Server 2008 recreate Active Directory

Posted on 2013-11-23
Last Modified: 2013-11-24
I picked up a new client who has a problem with Active Directory on Server 2008.  This is the only server, there is no System State backup, and there are about 5 users who would be easily recreated.  I do have a complete image of the drive.

I apologize for the lengthy post here, but I wanted to provide enough relevant data for troubleshooting.

The system will not boot in normal mode, giving an error in Directory Services.  I can reboot into Directory Services Repair Mode (but none of the other modes).

I have run a RAM test and a disk integrity test and both passed.  I ran sfc /scannow and it finished with a report that there were no errors found.

I tried repairing or recovering AD first with these two results:


ntdsutil: files
Active Instance not set. To set an active instance use "Activate Instance ".
ntdsutil: activate instance ntds
Active instance set to "ntds".
ntdsutil: files
Could not initialize the Jet engine:  Jet Warning 1.
Failed to open DIT for AD DS/LDS instance NTDS. Error -2147418113
ntdsutil: quit

(I am assuming that the "Activate Instance" was required because I was in DSRM.)


C:\Windows\NTDS>esentutl /p c:\windows\ntds\ntds.dit /!10240 /8 /o

Initiating REPAIR mode...
        Database: c:\windows\ntds\ntds.dit
  Temp. Database: TEMPREPAIR2728.EDB

Checking database integrity.

                     Scanning Status (% complete)

          0    10   20   30   40   50   60   70   80   90  100

Initiating DEFRAGMENTATION mode...
            Database: c:\windows\ntds\ntds.dit
      Temp. Database: TEMPREPAIR2728.EDB

                  Defragmentation Status (% complete)

          0    10   20   30   40   50   60   70   80   90  100

Operation terminated with error -1605 (JET_errKeyDuplicate, Illegal duplicate ke
y) after 7.250 seconds.


Clearly, there is something wrong with the database.  I did not find anything useful online about the "Illegal duplicate key" error.

Even if I were able to repair the AD database, I'd have concerns about its overall integrity.  That, along with the problems above, led me to try to remove and reinstall the AD role, which seemed pretty straightforward.

I went to the server console, had it enumerate the roles, then told it to remove the AD role.  It did a lot of file crunching and rebooting (I had it set to reboot to DSRM) and eventually reported that it had tried three times and was unsuccessful.  When I look at the Event Viewer, I see a number of errors such as:

Log Name:      System
Source:        Microsoft-Windows-Servicing
Date:          11/23/2013 10:38:40 AM
Event ID:      4375
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      main.OurDomain.local
Windows Servicing failed to complete the process of setting package Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.0.6001.18000 () into Installed(Installed) state
Event Xml:
<Event xmlns="">
    <Provider Name="Microsoft-Windows-Servicing" Guid="{bd12f3b8-fc40-4a61-a307-b7a013a069c1}" EventSourceName="Microsoft-Windows-Servicing" />
    <EventID Qualifiers="49152">4375</EventID>
    <TimeCreated SystemTime="2013-11-23T18:38:40.000Z" />
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Security />
    <CbsPackageChangeState xmlns="">


I would really like to avoid starting over from scratch (new install, copy data, etc.), though I don't object to recreating all of the users and rights and such.

It seems that there are two approaches here:
1)  repair the "illegal duplicate key" (and any errors that follow that one), get the system to reboot in the normal mode, then try to uninstall and reinstall AD to ensure a reliable database
2)  identify why AD won't uninstall properly, fix it, uninstall and reinstall AD  (Are there other roles that I should remove first?)

Any suggestions about how to accomplish either of these or a better approach would be helpful.
Question by:CompProbSolv
LVL 34

Expert Comment

by:Seth Simmons
ID: 39671795
First, no need to apologize.  Too many people here ask vague questions, so the more details, the better.

Second, your 2 approaches are not viable solutions.  They both involve uninstalling and reinstalling AD.  When you uninstall AD from the one and only domain controller, it will remove the domain and all user and computer objects.

Do you know if the server went down from a power loss?  That could have caused data corruption.

With only 5 users and no good backup, it's probably just worth blowing away and starting over, which is probably a lot less time compared to trying to repair this (which may or may not be possible).

Since you already attempted AD role removal and failed, it's best to reinstall Windows (back up shares and user data first).
LVL 35

Expert Comment

ID: 39671812
I totally agree with Seth.

My personal experience with repairing the AD database has been very bad in my hard times.
The tool (esentutl) provided by MS for repairing the directory database does not seem to have extensive or powerful enough capabilities to repair an AD database.
The only option left in that case is to log a priority A call with MS.
MS does have / use better, more powerful tools (I call them hidden tools) for these purposes, and they will most probably resolve the problem.

It's worth building from scratch, OR
you can take MS Support.

LVL 20

Author Comment

ID: 39671814
"... are not viable"
I recognize that the domain and objects will be removed.  With so few users and devices, it would not be difficult to reconstruct.  It is certainly far less effort than a complete reinstall.

Nonetheless, you may be correct about the reinstall.  I am hoping for some other solution.  (Then again, I hope to win the lottery, too!)

Expert Comment

ID: 39671826

Based on your description,

ntdsutil: files
Active Instance not set. To set an active instance use "Activate Instance ".
ntdsutil: activate instance ntds
Active instance set to "ntds".
ntdsutil: files
Could not initialize the Jet engine:  Jet Warning 1.
Failed to open DIT for AD DS/LDS instance NTDS. Error -2147418113
ntdsutil: quit

which means that ntds.dit is not even mounted for the repair operation.

Operation terminated with error -1605 (JET_errKeyDuplicate, Illegal duplicate ke
This is usually related to the Exchange database; however, what it means is that your DB has gone beyond repair, or is toast :(

So, I would recommend you to move on from this point and build it from scratch.

However, open your server is up make a smart move

Take an IFM Backup -

Hope that helps :)

LVL 20

Author Comment

ID: 39671857
I am afraid that I don't understand:
"However, open your server is up make a smart move"

Also, the IFM Backup doesn't seem relevant here.  That is, I don't have a working AD from which to take a backup.

Once this is all resolved, Windows Server Backup will be used to keep reliable backups of AD and everything else.
LVL 35

Expert Comment

ID: 39671936
If you are not going to MS support,

then there is no option left other than starting from scratch...

LVL 24

Accepted Solution

Sandeshdubey earned 500 total points
ID: 39672063
As others suggested, you need to contact MS for the DB repair, but as you have only five users it's worth starting from scratch.

As this is Win2008 you can forcefully demote the DC by running dcpromo /forceremoval in Directory Services Restore Mode, and you should be able to boot normally once the DC is demoted forcefully.

I would recommend, once you are in normal mode, taking a backup of the data, reloading the OS and then promoting the server as a DC. Also run chkdsk in read-only mode to check for any drive errors, and update the server drivers and firmware too if they are not updated.
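The forced demotion described in this answer, followed by the post-reboot check that the box really is no longer a DC, as an added example that is not part of the original thread. It assumes you are logged on as the DSRM administrator, that the BCD entry was set to boot into DSRM (as the asker did), and uses placeholder paths and a placeholder password; the dcpromo unattend keys shown are the standard dcpromo ones, and the DomainRole values are those documented for Win32_ComputerSystem.

```powershell
# Added example (not from the thread): force-demote a lone Server 2008 DC from
# Directory Services Restore Mode, then confirm the role change after the reboot.
# Assumptions: run in DSRM as the DSRM administrator; paths and password are placeholders.

$answerFile = 'C:\demote.txt'   # placeholder path

# dcpromo unattend file. AdministratorPassword becomes the local Administrator
# password once the machine is no longer a DC, so choose it deliberately.
@"
[DCInstall]
AdministratorPassword=<CHOOSE-A-NEW-LOCAL-ADMIN-PASSWORD>
RemoveApplicationPartitions=Yes
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

# /forceremoval skips replication cleanup and is only appropriate when there is no
# other DC to talk to. Refuse to run unless the current BCD entry is DSRM (safeboot dsrepair).
$bcd = bcdedit /enum '{current}'
if (-not ($bcd -match 'safeboot\s+dsrepair')) {
    throw 'Not booted into Directory Services Restore Mode; aborting forced demotion.'
}

dcpromo /forceremoval /unattend:$answerFile
Remove-Item $answerFile -Force        # the answer file contains a password; do not leave it on disk

# Clear the DSRM boot flag so the next start is a normal boot, then restart.
bcdedit /deletevalue '{current}' safeboot
shutdown /r /t 0

# --- run this part after the reboot into normal mode --------------------------
# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
# A successfully force-demoted server reports 2 (standalone server) until re-promoted.
$role = (Get-WmiObject Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    throw "Server still reports DomainRole $role; the demotion did not take."
}
Write-Host "DomainRole is $role - safe to back up data and re-add the AD DS role."
```

The second half is meant to be pasted into a fresh session after the restart; if DomainRole is still 4 or 5, do not reinstall the role on top of the stale database.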
LVL 24

Expert Comment

ID: 39672065
In addition, I would also recommend having at least two DCs in the network for redundancy if there is no budget issue, or regularly backing up the server.
LVL 20

Author Comment

ID: 39673011
Your suggestion for dcpromo /forceremoval was the critical key that I was missing.  I found that suggestion with other searches online before reading your post.  I have done that, restarted into standard mode, removed AD with the GUI, and reinstalled it.  All seems well now!

I understand the recommendation for two or more DCs, but that is pretty cost-prohibitive in such a small network.  I absolutely agree about the backup and will be implementing Windows Server Backup shortly.
