keagle79 asked:

Corrupted Active Directory database in SBS 2011 Server

I have a client using SBS 2011 server with about 12 users. After a power issue that caused the server to restart without a graceful shutdown, all of the Active Directory user accounts no longer exist and the domain integrated DNS zone for the local domain won't load.

When I try to open the "SBSUsers" OU in AD users and computers snap-in I get the following error:

"Data from SBSUsers is not available from the Domain Controller Servername.domain.local because:
An operations error occurred."

All of the other OUs open and I can access any other user accounts, groups and computers.

The DNS issue I assume is tied to the problem with AD.  I get an error:

"The DNS server was unable to complete directory service enumeration of zone domain.local.  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it"

I have run a chkdsk /f and the drive came back clean. I assume that I will need to try and do some type of repair on the AD database but I could use some help pointing me in the right direction to get started. Unfortunately, I do not have a valid system state backup so if the repair doesn't work I will have to start from scratch.

I would really appreciate some help at least trying an AD repair before I do anything else.

Thanks
Philip Elder

What backup structure is in place?

Philip
keagle79 (ASKER)

This is a new client and the only backups were some basic file backups (shared folders etc.). There were never any system state backups so I don't have any way to do a restore of AD. I have to try a repair and if that doesn't work I will have to recreate the domain.

Do you have a BDC? Or is this a single DC in this environment? If you only have a single DC you will need to recover from a System State Backup. If you have a BDC you can transfer the FSMO roles to the BDC.

I would also run the following commands to see what else is going on...
Repadmin /replsum
Repadmin /showrepl
DCDiag /v

If a restore does not work you will have to rebuild your AD, which includes Groups/Users/etc. This also includes adding all of the computers/server back to the new domain. If you have Exchange this will also need to be re-installed/configured.

Thanks


Will.

Since it is SBS we were left with a single DC and as I said there were never any system state backups that we can find.

How old is the server?

Was the built-in SBS/Windows Server backup not used?

Philip

If you do not have a System State backup of the AD server and you do not have an additional DC in your environment, you have no choice but to rebuild the entire domain.

Does anyone think that using the NTDSUTIL or ESENTUTL utilities in Directory Services Restore Mode might help?

Please verify what errors specific to AD are on the server. There may be a way to get things going before cutting things loose.

Philip

Restoring AD using the Active Directory Restore mode still requires you to have a valid backup of Active Directory.

First Error:
"NTDS (568) NTDSA: Database C:\Windows\ntds\ntds.dit: Index DRA_USN_index of table datatable is corrupted (0)."

Another error:
"Active Directory Domain Services was unable to establish a connection with the global catalog.
 
Additional Data
Error value:
4294966279 []
Internal ID:
20801d4
 
User Action:
Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem."

This server is the only DC and is the Global Catalog

This is the DNS error:
"The DNS server was unable to complete directory service enumeration of zone somedomain.local.  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "000020EF: SvcErr: DSID-020801D4, problem 5012 (DIR_ERROR), data -1017"."

ASKER CERTIFIED SOLUTION
Sandesh Dubey

This solution is only available to members.

I agree with Sandesh, however if I were you I would start my troubleshooting as below.

1. Check NIC settings using DNS Best Practices
2. In IPv6 properties, set it to "obtain ip address automatically" and "obtain dns server address automatically".
3. Check all AD related services are running in automatic state (ADDS, DNS, Netlogon, KDC, Windows Time).
4. If everything is fine, then turn off AD DS service and take backup of SYSVOL and NTDS folders as you do not have any other DC in the domain.
5. Perform offline defragmentation of NTDS using Sandesh's comments.
6. Also check SBS is acting as authoritative Time Server for domain using Authoritative Time Server as it is throwing Global Catalog errors.

Worked perfectly.
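
Steps 3 to 5 of the troubleshooting list above, written out as an added PowerShell example. It is not code from the thread, and the accepted solution's exact commands are not shown on this page. Assumptions: the default `C:\Windows\SYSVOL` location, transaction logs in the same folder as `ntds.dit`, a hypothetical scratch folder `C:\NtdsRepair`, and `ntdsutil`'s `files` menu (`compact to`, `integrity`) as the offline defragmentation tool.

```powershell
# Added example, not from the thread. Run elevated on the affected DC.
$ErrorActionPreference = 'Stop'
$ntdsDir = 'C:\Windows\NTDS'     # database folder named in the NTDS (568) event
$sysvol  = 'C:\Windows\SYSVOL'   # assumption: default SYSVOL location
$work    = 'C:\NtdsRepair'       # hypothetical scratch folder with free space
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'

# Step 3: list AD-related services that are not Automatic or not running.
$names = 'NTDS', 'DNS', 'Netlogon', 'Kdc', 'W32Time'
Get-WmiObject Win32_Service |
    Where-Object { $names -contains $_.Name } |
    Where-Object { $_.StartMode -ne 'Auto' -or $_.State -ne 'Running' } |
    Format-Table Name, StartMode, State -AutoSize

# Step 4: remember running dependents, stop AD DS, copy NTDS and SYSVOL aside.
$deps = Get-Service -Name NTDS -DependentServices |
    Where-Object { $_.Status -eq 'Running' }
Stop-Service -Name NTDS -Force
$backup = Join-Path $work "backup-$stamp"
foreach ($src in $ntdsDir, $sysvol) {
    $dst = Join-Path $backup (Split-Path $src -Leaf)
    # /B uses backup mode; /XJ skips the junction points inside SYSVOL.
    robocopy $src $dst /E /B /COPYALL /XJ /R:1 /W:1 /NP | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed for $src ($LASTEXITCODE)" }
}

# Step 5: offline defragmentation into a new file; the live database is not
# touched until a compacted copy exists.
$compact = Join-Path $work "compact-$stamp"
New-Item -ItemType Directory -Path $compact | Out-Null
ntdsutil 'activate instance ntds' files "compact to $compact" quit quit
if (-not (Test-Path (Join-Path $compact 'ntds.dit'))) {
    throw 'Compaction produced no ntds.dit; the live database was not modified.'
}

# Swap in the compacted database, remove the old logs (assumed to be in the
# same folder), then run the integrity check against the new file.
Copy-Item (Join-Path $compact 'ntds.dit') (Join-Path $ntdsDir 'ntds.dit') -Force
Remove-Item (Join-Path $ntdsDir '*.log')
ntdsutil 'activate instance ntds' files integrity quit quit

# Bring AD DS back, then the dependent services that were running before.
Start-Service -Name NTDS
if ($deps) { $deps | Start-Service }
```

The copies under `backup-<timestamp>` are the only fallback on a single-DC domain with no system state backup, so confirm they exist before the swap step runs.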