DC Failed to Start

After a power failure, one of our domain controllers failed to start this morning. The error shows as follows:
Your PC ran into a problem and needs to restart. We're just collecting some error info, and then we'll restart for you. (%% complete)
If you'd like to know more, you can search online later for this error 0xc00002e2


This is one of the on-site DCs, and it runs on a Hyper-V virtual machine. One of the DCs is running and we have no problem logging in. At this point, what is the best way to restore the corrupt DC? Shall I repair the DC, or remove the DC by force and recreate one? I am wondering what the best practice is for this situation. Thanks
MoonLive Asked:

Thomas Grassi (Systems Administrator) Commented:
If the DC is dead and will not start, then you can only do a force removal.

Which DC owns the roles?

Try to get the working DC all the roles first.

Then build a new DC.
MoonLive (Author) Commented:
What is the best way to force-remove the DC and make sure there is no reference left? Is there any way to find out what roles this dead DC holds? Thanks
R. Andrew Koffron Commented:
Do you have snapshots from before the failure for the VM?
Backups?
What roles are running on the server?
Have you tried starting in directory restore mode?

Thomas Grassi (Systems Administrator) Commented:
netdom query fsmo on the working DC will show you the roles.

To seize the roles:

https://www.petri.com/seizing_fsmo_roles

HTH
MoonLive (Author) Commented:
When I tried to follow the steps to recover AD using the ntds utility, I got an error:
Failed to open DIT for AD DS/LDS instance NTDS. Error -2147418113
Any idea?
I followed: http://blog.msallal.com/2015/02/windows-server-2012-crash-error.html
MoonLive (Author) Commented:
I don't have any snapshots, and netdom query fsmo shows all roles are pointing to my main DC at the main site. Does that mean I can remove the troubled DC?
MoonLive (Author) Commented:
OK. The DC is now up and running. Here is what I did.
Those who have the same issue as I did can try the following.

Restoring the AD database from the dead!
Restart the instance and press F8 until the boot menu appears.
Boot into Directory Services Repair Mode (DSRM). This mode appears only on a DC, and is used to interact with the NTDS database while it is offline. While booting, it may do some repairs and reboot, requiring you to do this a second time.
Log in with a local administrator account; since the AD service will not be running, domain users will not be available.
Open a Command Prompt (Win-R, CMD, Enter).
Navigate to C:\Windows\NTDS
Back up everything in this location.
Type NTDSUTIL and press Enter.
Type "activate instance ntds" and press Enter. Type "Files" and press Enter.
Type "Info" and press Enter (this will show you the log location in case you have more than one partition).
Navigate to the logs location and delete (or rename) the *.log files.
-- Here is what I did differently from the blog (http://blog.msallal.com/2015/02/windows-server-2012-crash-error.html), because I got an error.

Exit out of the ntds utility.
Type ESENTUTL /p C:\Windows\NTDS\ntds.dit (this will tell you ntds is corrupted)
Type ESENTUTL /g C:\Windows\NTDS\ntds.dit (defragged successfully, but with a warning message to restore from recovery)

Go back to the ntds utility.
Type: activate instance NTDS
Type: files
Type: info (you should see some log files). Rename all log files.
Type “Compact to ” and press Enter. I created C:\Windows\NTDS\Temp and used that.
Copy the new Ntds.dit file in the temp folder over the old one in NTDS, and rename all the *.log files.
Reboot normally.
It works now!!!!!
Thomas Grassi (Systems Administrator) Commented:
repadmin /replsum >>dclogx.txt
repadmin /showrepl >>dclogx.txt
repadmin /bridgeheads >>dclogx.txt

dcdiag >>dclogx.txt
dcdiag /test:registerindns /dnsdomain:FQDN>>dclogx.txt
dcdiag /c /v >>dclogx.txt
dcdiag /test:dns >>dclogx.txt

Run the above first

MoonLive (Author) Commented:
Thomas,
All failed after restarting the DC. The dead DC is live but AD is not. It is useless!
I am getting rid of this DC and rebuilding another one. I have another DC running fine.

How do I remove references to the dead DC from AD? Thanks for your help!
Thomas Grassi (Systems Administrator) Commented:
MoonLive (Author) Commented:
OK. I removed the dead DC and it seems to work, but I encountered a few errors while running diagnostics. I ran all of your commands and exported the output to dclogx.txt. Here is one of the errors shown:
Starting test: SystemLog

         An error event occurred.  EventID: 0x40000004

            Time Generated: 01/18/2016   14:19:12

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server win-ea67kg0ub35$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/7a7e9ea1-1714-4765-a997-274f1ff2c119/mydomain.com@mydomain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (MYDOMAIN.COM) is different from the client domain (MYDOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         ......................... NEWDC2 failed test SystemLog

What do you think?
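
One way to triage the combined dclogx.txt produced by the repadmin/dcdiag commands in this thread, added here as an example and not part of any poster's reply: it lists every failed dcdiag test and, for KRB_AP_ERR_MODIFIED events, pulls out the server account and target name so they can be compared against the accounts and SPNs that should exist after the rebuild. The function name Get-DcDiagFinding is hypothetical and the sample lines are constructed in the shape of the output quoted above.

```powershell
# Constructed sample shaped like the dcdiag output quoted in this thread.
# For a real run, replace it with:  $sample = Get-Content .\dclogx.txt
$sample = @'
      Starting test: SystemLog
         An error event occurred.  EventID: 0x40000004
            Time Generated: 01/18/2016   14:19:12
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server win-example01$. The target name used was ldap/newdc2.example.test@EXAMPLE.TEST. This indicates that the target server failed to decrypt the ticket provided by the client.
         ......................... NEWDC2 failed test SystemLog
      Starting test: Advertising
         ......................... NEWDC2 passed test Advertising
'@ -split "`r?`n"

function Get-DcDiagFinding {
    # Hypothetical helper: walks dcdiag text and emits one object per finding.
    param([string[]]$Line)
    $test = $null; $eventId = $null; $time = $null
    foreach ($l in $Line) {
        switch -Regex ($l) {
            # A new test section resets the per-event context.
            'Starting test:\s*(\S+)'      { $test = $Matches[1]; $eventId = $null; $time = $null; break }
            'EventID:\s*(0x[0-9A-Fa-f]+)' { $eventId = $Matches[1]; break }
            'Time Generated:\s*(.+?)\s*$' { $time = $Matches[1]; break }
            # Kerberos ticket-decrypt failure: keep who answered and which name was requested.
            'KRB_AP_ERR_MODIFIED error from the server (\S+?)\.\s.*target name used was (\S+)\.\s' {
                [pscustomobject]@{
                    Kind = 'KerberosApErrModified'; Dc = $null; Test = $test
                    EventId = $eventId; Time = $time
                    Server = $Matches[1]; Target = $Matches[2]
                }
                break
            }
            # dcdiag verdict line: "......... <DC> failed test <TestName>"
            '\.{5,}\s*(\S+) failed test (\S+)' {
                [pscustomobject]@{
                    Kind = 'FailedTest'; Dc = $Matches[1]; Test = $Matches[2]
                    EventId = $null; Time = $null; Server = $null; Target = $null
                }
                break
            }
        }
    }
}

Get-DcDiagFinding -Line $sample | Format-List
```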