
Server 2008 recreate Active Directory

Posted on 2013-11-23
Last Modified: 2013-11-24
I picked up a new client who has a problem with Active Directory on Server 2008.  This is the only server, there is no System State backup, and there are about 5 users who would be easily recreated.  I do have a complete image of the drive.

I apologize for the lengthy post here, but I wanted to provide enough relevant data for troubleshooting.

The system will not boot in normal mode, giving an error in Directory Services.  I can reboot into Directory Services Repair Mode (but none of the other modes).

I have run a RAM test and a disk integrity test and both passed.  I ran sfc /scannow and it finished with a report that there were no errors found.

I tried repairing or recovering AD first with these two results:

---------------------------------------

C:\Windows\NTDS>ntdsutil
ntdsutil: files
Active Instance not set. To set an active instance use "Activate Instance ".
ntdsutil: activate instance ntds
Active instance set to "ntds".
ntdsutil: files
Could not initialize the Jet engine:  Jet Warning 1.
Failed to open DIT for AD DS/LDS instance NTDS. Error -2147418113
ntdsutil: quit

(I am assuming that the "Activate Instance" was required because I was in DSRM.)

C:\Windows\NTDS>

C:\Windows\NTDS>esentutl /p c:\windows\ntds\ntds.dit /!10240 /8 /o

Initiating REPAIR mode...
        Database: c:\windows\ntds\ntds.dit
  Temp. Database: TEMPREPAIR2728.EDB

Checking database integrity.

                     Scanning Status (% complete)

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................

Initiating DEFRAGMENTATION mode...
            Database: c:\windows\ntds\ntds.dit
      Temp. Database: TEMPREPAIR2728.EDB

                  Defragmentation Status (% complete)

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          .........................



Operation terminated with error -1605 (JET_errKeyDuplicate, Illegal duplicate ke
y) after 7.250 seconds.

---------------------------------------

Clearly, there is something wrong with the database.  I did not find anything useful online about the "Illegal duplicate key" error.

Even if I were able to repair the AD database, I'd have concerns about its overall integrity.  That, along with the problems above, led me to try to remove and reinstall the AD role, which seemed pretty straightforward.

I went to the server console, had it enumerate the roles, then told it to remove the AD role.  It did a lot of file crunching and rebooting (I had it set to reboot to DSRM) and eventually reported that it had tried three times and was unsuccessful.  When I look at the Event Viewer, I see a number of errors such as:

---------------------------------------
Log Name:      System
Source:        Microsoft-Windows-Servicing
Date:          11/23/2013 10:38:40 AM
Event ID:      4375
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      main.OurDomain.local
Description:
Windows Servicing failed to complete the process of setting package Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.0.6001.18000 () into Installed(Installed) state
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Servicing" Guid="{bd12f3b8-fc40-4a61-a307-b7a013a069c1}" EventSourceName="Microsoft-Windows-Servicing" />
    <EventID Qualifiers="49152">4375</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-11-23T18:38:40.000Z" />
    <EventRecordID>554331</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>main.OurDomain.local</Computer>
    <Security />
  </System>
  <UserData>
    <CbsPackageChangeState xmlns="http://manifests.microsoft.com/win/2004/08/windows/setup_provider">
      <PackageIdentifier>Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.0.6001.18000</PackageIdentifier>
      <ReleaseType>
      </ReleaseType>
      <PackageState>Installed</PackageState>
      <PackageAssembly>Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.0.6001.18000</PackageAssembly>
      <Operation>Installed</Operation>
      <OperationCompleted>True</OperationCompleted>
      <ErrorCode>0x8007043c</ErrorCode>
      <RebootOption>False</RebootOption>
      <MissingElements>
      </MissingElements>
    </CbsPackageChangeState>
  </UserData>
</Event>

---------------------------------------

I would really like to avoid starting over from scratch (new install, copy data, etc.), though I don't object to recreating all of the users and rights and such.

It seems that there are two approaches here:
1)  repair the "illegal duplicate key" (and any errors that follow that one), get the system to reboot in the normal mode, then try to uninstall and reinstall AD to ensure a reliable database
2)  identify why AD won't uninstall properly, fix it, uninstall and reinstall AD  (Are there other roles that I should remove first?)

Any suggestions about how to accomplish either of these or a better approach would be helpful.
Question by:CompProbSolv
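The three failures in the question each carry an error code that the thread never decodes, so here is an added triage helper (my example, not code from the thread or from Microsoft) that parses the ntdsutil/esentutl transcript and the Servicing 4375 event above and decodes each HRESULT and ESE code. The code names are the standard Windows and ESE definitions; the sample input is the page's own output, embedded inline.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample input: the relevant lines from the DSRM session in the question.
TRANSCRIPT = """Failed to open DIT for AD DS/LDS instance NTDS. Error -2147418113
Operation terminated with error -1605 (JET_errKeyDuplicate, Illegal duplicate key) after 7.250 seconds."""
CBS_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <UserData><CbsPackageChangeState xmlns="http://manifests.microsoft.com/win/2004/08/windows/setup_provider">
    <PackageIdentifier>Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.0.6001.18000</PackageIdentifier>
    <ErrorCode>0x8007043c</ErrorCode>
  </CbsPackageChangeState></UserData>
</Event>"""

FACILITY_WIN32 = 7  # HRESULT facility that wraps a Win32 error code in the low 16 bits
WIN32_NAMES = {1084: "ERROR_NOT_SAFEBOOT_SERVICE: the service cannot start in Safe Mode (DSRM is one)"}
JET_NAMES = {  # ESE error codes an AD admin is likely to meet; -1605 is the one on this page
    -1605: "JET_errKeyDuplicate: duplicate index key, esentutl /p aborted the rebuild",
    -1018: "JET_errReadVerifyFailure: page checksum mismatch (disk-level damage)",
}

def decode_hresult(hr):
    """Return (failed, facility, code, name) for a signed or unsigned 32-bit HRESULT."""
    hr &= 0xFFFFFFFF                      # normalise the signed form printed by ntdsutil
    failed, facility, code = bool(hr >> 31), (hr >> 16) & 0x1FFF, hr & 0xFFFF
    if hr == 0x8000FFFF:
        name = "E_UNEXPECTED: catastrophic failure, the DIT could not be opened at all"
    elif facility == FACILITY_WIN32:
        name = WIN32_NAMES.get(code, "Win32 error %d" % code)
    else:
        name = "HRESULT 0x%08X" % hr
    return failed, facility, code, name

def triage_transcript(text):
    """Map each failed tool in an ntdsutil/esentutl transcript to a decoded reason."""
    findings = {}
    m = re.search(r"Failed to open DIT .*? Error (-?\d+)", text)
    if m:
        findings["ntdsutil"] = decode_hresult(int(m.group(1)))[3]
    m = re.search(r"terminated with error (-\d+) \((JET_err\w+)", text)
    if m:
        findings["esentutl"] = JET_NAMES.get(int(m.group(1)), m.group(2))
    return findings

def triage_cbs_event(xml_text):
    """Pull ErrorCode from a Microsoft-Windows-Servicing 4375 event and decode it."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                # namespace-agnostic: match the local name only
        if el.tag.endswith("}ErrorCode") and el.text:
            return decode_hresult(int(el.text.strip(), 16))
    return None
```

The decoded 0x8007043c (Win32 error 1084) is the reason the Server Manager role removal could not complete while the box was booted to DSRM, which is why a path that works from DSRM itself is needed.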
9 Comments
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 39671795
First, no need to apologize.  Too many people here ask vague questions, so the more details, the better.

Second, your 2 approaches are not viable solutions.  They both involve uninstalling and reinstalling AD.  When you uninstall AD from the one and only domain controller, it will remove the domain and all user and computer objects.

Do you know if the server went down from a power loss?  That could have caused data corruption.

With only 5 users and no good backup, it's probably just worth blowing away and starting over, which is probably a lot less time compared to trying to repair this (which may or may not be possible).

Since you already attempted AD role removal and failed, it's best to reinstall Windows (back up shares and user data first).
 
LVL 35

Expert Comment

by:Mahesh
ID: 39671812
I totally agree with Seth.

My personal experience with repairing the AD database has been very bad in my hard times;
the tool (esentutl) provided by MS for repairing the directory database doesn't seem to have extensive capabilities and isn't powerful enough to repair the AD database.
The only option left in that case is to log a priority A call with MS.
MS does have / use better, more powerful tools (I call them hidden tools) for these purposes, and they will most probably resolve the problem.

It's worth it to start from scratch, OR
you can take MS Support.

Mahesh
 
LVL 20

Author Comment

by:CompProbSolv
ID: 39671814
"... are not viable"
I recognize that the domain and objects will be removed.  With so few users and devices, it would not be difficult to reconstruct.  It is certainly far less effort than a complete reinstall.

Nonetheless, you may be correct about the reinstall.  I am hoping for some other solution.  (Then again, I hope to win the lottery, too!)
 
LVL 9

Expert Comment

by:VirastaR
ID: 39671826
Hi,

Based on your description,

1)
C:\Windows\NTDS>ntdsutil
ntdsutil: files
Active Instance not set. To set an active instance use "Activate Instance ".
ntdsutil: activate instance ntds
Active instance set to "ntds".
ntdsutil: files
Could not initialize the Jet engine:  Jet Warning 1.
Failed to open DIT for AD DS/LDS instance NTDS. Error -2147418113
ntdsutil: quit

which means that ntds.dit is not even mounted for the repair operation.

2)
Operation terminated with error -1605 (JET_errKeyDuplicate, Illegal duplicate ke
y)
is related to the Exchange database; however, what it means is that your DB went beyond repair, or is toast :(

So, I would recommend you to move on from this point and build it from scratch.

However, open your server is up make a smart move

Take an IFM Backup - http://trycatch.be/blogs/roggenk/archive/2007/09/12/active-directory-domain-services-install-from-restored-backup-media-ifm.aspx

Hope that helps :)
 
LVL 20

Author Comment

by:CompProbSolv
ID: 39671857
I am afraid that I don't understand:
"However, open your server is up make a smart move"

Also, the IFM Backup doesn't seem relevant here.  That is, I don't have a working AD from which to take a backup.

Once this is all resolved, Windows Server Backup will be used to keep reliable backups of AD and everything else.
 
LVL 35

Expert Comment

by:Mahesh
ID: 39671936
If you are not going to MS support,

Then there is no option left other than start from scratch...

Mahesh
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 39672063
As others suggested, you need to contact MS for the DB repair, but as you have only five users it's worth starting from scratch.

As this is Win2008 you can forcefully demote the DC by running dcpromo /forceremoval in Directory Services Restore Mode, and you should be able to boot in normal mode once the DC is demoted forcefully.

I will recommend that once you are in normal mode you take a backup of the data, reload the OS and then promote the server as a DC.  Also run chkdsk in read-only mode to check for any drive errors, and update the server drivers and firmware too if they are not updated.
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39672065
In addition, I will also recommend having at least two DCs in the network for redundancy if there is no budget issue, or regularly backing up the server.
 
LVL 20

Author Comment

by:CompProbSolv
ID: 39673011
@Sandeshdubey:
Your suggestion for dcpromo /forceremoval was the critical key that I was missing.  I found that suggestion with other searches online before reading your post.  I have done that, restarted into standard mode, removed AD with the GUI, and reinstalled it.  All seems well now!

I understand the recommendation for two or more DCs, but that is pretty cost-prohibitive in such a small network.  I absolutely agree about the backup and will be implementing Windows Server Backup shortly.
