think it will only need to be run on the new DC.

Again, Thanks for your assistance.
Yes, the commands look correct. Just make sure you run them on the new role holder.

* adprep /forestprep
* adprep /domainprep
* adprep /gpprep
* adprep /rodcprep

nmmcfk (ASKER):
OK, so this needs to be run on the BDC. Does this need to be done before or after the seize? And will this have any effect on users currently logging onto the BDC? I know you said this should be transparent, but I just want to be sure.
Run them after the seize. These actions are transparent to the users.

nmmcfk (ASKER):
I'm assuming i will run the same ADPREP commands on the new DC?
On the box that holds the roles now.

nmmcfk (ASKER):
motnahp00,

Thanks again for the help last week. I have seized the FSMO roles. When I run ADPREP /forestprep, it tells me "Forest-wide information has already been updated and ADPREP did not attempt to rerun this operation."

When running dcpromo on my new server, I get an error that I need to run ADPREP /forestprep.

I also get messages that ADPREP /domainprep and /gpprep have already been updated.

nmmcfk (ASKER):
Does it matter that the now PDC is 32-bit and the new server is 64-bit OS?
I have seen posts regarding this topic. I personally would try to keep the architecture versions the same across your DCs.

nmmcfk (ASKER):
I have everything up and running. Just one more question. If I wanted to make my new server the PDC, would I simply seize the FSMO role(s)?
Do not seize the role. Use transfer instead.

nmmcfk (ASKER):
OK, that is what I wanted to ask. Thanks again for all your help.
No problem. You're welcome.