Server 2008 recreate Active Directory

Posted on 2013-11-23
Medium Priority
Last Modified: 2013-11-24
I picked up a new client who has a problem with Active Directory on Server 2008.  This is the only server, there is no System State backup, and there are about 5 users who would be easily recreated.  I do have a complete image of the drive.

I apologize for the lengthy post here, but I wanted to provide enough relevant data for troubleshooting.

The system will not boot in normal mode, giving an error in Directory Services.  I can reboot into Directory Services Repair Mode (but none of the other modes).

I have run a RAM test and a disk integrity test and both passed.  I ran sfc /scannow and it finished with a report that there were no errors found.

I tried repairing or recovering AD first with these two results:


ntdsutil: files
Active Instance not set. To set an active instance use "Activate Instance ".
ntdsutil: activate instance ntds
Active instance set to "ntds".
ntdsutil: files
Could not initialize the Jet engine:  Jet Warning 1.
Failed to open DIT for AD DS/LDS instance NTDS. Error -2147418113
ntdsutil: quit

(I am assuming that the "Activate Instance" was required because I was in DSRM.)


C:\Windows\NTDS>esentutl /p c:\windows\ntds\ntds.dit /!10240 /8 /o

Initiating REPAIR mode...
        Database: c:\windows\ntds\ntds.dit
  Temp. Database: TEMPREPAIR2728.EDB

Checking database integrity.

                     Scanning Status (% complete)

          0    10   20   30   40   50   60   70   80   90  100

Initiating DEFRAGMENTATION mode...
            Database: c:\windows\ntds\ntds.dit
      Temp. Database: TEMPREPAIR2728.EDB

                  Defragmentation Status (% complete)

          0    10   20   30   40   50   60   70   80   90  100

Operation terminated with error -1605 (JET_errKeyDuplicate, Illegal duplicate key) after 7.250 seconds.


Clearly, there is something wrong with the database.  I did not find anything useful online about the "Illegal duplicate key" error.

Even if I were able to repair the AD database, I'd have concerns about its overall integrity.  That, along with the problems above, led me to try to remove and reinstall the AD role, which seemed pretty straightforward.

I went to the server console, had it enumerate the roles, then told it to remove the AD role.  It did a lot of file crunching and rebooting (I had it set to reboot to DSRM) and eventually reported that it had tried three times and was unsuccessful.  When I look at the Event Viewer, I see a number of errors such as:

Log Name:      System
Source:        Microsoft-Windows-Servicing
Date:          11/23/2013 10:38:40 AM
Event ID:      4375
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      main.OurDomain.local
Windows Servicing failed to complete the process of setting package Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.0.6001.18000 () into Installed(Installed) state
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <Provider Name="Microsoft-Windows-Servicing" Guid="{bd12f3b8-fc40-4a61-a307-b7a013a069c1}" EventSourceName="Microsoft-Windows-Servicing" />
    <EventID Qualifiers="49152">4375</EventID>
    <TimeCreated SystemTime="2013-11-23T18:38:40.000Z" />
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Security />
    <CbsPackageChangeState xmlns="http://manifests.microsoft.com/win/2004/08/windows/setup_provider">


I would really like to avoid starting over from scratch (new install, copy data, etc.), though I don't object to recreating all of the users and rights and such.

It seems that there are two approaches here:
1)  repair the "illegal duplicate key" (and any errors that follow that one), get the system to reboot in the normal mode, then try to uninstall and reinstall AD to ensure a reliable database
2)  identify why AD won't uninstall properly, fix it, uninstall and reinstall AD  (Are there other roles that I should remove first?)

Any suggestions about how to accomplish either of these or a better approach would be helpful.
Question by:CompProbSolv
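The hard repair in the post (esentutl /p) rewrites ntds.dit in place and silently drops whatever it cannot reconcile, so a practitioner would take a copy of the NTDS folder first, run the read-only integrity check (/g), try a soft recovery (/r, which only replays the edb*.log transaction logs) if the database was left in a dirty shutdown, and keep /p for last. The PowerShell script below, an added example that is not part of the original post or its answers, walks that order from Directory Services Restore Mode. It assumes PowerShell is installed on the server, the default C:\Windows\NTDS location, and the esentutl /g, /r, /l, /s, /8, /o switches and the ntdsutil semantic database analysis command; the backup folder name is my own choice.

```powershell
# Added example (not from the original post): non-destructive first pass at an
# ntds.dit that will not open, run from Directory Services Restore Mode.
# Assumes the default database location; change $ntds if it was relocated.
$ntds   = 'C:\Windows\NTDS'
$dit    = Join-Path $ntds 'ntds.dit'
$backup = "C:\NTDS-backup-$(Get-Date -Format 'yyyyMMdd-HHmmss')"   # my naming choice

# 1. Copy the database, transaction logs (edb*.log) and checkpoint (edb.chk)
#    aside. esentutl /p rewrites ntds.dit in place; this copy is the only
#    way back if a repair makes things worse.
New-Item -ItemType Directory -Path $backup | Out-Null
Copy-Item -Path (Join-Path $ntds '*') -Destination $backup -Recurse
Write-Host "Copied $ntds to $backup"

# 2. Read-only integrity check. /g never modifies the database; /8 forces the
#    8 KB page size AD uses, /o suppresses the banner.
& esentutl.exe /g $dit /8 /o
$integrity = $LASTEXITCODE
Write-Host "esentutl /g exit code: $integrity (0 = clean)"

# 3. A dirty shutdown (power loss mid-write) leaves committed data only in the
#    logs. Soft recovery replays them without guessing at page contents.
#    'edb' is the AD DS log base name; /l and /s (no space before the path)
#    point at the log and checkpoint directories.
if ($integrity -ne 0) {
    & esentutl.exe /r edb "/l$ntds" "/s$ntds" /8 /o
    Write-Host "esentutl /r exit code: $LASTEXITCODE"
    & esentutl.exe /g $dit /8 /o
    $integrity = $LASTEXITCODE
    Write-Host "esentutl /g exit code after soft recovery: $integrity"
}

# 4. Physical structure first, directory semantics second. ntdsutil needs the
#    instance activated in DSRM (the prompt the post ran into); 'go' only
#    reports, 'go fixup' would also repair what it finds.
if ($integrity -eq 0) {
    & ntdsutil.exe 'activate instance ntds' 'semantic database analysis' 'go' q q
}
else {
    Write-Warning 'ESE still reports corruption; esentutl /p remains the last resort.'
    Write-Warning "Restore from $backup if /p fails, and expect object loss if it succeeds."
}
```

The order matters: /r is safe to run repeatedly, /g is read-only, and only /p changes what the database contains. If /p does get used, re-run the semantic database analysis afterwards, because a database ESE considers structurally sound can still hold objects AD cannot make sense of.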
LVL 35

Expert Comment

by:Seth Simmons
ID: 39671795
First, no need to apologize.  Too many people here ask vague questions, so the more details, the better.

Second, your 2 approaches are not viable solutions.  They both involve uninstalling and reinstalling AD.  When you uninstall AD from the one and only domain controller, it will remove the domain and all user and computer objects.

Do you know if the server went down from a power loss?  That could have caused data corruption.

With only 5 users and no good backup, it's probably just worth blowing away and starting over, which is probably a lot less time compared to trying to repair this (which may or may not be possible).

Since you already attempted AD role removal and failed, it's best to reinstall Windows (back up shares and user data first).
LVL 37

Expert Comment

ID: 39671812
I totally agree with Seth.

My personal experience with repairing the AD database has been very bad in my hard times.
The tool (esentutl) provided by MS for repairing the directory database doesn't seem to have extensive capabilities or to be powerful enough to repair an AD database.
The only option left in that case is to log a priority A call with MS.
MS does have and use better, more powerful tools (I call them hidden tools) for these purposes, and they will most probably resolve the problem.

It's worth building from scratch, OR
you can take MS Support..

LVL 21

Author Comment

ID: 39671814
"... are not viable"
I recognize that the domain and objects will be removed.  With so few users and devices, it would not be difficult to reconstruct.  It is certainly far less effort than a complete reinstall.

Nonetheless, you may be correct about the reinstall.  I am hoping for some other solution.  (Then again, I hope to win the lottery, too!)


Expert Comment

ID: 39671826

Based on your description,

ntdsutil: files
Active Instance not set. To set an active instance use "Activate Instance ".
ntdsutil: activate instance ntds
Active instance set to "ntds".
ntdsutil: files
Could not initialize the Jet engine:  Jet Warning 1.
Failed to open DIT for AD DS/LDS instance NTDS. Error -2147418113
ntdsutil: quit

which means that ntds.dit is not even mounted for the repair operation.

Operation terminated with error -1605 (JET_errKeyDuplicate, Illegal duplicate key)
is related to the Exchange database; however, what it means is that your DB went beyond repair, or is toast :(

So, I would recommend that you move on from this point and build it from scratch.

However, open your server is up make a smart move

Take a IFM Backup - http://trycatch.be/blogs/roggenk/archive/2007/09/12/active-directory-domain-services-install-from-restored-backup-media-ifm.aspx

Hope that helps :)
LVL 21

Author Comment

ID: 39671857
I am afraid that I don't understand:
"However, open your server is up make a smart move"

Also, the IFM Backup doesn't seem relevant here.  That is, I don't have a working AD from which to take a backup.

Once this is all resolved, Windows Server Backup will be used to keep reliable backups of AD and everything else.
LVL 37

Expert Comment

ID: 39671936
If you are not going to MS support,

Then there is no option left other than start from scratch...

LVL 24

Accepted Solution

Sandeshdubey earned 2000 total points
ID: 39672063
As others suggested, you need to contact MS for the DB repair, but as you have only five users it's worth starting from scratch.

As this is Win2008 you can forcefully demote the DC by running dcpromo /forceremoval in Directory Services Restore Mode, and you should be able to boot normally once the DC is demoted forcefully.

I would recommend that once you are in normal mode you take a backup of the data, reload the OS and then promote the server as a DC. Also run chkdsk in read-only mode to check for any drive errors, and update the server drivers and firmware too if they are not updated.
LVL 24

Expert Comment

ID: 39672065
In addition, I would also recommend having at least two DCs in the network for redundancy if there is no budget issue, or regularly backing up the server.
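The role removal in the question failed because the server was still a domain controller holding a database it could not open; dcpromo /forceremoval tears the DC role down without opening the DIT, replicating, or cleaning up metadata, which is why it works where Server Manager did not. Here is how I would script the accepted answer's steps from DSRM, as an added example that is not from the answer or the poster: an unattended dcpromo /forceremoval followed by the read-only chkdsk. It assumes a C: system volume, a placeholder local Administrator password that you replace, and the dcpromo answer-file section [DCInstall] with the AdministratorPassword and RebootOnCompletion keys.

```powershell
# Added example (not from the thread): unattended forced demotion of a lone
# Server 2008 DC whose ntds.dit will not open, run from DSRM, then the
# read-only chkdsk the answer recommends. The password below is a placeholder.
$localAdminPassword = 'Replace-Me-Before-Running!'   # becomes the local Administrator password

# /forceremoval skips replication, FSMO transfer and metadata cleanup, which is
# what is wanted when the directory database cannot be opened at all.
# The answer file lets dcpromo run without its wizard.
$answerFile = Join-Path $env:TEMP 'forceremoval.txt'
@"
[DCInstall]
AdministratorPassword=$localAdminPassword
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

& "$env:SystemRoot\System32\dcpromo.exe" /forceremoval "/unattend:$answerFile"
$demoteExit = $LASTEXITCODE

# The answer file holds a plaintext password; remove it as soon as dcpromo returns.
Remove-Item -Path $answerFile -Force
Write-Host "dcpromo /forceremoval exit code: $demoteExit"

# Read-only disk check: without /f or /r chkdsk only reports, so it runs now
# instead of queueing a repair for the next boot. Non-zero means it found
# something worth a real /f pass before the OS is reloaded.
& chkdsk.exe C:
Write-Host "chkdsk (read-only) exit code: $LASTEXITCODE"

# Reboot into normal mode by hand. If DSRM was made persistent with
# 'bcdedit /set safeboot dsrepair', clear it first:
#   bcdedit /deletevalue safeboot
# Then back up the data, reload the OS and re-promote, as the answer describes.
```

After the reboot the machine is a standalone server: the domain, its accounts and the trusts that referenced this DC are gone, which is the trade-off the poster accepted. If any other machine ever held a copy of the domain, this is also the point where ntdsutil metadata cleanup would be needed there; with a single DC there is nothing left to clean.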
LVL 21

Author Comment

ID: 39673011
Your suggestion for dcpromo /forceremoval was the critical key that I was missing.  I found that suggestion with other searches online before reading your post.  I have done that, restarted into standard mode, removed AD with the GUI, and reinstalled it.  All seems well now!

I understand the recommendation for two or more DCs, but that is pretty cost-prohibitive in such a small network.  I absolutely agree about the backup and will be implementing Windows Server Backup shortly.
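A Windows Server Backup system state backup is what would have turned this thread into a restore instead of a rebuild: it captures ntds.dit and its logs, SYSVOL, the registry and the boot files together, which is exactly the set an authoritative or non-authoritative AD restore needs. As an added example that is not from the thread, here is the one-off system state backup plus a nightly full-server schedule via wbadmin. It assumes the Windows Server Backup feature and its command-line tools are installed, and that a separate backup volume is mounted as E: (a placeholder).

```powershell
# Added example (not from the thread): system state and nightly full-server
# backups with wbadmin on Server 2008. E: is a placeholder for a dedicated
# backup volume.
$target = 'E:'

# Server 2008 RTM refuses a system state backup to a target that itself holds
# a critical volume unless this value is set. It only matters when $target is
# not a dedicated volume; setting it on a dedicated volume changes nothing.
$wbengine = 'HKLM:\SYSTEM\CurrentControlSet\Services\wbengine\SystemStateBackup'
if (-not (Test-Path $wbengine)) { New-Item -Path $wbengine -Force | Out-Null }
Set-ItemProperty -Path $wbengine -Name AllowSSBToAnyVolume -Value 1 -Type DWord

# One-off system state backup: ntds.dit and logs, SYSVOL, registry, COM+
# catalog and boot files. This is the set a later AD restore works from.
& wbadmin.exe start systemstatebackup "-backupTarget:$target" -quiet
Write-Host "system state backup exit code: $LASTEXITCODE (0 = success)"

# Nightly full-server backup at 23:00. -allCritical selects every volume
# needed for a bare-metal restore, which includes the system state.
& wbadmin.exe enable backup "-addtarget:$target" "-schedule:23:00" -allCritical -quiet
Write-Host "schedule configuration exit code: $LASTEXITCODE"

# List what is actually on the target. A backup nobody has ever listed or
# test-restored is not yet a backup.
& wbadmin.exe get versions "-backupTarget:$target"
```

The listing at the end is the part people skip: schedule a test restore of the system state to a spare machine or VM once, so that when the next ntds.dit refuses to open the recovery is a known procedure rather than a forum thread.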
