Server 2008 recreate Active Directory

I picked up a new client who has a problem with Active Directory on Server 2008.  This is the only server, there is no System State backup, and there are about 5 users who would be easily recreated.  I do have a complete image of the drive.

I apologize for the lengthy post here, but I wanted to provide enough relevant data for troubleshooting.

The system will not boot in normal mode, giving an error in Directory Services.  I can reboot into Directory Services Repair Mode (but none of the other modes).

I have run a RAM test and a disk integrity test and both passed.  I ran sfc /scannow and it finished with a report that there were no errors found.

I tried repairing or recovering AD first with these two results:


ntdsutil: files
Active Instance not set. To set an active instance use "Activate Instance ".
ntdsutil: activate instance ntds
Active instance set to "ntds".
ntdsutil: files
Could not initialize the Jet engine:  Jet Warning 1.
Failed to open DIT for AD DS/LDS instance NTDS. Error -2147418113
ntdsutil: quit

(I am assuming that the "Activate Instance" was required because I was in DSRM.)


C:\Windows\NTDS>esentutl /p c:\windows\ntds\ntds.dit /!10240 /8 /o

Initiating REPAIR mode...
        Database: c:\windows\ntds\ntds.dit
  Temp. Database: TEMPREPAIR2728.EDB

Checking database integrity.

                     Scanning Status (% complete)

          0    10   20   30   40   50   60   70   80   90  100

Initiating DEFRAGMENTATION mode...
            Database: c:\windows\ntds\ntds.dit
      Temp. Database: TEMPREPAIR2728.EDB

                  Defragmentation Status (% complete)

          0    10   20   30   40   50   60   70   80   90  100

Operation terminated with error -1605 (JET_errKeyDuplicate, Illegal duplicate key) after 7.250 seconds.


Clearly, there is something wrong with the database.  I did not find anything useful online about the "Illegal duplicate key" error.

Even if I were able to repair the AD database, I'd have concerns about its overall integrity.  That, along with the problems above, led me to try to remove and reinstall the AD role, which seemed pretty straightforward.

I went to the server console, had it enumerate the roles, then told it to remove the AD role.  It did a lot of file crunching and rebooting (I had it set to reboot to DSRM) and eventually reported that it had tried three times and was unsuccessful.  When I look at the Event Viewer, I see a number of errors such as:

Log Name:      System
Source:        Microsoft-Windows-Servicing
Date:          11/23/2013 10:38:40 AM
Event ID:      4375
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      main.OurDomain.local
Windows Servicing failed to complete the process of setting package Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.0.6001.18000 () into Installed(Installed) state
Event Xml:
<Event xmlns="">
    <Provider Name="Microsoft-Windows-Servicing" Guid="{bd12f3b8-fc40-4a61-a307-b7a013a069c1}" EventSourceName="Microsoft-Windows-Servicing" />
    <EventID Qualifiers="49152">4375</EventID>
    <TimeCreated SystemTime="2013-11-23T18:38:40.000Z" />
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Security />
    <CbsPackageChangeState xmlns="">


I would really like to avoid starting over from scratch (new install, copy data, etc.), though I don't object to recreating all of the users and rights and such.

It seems that there are two approaches here:
1)  repair the "illegal duplicate key" (and any errors that follow that one), get the system to reboot in the normal mode, then try to uninstall and reinstall AD to ensure a reliable database
2)  identify why AD won't uninstall properly, fix it, uninstall and reinstall AD  (Are there other roles that I should remove first?)

Any suggestions about how to accomplish either of these or a better approach would be helpful.

Seth Simmons, Sr. Systems Administrator, Commented:
first, no need to apologize.  too many people here ask vague questions so the more details, the better

second, your 2 approaches are not viable solutions.  they both involve uninstalling and reinstalling AD.  when you uninstall AD from the one and only domain controller, it will remove the domain and all user and computer objects

do you know if server went down from a power loss?  could have caused data corruption

with only 5 users and no good backup, probably just worth blowing away and starting over which is probably a lot less time compared to trying to repair this (which may or may not be possible)

since you already attempted AD role removal and failed, best to reinstall windows (backup and shares and user data first)
I totally agree with Seth.

My personal experience with repairing the AD database has been very bad.
The tool (esentutl) provided by MS for repairing the directory database doesn't seem to have extensive or powerful enough capabilities to repair the AD database.
The only option left in that case is to log a priority A call with MS.
MS does have / use better, more powerful tools (I call them hidden tools) for these purposes, and they will most probably resolve the problem.

It's worth building from scratch, OR
you can take MS Support.

CompProbSolv (Author) Commented:
"... are not viable"
I recognize that the domain and objects will be removed.  With so few users and devices, it would not be difficult to reconstruct.  It is certainly far less effort than a complete reinstall.

Nonetheless, you may be correct about the reinstall.  I am hoping for some other solution.  (Then again, I hope to win the lottery, too!)

VirastaR, UC Tech Consultant, Commented:

Based on your description,

ntdsutil: files
Active Instance not set. To set an active instance use "Activate Instance ".
ntdsutil: activate instance ntds
Active instance set to "ntds".
ntdsutil: files
Could not initialize the Jet engine:  Jet Warning 1.
Failed to open DIT for AD DS/LDS instance NTDS. Error -2147418113
ntdsutil: quit

which means that ntds.dit is not even mounted for the repair operation.

Operation terminated with error -1605 (JET_errKeyDuplicate, Illegal duplicate key)
is related to the Exchange database; however, what it means is that your DB went beyond repair, or is toast :(

So, I would recommend you to move on from this point and build it from scratch.

However, open your server is up make a smart move

Take an IFM Backup -

Hope that helps :)
CompProbSolv (Author) Commented:
I am afraid that I don't understand:
"However, open your server is up make a smart move"

Also, the IFM Backup doesn't seem relevant here.  That is, I don't have a working AD from which to take a backup.

Once this is all resolved, Windows Server Backup will be used to keep reliable backups of AD and everything else.
If you are not going to MS support,

then there is no option left other than starting from scratch...

Sandeshdubey, Senior Server Engineer, Commented:
As others suggested, you need to contact MS for the DB repair, but as you have only five users it's worth starting from scratch.

As this is Win2008 you can forcefully demote the DC by running dcpromo /forceremoval in Directory Services Restore Mode, and you should be able to boot in normal mode once the DC is demoted forcefully.

I would recommend that once you are in normal mode you take a backup of the data, reload the OS, and then promote the server as a DC. Also run chkdsk in read-only mode to check for any drive errors, and update the server drivers and firmware too if they are not up to date.

Sandeshdubey, Senior Server Engineer, Commented:
In addition, I would also recommend having at least two DCs in the network for redundancy if there is no budget issue, or regularly backing up the server.
CompProbSolv (Author) Commented:
Your suggestion for dcpromo /forceremoval was the critical key that I was missing.  I found that suggestion with other searches online before reading your post.  I have done that, restarted into standard mode, removed AD with the GUI, and reinstalled it.  All seems well now!

I understand the recommendation for two or more DCs, but that is pretty cost-prohibitive in such a small network.  I absolutely agree about the backup and will be implementing Windows Server Backup shortly.
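As an added example (not code from the thread or from any of the commenters), here is a PowerShell maintenance script a practitioner could schedule on the rebuilt DC to take the System State backup this server never had, and to surface NTDS and Microsoft-Windows-Servicing errors like the event 4375 above before they force a trip into DSRM. It assumes the Windows Server Backup command-line tools are installed, PowerShell 2.0 or later (for Get-WinEvent), and a dedicated backup volume; the E: drive letter is an assumed value.

```powershell
# Added example (not from the thread): nightly System State backup of the sole DC
# plus a scan for the Directory Services / servicing errors seen in this thread.
# Assumes the Windows Server Backup feature (with command-line tools) is installed
# and PowerShell 2.0+. $BackupTarget is an assumed volume letter; pick a volume
# that does not hold ntds.dit, since wbadmin will refuse a critical volume.
param(
    [string]$BackupTarget = 'E:',
    [int]$LookbackHours   = 24
)

# 1. System State backup (includes ntds.dit, SYSVOL and the registry). This is what
#    was missing in the thread. wbadmin must run elevated; -quiet suppresses the
#    interactive confirmation so the script can run from Task Scheduler.
$backup = & wbadmin start systemstatebackup "-backupTarget:$BackupTarget" -quiet 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "System State backup failed (exit $LASTEXITCODE):`n$backup"
} else {
    Write-Host "System State backup completed to $BackupTarget"
}

# 2. Scan for the two error sources that appeared in this thread: the NTDS
#    providers (Jet/database problems, logged to 'Directory Service') and
#    Microsoft-Windows-Servicing (event 4375, the failed role removal, in 'System').
#    Level 1 = Critical, 2 = Error.
$since  = (Get-Date).AddHours(-$LookbackHours)
$filter = @{ LogName = 'System','Directory Service'; Level = 1,2; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
          Where-Object { $_.ProviderName -match '^(NTDS|Microsoft-Windows-Servicing)' }

if ($events) {
    Write-Warning "$($events.Count) NTDS/Servicing error(s) in the last $LookbackHours hours:"
    $events | Select-Object TimeCreated, ProviderName, Id, Message |
              Format-Table -AutoSize -Wrap
} else {
    Write-Host "No NTDS or Servicing errors in the last $LookbackHours hours"
}
```

Run it from an elevated scheduled task; a failed backup or any listed NTDS error is the cue to investigate while the DC still boots normally, rather than after it only reaches DSRM.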