MoonLive asked:

DC Failed to Start

After a power failure, one of the domain controllers failed to start this morning. The error shows as follows:
Your PC ran into a problem and needs to restart. We're just collecting some error info, and then we'll restart for you. (%% complete)
If you'd like to know more, you can search online later for this error: 0xc00002e2


This is one of the DCs onsite, and it is a Hyper-V virtual machine. One of the other DCs is running and we have no problem logging in. At this point, what is the best way to restore the corrupt DC? Shall I repair the DC, or remove the DC by force and recreate one? I am wondering what the best practice is for this situation. Thanks
Tags: Hyper-V, Windows Server 2012, Windows Networking

Last comment: MoonLive, 8/22/2022 - Mon
Member_2_6492660_1

If the DC is dead and will not start, then you can only do a force removal.

Which DC owns the roles?

Try to get all the roles onto the working DC first.

Then build a new DC.
MoonLive

ASKER
What is the best way to force-remove the DC and make sure there is no reference left? Is there any way to find out what roles this dead DC holds? Thanks
R. Andrew Koffron

Do you have snapshots of the VM from before the failure?
Backups?
What roles are running on the server?
Have you tried starting in directory restore mode?
Member_2_6492660_1

netdom query fsmo on the working DC will show you the roles.

To seize the roles:


https://www.petri.com/seizing_fsmo_roles

HTH
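To make the advice above concrete (check which DC holds each FSMO role, then seize onto the surviving DC only the roles whose holder is gone), here is an added PowerShell example. It is not code from this post or from the linked article; it uses the ActiveDirectory module, lists the same holders that netdom query fsmo prints, and $SurvivingDc is a placeholder for the DC that is still running.

```powershell
# Added example (not the poster's code): list the five FSMO role holders and, if a role
# points at a DC that no longer answers, seize it onto the surviving DC.
# Assumption: run on a working DC with the ActiveDirectory module; $SurvivingDc is a placeholder.
Import-Module ActiveDirectory

$SurvivingDc = 'DC1.mydomain.com'   # placeholder: the DC that is still running

$domain = Get-ADDomain
$forest = Get-ADForest

# Role names exactly as Move-ADDirectoryServerOperationMasterRole expects them, mapped to the current holder.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# Same information 'netdom query fsmo' prints.
foreach ($role in $roles.Keys) {
    Write-Host ("{0,-22} {1}" -f $role, $roles[$role])
}

# Roles whose holder does not answer a ping are candidates for seizure.
$orphaned = $roles.Keys | Where-Object {
    -not (Test-Connection -ComputerName $roles[$_] -Count 1 -Quiet)
}

if ($orphaned) {
    Write-Warning "Roles held by an unreachable DC: $($orphaned -join ', ')"
    # -Force seizes instead of transferring. Only do this when the old holder will never come back:
    # a DC that had a role seized away from it must not be brought online again with that role.
    Move-ADDirectoryServerOperationMasterRole -Identity $SurvivingDc -OperationMasterRole $orphaned -Force -Confirm:$false
} else {
    Write-Host 'All FSMO roles are held by reachable DCs; nothing to seize.'
}
```

The ping check is deliberately simple: a DC that is up but whose AD service is broken (as in this thread) will answer the ping, so compare the printed holders against the DC you know is healthy before relying on the automatic decision.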
MoonLive

ASKER
When I tried to follow the steps to recover AD using the ntds utility, I got an error:
Failed to open DIT for AD DS/LDS instance NTDS. Error -2147418113
Any idea? I followed: http://blog.msallal.com/2015/02/windows-server-2012-crash-error.html
MoonLive

ASKER
I don't have any snapshot, and netdom query fsmo shows all roles are pointing to my main DC at the main site. Does that mean I can remove the troubled DC?
MoonLive

ASKER
OK. The DC is now up and running. Here is what I did.
Those who have the same issue as I did can try the following.

Restoring the AD database from the dead!
1. Restart the instance and press F8 until the boot menu appears.
2. Boot into Directory Services Repair Mode (DSRM). This mode appears only on a DC and lets you interact with the NTDS database while it is offline. While booting it may do some repairs and reboot, requiring you to do this a second time.
3. Log in with a local administrator account, since the AD service will not be running and domain users will not be available.
4. Open a Command Prompt (Win-R, CMD, Enter).
5. Navigate to C:\Windows\NTDS.
6. Back up everything in this location.
7. Type NTDSUTIL and press Enter.
8. Type "activate instance ntds" and press Enter. Type "Files" and press Enter.
9. Type "Info" and press Enter (this shows you the log location, in case you have more than one partition).
10. Navigate to the log location and delete (or rename) the *.log files.
-- Here is what I did differently from the blog (http://blog.msallal.com/2015/02/windows-server-2012-crash-error.html), because I got an error.
11. Exit the ntds utility.
12. Type ESENTUTL /p C:\Windows\NTDS\ntds.dit (this will tell you ntds is corrupted).
13. Type ESENTUTL /g C:\Windows\NTDS\ntds.dit (defragged successfully, but with a warning message to restore from recovery).
14. Go back into the ntds utility.
15. Type: activate instance NTDS
16. Type: files
17. Type: info (you should see some log files). Rename all log files.
18. Type "Compact to " and press Enter. I created C:\Windows\NTDS\Temp and used that.
19. Copy the new Ntds.dit file from the temp folder over the old one in NTDS, and rename all the *.log files.
20. Reboot normally.
It works now!!!!!
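The same recovery sequence, as an added PowerShell example rather than the asker's own typed commands: it backs up the NTDS folder first, runs the read-only integrity check (esentutl /g) before the destructive repair (esentutl /p), renames the logs, runs the ntdsutil compaction non-interactively, and verifies the result before anything is put in place. It assumes the default C:\Windows\NTDS location for both the database and the logs (run files / info in ntdsutil, as the post does, if yours differ) and is meant to be run from an elevated prompt after booting into DSRM; $CompactDir and $BackupRoot are my names.

```powershell
# Added example (not the asker's script): the post's recovery steps with a check after each one.
# Assumptions: ntds.dit and its logs are both in C:\Windows\NTDS; you are booted into DSRM so AD is offline.
$NtdsDir    = 'C:\Windows\NTDS'
$Dit        = Join-Path $NtdsDir 'ntds.dit'
$CompactDir = Join-Path $NtdsDir 'Temp'                                   # where ntdsutil writes the compacted copy
$BackupRoot = 'C:\NTDS-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss')    # placeholder backup location

# Step 1: back up everything in the NTDS folder before touching it (the post's step 6).
Copy-Item -Path $NtdsDir -Destination $BackupRoot -Recurse -Force
Write-Host "NTDS folder copied to $BackupRoot"

# Step 2: integrity check only. esentutl /g does not modify the database; a non-zero exit code means damage.
esentutl /g $Dit
Write-Host "Integrity check exit code: $LASTEXITCODE"
if ($LASTEXITCODE -eq 0) {
    Write-Host 'ntds.dit passes the integrity check; the fault is probably in the log files, not the database. Stopping here.'
    return
}

# Step 3 (destructive): esentutl /p is a hard repair that discards pages it cannot read, so directory
# objects can be lost. The post had no backup or snapshot to restore instead; if you have one, restore it.
esentutl /p $Dit
if ($LASTEXITCODE -ne 0) { throw "esentutl /p failed with exit code $LASTEXITCODE" }

# Step 4: rename the transaction logs so the repaired database is not replayed against stale logs.
Get-ChildItem -Path $NtdsDir -Filter '*.log' | ForEach-Object {
    Rename-Item -Path $_.FullName -NewName ($_.Name + '.old')
}

# Step 5: offline compaction with ntdsutil, passing the same commands the post typed interactively.
New-Item -ItemType Directory -Path $CompactDir -Force | Out-Null
ntdsutil 'activate instance ntds' 'files' "compact to $CompactDir" 'quit' 'quit'
$compacted = Join-Path $CompactDir 'ntds.dit'
if (-not (Test-Path $compacted)) { throw "ntdsutil did not produce $compacted; inspect its output above" }

# Step 6: verify the compacted copy before it replaces the original (the original is still in $BackupRoot).
esentutl /g $compacted
if ($LASTEXITCODE -ne 0) { throw "Compacted database fails the integrity check; restore from $BackupRoot" }
Copy-Item -Path $compacted -Destination $Dit -Force

Write-Host 'Database repaired and compacted. Reboot normally, then run dcdiag and repadmin /showrepl to confirm replication.'
```

Two points worth keeping in mind: the integrity check is run twice on purpose (once to decide whether a repair is needed at all, once on the compacted copy before it is swapped in), and a DC whose database went through esentutl /p may have lost objects, which is why the later advice in this thread, rebuilding the DC, is the safer end state when another healthy DC exists.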
ASKER CERTIFIED SOLUTION
Member_2_6492660_1

MoonLive

ASKER
Thomas,
Everything failed after the DC restart. The dead DC is live but AD is not. It is useless!
I am getting rid of this DC and rebuilding another one. I have another DC running well.

How do I remove the references to the dead DC from AD? Thanks for your help!
Member_2_6492660_1

MoonLive

ASKER
OK. I removed the dead DC and it seems to work, but I encountered a few errors while running diagnostics. I ran all of your commands and exported the output to dclogx.txt. Here is one of the errors showing:
Starting test: SystemLog

         An error event occurred.  EventID: 0x40000004

            Time Generated: 01/18/2016   14:19:12

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server win-ea67kg0ub35$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/7a7e9ea1-1714-4765-a997-274f1ff2c119/mydomain.com@mydomain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (MYDOMAIN.COM) is different from the client domain (MYDOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         ......................... NEWDC2 failed test SystemLog

What do you think?
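Two things are left open in the thread: confirming that no reference to the dead DC remains (the question a few posts up) and working out what the KRB_AP_ERR_MODIFIED event above is pointing at. The following PowerShell is an added example that checks both; it is not code from the thread or from the certified answer that is not shown here. It assumes a working DC with the ActiveDirectory and DnsServer modules, $DeadDc is a placeholder for the removed DC's name, and $EventText is constructed from the event quoted in the post.

```powershell
# Added example (not from the thread): after a dead DC has been force-removed, look for leftover
# references to it and check who holds the replication SPN named in the KRB_AP_ERR_MODIFIED event.
# Assumptions: run on a working DC; $DeadDc is a placeholder; $EventText is the event quoted in the post.
Import-Module ActiveDirectory
Import-Module DnsServer

$DeadDc    = 'OLDDC'            # placeholder: name of the DC that was removed
$DomainDns = 'mydomain.com'     # domain name as it appears in the quoted event

# 1. Still listed as a DC? Then its NTDS Settings object survived and metadata cleanup did not run.
if (Get-ADDomainController -Filter "Name -eq '$DeadDc'") {
    Write-Warning "$DeadDc still has an NTDS Settings object; metadata cleanup has not been done."
}

# 2. Leftover computer account (normally removed together with the server object).
$acct = Get-ADComputer -Filter "Name -eq '$DeadDc'"
if ($acct) { Write-Warning "Computer account still exists: $($acct.DistinguishedName)" }

# 3. DNS records that still name the dead DC: its own A record, and SRV/NS records that target it.
foreach ($zone in @($DomainDns, "_msdcs.$DomainDns")) {
    Get-DnsServerResourceRecord -ZoneName $zone -ErrorAction SilentlyContinue | Where-Object {
        ($_.HostName -ieq $DeadDc) -or
        ($_.RecordType -eq 'SRV' -and $_.RecordData.DomainName -like "$DeadDc.*") -or
        ($_.RecordType -eq 'NS'  -and $_.RecordData.NameServer -like "$DeadDc.*")
    } | ForEach-Object {
        Write-Warning "Stale DNS record in ${zone}: $($_.HostName) ($($_.RecordType))"
    }
}

# 4. Decode the SPN in the event. E3514235-4B06-11D1-AB04-00C04FC2DCD2 is the AD replication service
#    class; the GUID after it is the objectGUID of the NTDS Settings object of the DC the client tried to
#    reach. That SPN must be registered on exactly one account: that DC's computer account.
$EventText = 'The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server win-ea67kg0ub35$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/7a7e9ea1-1714-4765-a997-274f1ff2c119/mydomain.com@mydomain.com.'

if ($EventText -match 'from the server (?<server>\S+?)\.? The target name used was (?<spn>\S+?)@') {
    $server  = $Matches.server
    $spn     = $Matches.spn
    $dsaGuid = ($spn -split '/')[1]

    # Which live DC owns that DSA GUID?
    $owner = Get-ADDomainController -Filter * | Where-Object {
        (Get-ADObject -Identity $_.NTDSSettingsObjectDN).ObjectGUID.ToString() -ieq $dsaGuid
    }
    # Which accounts actually have the SPN registered?
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)

    Write-Host "Client assumed server account : $server"
    Write-Host "DSA GUID $dsaGuid belongs to : $(if ($owner) { $owner.HostName } else { '<no live DC>' })"
    Write-Host "SPN registered on             : $(if ($holders) { $holders.DistinguishedName -join '; ' } else { '<nothing>' })"

    if (-not $owner) {
        Write-Warning 'The DSA GUID belongs to no live DC: the client still has a replication link to a removed DC (check repadmin /showrepl and the connection objects under NTDS Settings).'
    } elseif ($holders.Count -ne 1 -or $holders[0].DistinguishedName -ne $owner.ComputerObjectDN) {
        Write-Warning 'The SPN is missing or registered on the wrong account, so the KDC encrypted the ticket with a different key than the target uses (setspn -X lists duplicates).'
    } else {
        Write-Host 'SPN ownership is consistent; the remaining explanation in the event text is a computer account password mismatch on the target.'
    }
}
```

The event's own text lists the three causes this script separates: a stale replication partner (the DSA GUID no longer maps to a live DC), a duplicate or misplaced SPN, and a password mismatch between the target's computer account and the KDC. Checking them in that order matters after a forced removal, because the first two are exactly what an incomplete metadata cleanup leaves behind.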