Avatar of MoonLive


DC Failed to Start

After a power failure, one of the domain controllers failed to start this morning. The error shows as follows:
Your PC ran into a problem and needs to restart. We're just collecting some error info, and then we'll restart for you. (%% complete)
If you'd like to know more, you can search online later for this error 0xc00002e2

This is one of the on-site DCs and it runs on a Hyper-V virtual machine. One of the DCs is running and we have no problem logging in. At this point, what is the best way to restore the corrupt DC? Shall I repair the DC or remove the DC by force and recreate one? I am wondering what the best practice is for this situation. Thanks
Avatar of Member_2_6492660_1

If the DC is dead and will not start, then you can only do a forced removal.

Which DC owns the roles?

Try to get all the roles onto the working DC first.

Then build a new DC.
Avatar of MoonLive


What is the best way to force removal of the DC and make sure there is no reference left? Is there any way to find out what roles this dead DC holds? Thanks
Avatar of R. Andrew Koffron
Do you have snapshots of the VM from before the failure?
What roles are running on the server?
Have you tried starting in directory restore mode?
netdom query fsmo on the working DC will show you the roles.

To seize the roles

When I tried to recover AD using the ntds utility, I got an error:
Failed to open DIT for AD DS/LDS instance NTDS. Error -2147418113. Any idea?
I followed:
I don't have any snapshots, and netdom query fsmo shows all roles are pointing to my main DC at the main site. Does that mean I can remove the troubled DC?
OK. The DC is now up and running. Here is what I did.
Those who have the same issue as I did, try the following.

Restoring AD Database from dead!
Restart the instance and press F8 until the boot menu appears.
Boot into Directory Services Repair Mode (DSRM). This mode appears only on a DC, to let you interact with the NTDS database while it is offline. While booting, it may do some repairs and reboot, requiring you to do this a second time.
Log in with a local administrator account, since the AD service will not be running and domain users will not be available.
Open a Command Prompt (Win-R, CMD, Enter)
Navigate to C:\Windows\NTDS
Back up everything in this location.
Type NTDSUTIL and press Enter.
Type "activate instance ntds" and press Enter. Type “Files” and press Enter.
Type “Info” and press Enter (this shows you the log location, in case you have more than one partition).
Navigate to the log location and delete (or rename) the *.log files.
-- Here is what I did differently from the blog (because I got an error).

Exit out of the ntds utility.
Type  ESENTUTL /p C:\Windows\NTDS\ntds.dit (this will tell you ntds is corrupted)
Type  ESENTUTL /g C:\Windows\NTDS\ntds.dit (Defragged successfully, but with a warning message to restore from recovery)

Go back to the ntds utility.
Type: activate instance NTDS
Type: files
Type: info (you should see some log files). Rename all log files.
Type “Compact to ” and press Enter. I created C:\Windows\NTDS\Temp and used that.
Copy the new file Ntds.dit in the temp folder over the old one in NTDS, and rename all the *.log files.
Reboot normally.
It works now!!!!!
All failed after restarting the DC. The dead DC is live but AD is not. It is useless!
I am getting rid of this DC and rebuilding another one. I have another DC running fine.

How do I remove references to the dead DC from AD? Thanks for your help!
OK. I removed the dead DC and it seems to work, but I encountered a few errors while running diagnostics. I ran all of your commands and exported to dclogx.txt. Here is one of the errors shown:
Starting test: SystemLog

         An error event occurred.  EventID: 0x40000004

            Time Generated: 01/18/2016   14:19:12

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server win-ea67kg0ub35$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/7a7e9ea1-1714-4765-a997-274f1ff2c119/ This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (MYDOMAIN.COM) is different from the client domain (MYDOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         ......................... NEWDC2 failed test SystemLog

What do you think?
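
The dcdiag excerpt above, run through a small parser, as an added example that is not part of the original thread: it pulls each logged event out of dcdiag text output, reduces the EventID to its low 16 bits, and lists the accounts behind KRB_AP_ERR_MODIFIED so exported logs from several DCs can be compared after a DC has been removed. The function names and the abridged sample are assumptions made for the illustration.

```python
import re

# Abridged from the dcdiag excerpt quoted in the thread; event text shortened.
SAMPLE = """\
Starting test: SystemLog
         An error event occurred.  EventID: 0x40000004
            Time Generated: 01/18/2016   14:19:12
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server win-ea67kg0ub35$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/7a7e9ea1-1714-4765-a997-274f1ff2c119/ This indicates that the target server failed to decrypt the ticket provided by the client.
         ......................... NEWDC2 failed test SystemLog
"""

# SPN service class of AD replication (the DRSUAPI RPC interface UUID).
DRS_SPN_CLASS = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"
EVENT_RE = re.compile(r"An? (error|warning) event occurred\.\s+EventID:\s+(0x[0-9a-f]+)", re.I)
KRB_RE = re.compile(r"received a (KRB_\w+) error from the server (\S+?)\.\s+The target name used was (\S+)")
RESULT_RE = re.compile(r"\.{5,}\s+(\S+) (passed|failed) test (\S+)")

def parse_dcdiag(text):
    """Return (events, results) parsed from dcdiag text output."""
    events, results, test, cur = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Starting test:"):
            test, cur = line.split(":", 1)[1].strip(), None
        elif m := EVENT_RE.search(line):
            # dcdiag prints the full identifier; the low 16 bits are the event ID.
            cur = {"test": test, "level": m.group(1).lower(),
                   "event_id": int(m.group(2), 16) & 0xFFFF}
            events.append(cur)
        elif cur is not None and line.startswith("Time Generated:"):
            cur["time"] = " ".join(line.split(":", 1)[1].split())
        elif cur is not None and (m := KRB_RE.search(line)):
            cur.update(krb_error=m.group(1), server=m.group(2), target=m.group(3))
        elif m := RESULT_RE.search(line):
            results.append({"dc": m.group(1), "status": m.group(2), "test": m.group(3)})
            cur = None
    return events, results

def kerberos_mismatches(text):
    """(account, target SPN, is_replication) for every KRB_AP_ERR_MODIFIED event."""
    events, _ = parse_dcdiag(text)
    return sorted({(e["server"], e["target"], e["target"].upper().startswith(DRS_SPN_CLASS))
                   for e in events if e.get("krb_error") == "KRB_AP_ERR_MODIFIED"})

if __name__ == "__main__":
    for row in kerberos_mismatches(SAMPLE):
        print(row)
```

The event text itself names the two causes to check for each listed account: the SPN registered on a different account, or a password mismatch between the service and the KDC.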