LSASS error 0xc00002e1 and DSRM password

Discussion in 'Active Directory' started by PeeGee, May 19, 2007.

  1. PeeGee

    PeeGee Guest

    Following a recent update installation, I needed to restart a Server
    2003 Standard system. To minimise disruption (I thought) I followed my
    usual practice of scheduling an "out of hours" shutdown and restart. The
    event logs show this did not happen, but no indication of the error.

    At the "end of day" on Friday, I did a manual restart which required a
    task to be forced to stop (and I didn't note which, as it seems to be a
    regular occurrence/feature of server 2003). At reboot, a message box
    appears stating that the AD is being indexed, followed by the LSASS message:

    "Security Account Manager initialization failed because of the following
    error: Directory Service cannot start. Error Status: 0xc00002e1. Please
    click OK to shutdown the system and reboot into Directory Services
    Restore Mode, check the event log for more detailed information."

    As I don't have the password for this but know it can be reset using
    ntdsutil, is it likely that booting into safe mode will allow this to be
    used? I'm assuming that I cannot use another server to change it
    remotely while the DSRM login dialogue is in view.

    Note: the other system was supposed to be on "hot standby" using file
    replication etc, but has a status of "not eligible" after the first
    attempt to set it up caused file access problems and was aborted (Why
    does it start processing straight away instead of waiting to be told when
    to start after the scheduled hours have been defined?).

    The reply address is a spam trap. All mail is reported as spam.
    "Nothing should be able to load itself onto a computer without the
    knowledge or consent of the computer user. Software should also be
    able to be removed from a computer easily."
    Peter Cullen, Microsoft Chief Privacy Strategist (Computing 18 Aug 05)
    PeeGee, May 19, 2007

  2. Ace Fekay [MVP]

    The article below references the fact there are duplicate objects causing
    the LSASS error.

    You receive a "lsass.exe-system error: Security Accounts Manager
    initialization failed" error message and event ID 1168 is logged when you
    restart a Windows Server 2003 domain controller:

    This leads me to question your "hot standby," how you set it up and how you
    intended to use it. I do not think the fix mentioned in the article will
    work because of the possibility there are truly dupes based on your "hot
    standby," of course depending on how you set it up.

    If you can elaborate on your hot standby setup, theory and implementation,
    that may shed some light on a *possible* solution.

    As for the DSRM, that is the password you provided the DCPROMO process when
    you promoted the machine to a DC. Do you remember what that was?


    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    Infinite Diversities in Infinite Combinations

    Having difficulty reading or finding responses to your post?
    Instead of the website you're using, try using OEx (Outlook Express
    or any other newsreader), and configure a news account, pointing to Anonymous access. It's free - no username or password
    required nor do you need a Newsgroup Usenet account with your ISP. It
    connects directly to the Microsoft Public Newsgroups. OEx allows you
    to easily find, track threads, cross-post, sort by date, poster's name,
    watched threads or subject. It's easy:

    How to Configure OEx for Internet News

    "Quitting smoking is easy. I've done it a thousand times." - Mark Twain
    Ace Fekay [MVP], May 21, 2007

  3. PeeGee

    PeeGee Guest

    Thanks for the reply. That KB article was one of a few I read over the
    weekend. The problem with all the ways of addressing the problem was the
    need to use DSRM without knowing or being able to change the password (I
    did eventually use an unapproved method to change the password, but then
    the restore failed).

    Regarding "hot standby", the system is a DC and was intended to hold
    replicated user files (but this had not happened). When finally set up,
    it was to go into another building to provide local file services to
    reduce the traffic on the 100Mb link and be available for disaster
    recovery, should something happen to the "master".

    As recovery of the failed system was getting increasingly unlikely, the
    decision was taken for the working system to seize the FSMO roles (as
    transfer was not possible) and some files to be restored to that system
    from backup tape while the failed system was rebuilt. Fortunately, AD
    and GPO settings were being distributed. This has been done and the
    basic facilities restored (there is one application to be re-installed,
    but this is not critical). Some minor adjustments will be done tomorrow.
    This had the additional benefit of changing the system from "NT4
    upgraded to 2003" to a native 2003 install.

    The next stage is probably to go to R2 first, then use DFSR rather than
    use FRS.

    PeeGee, May 21, 2007
  4. Ace Fekay [MVP]

    I see what you did. AD DCs do not act like NT4 machines. And there is no
    "master." All DCs are replicas. Certain DCs hold certain roles, but they ALL
    have the same data on them, which is a copy of the AD database. It is not
    possible to build a DC into a domain, let it replicate, then unplug it for
    the future in case of a disaster recovery. Keep in mind, the AD database runs
    a garbage collection process of any data that has not been touched or
    referenced, or deleted, older than 60 days. This default 60 day TTL
    (extendable in 2003 Native mode) is what allows it to keep the data 'fresh,' so
    to speak. This means if any DC is offline for more than 60 days, the DC will
    be essentially useless and unrecoverable. I've seen this occur due to DNS
    misconfigurations where the DCs could not resolve each other and eventually
    after 60 days, you literally have to decide which one to keep and which one
    to trash.

    The idea is to have at least two DCs per domain so there is a copy of the
    data on both DCs. If one were to fail, you can simply unplug it, seize the
    roles to the other one, run a Metadata Cleanup to remove the references to the
    failed DC in the AD database, then simply rebuild the old one from scratch.
    That's it.

    Changing to R2 or anything else will not change that fact. If I were you I
    would just bring up the DCs and let them run. If possible, keep the number
    of company critical applications on them to a minimum, and put them on
    member servers, so you won't have to go through this again pulling your

    I hope that explains it and helps out.

    Ace Fekay [MVP], May 23, 2007
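    The 60-day tombstone lifetime described above is easiest to respect if someone is actually watching how long each DC has gone without replicating. The script below is an added example, not code from the thread or from either poster; it assumes the RSAT ActiveDirectory PowerShell module (Windows Server 2008 R2 or later), which the Server 2003 DCs discussed here would not have, and it reads the forest's real tombstoneLifetime rather than hard-coding 60.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module;
# run as a user allowed to read replication metadata on every DC.
Import-Module ActiveDirectory

function Get-DcReplicationAge {
    [CmdletBinding()]
    param(
        # Warn once a DC's newest successful inbound replication is older than
        # this fraction of the tombstone lifetime (default: half of it).
        [double]$WarnFraction = 0.5
    )

    # tombstoneLifetime lives on the Directory Service object in the
    # configuration partition. When the attribute is unset (forests created
    # before Windows Server 2003 SP1), AD uses the 60-day default the thread
    # describes, so we fall back to 60 as well.
    $cfgNc = (Get-ADRootDSE).configurationNamingContext
    $dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc" `
                          -Properties tombstoneLifetime
    $tsl = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }
    $warnAfter = [TimeSpan]::FromDays($tsl * $WarnFraction)

    foreach ($dc in Get-ADDomainController -Filter *) {
        # Inbound replication metadata for every partition hosted on this DC.
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server `
                                                 -ErrorAction SilentlyContinue
        if (-not $meta) {
            # An unreachable DC is exactly the one that silently ages past the TSL.
            [pscustomobject]@{ DC = $dc.HostName; LastSuccess = $null; AgeDays = $null; Status = 'UNREACHABLE' }
            continue
        }
        $newest = ($meta | Sort-Object LastReplicationSuccess -Descending |
                   Select-Object -First 1).LastReplicationSuccess
        $age = (Get-Date) - $newest
        $status = if ($age.TotalDays -ge $tsl) { 'PAST-TSL' }
                  elseif ($age -gt $warnAfter) { 'WARN' }
                  else { 'OK' }
        [pscustomobject]@{
            DC          = $dc.HostName
            LastSuccess = $newest
            AgeDays     = [math]::Round($age.TotalDays, 1)
            Status      = $status
        }
    }
}

# Usage: list every DC, oldest replication first.
Get-DcReplicationAge | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```

    A DC reported as PAST-TSL should be treated the way the post above describes (seize roles elsewhere, metadata cleanup, rebuild) rather than simply reconnected.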
  5. PeeGee

    PeeGee Guest

    Again, thanks for the info.

    The basic idea is as you say (I think the "move to another building" bit
    misdirected you) with both systems remaining online, but providing
    disaster protection through physical separation. I'm not sure why, but
    the network is centralised in a room above the heating boilers :-(

    Apart from missing the KB article when looking for info, the sequence we
    used was much as you describe when getting the DC back online.

    This set up is at a school, by the way, so does not fit the normal
    arrangement, since any of the 350+ client computers can be used by any
    of the 1000+ users (students and staff). As a result of budgetary
    constraints the DCs have to be file servers as well, but do not run any
    applications (yet - to satisfy government directives, we may have to add
    a facility, such as a terminal server, for "users" to access data from
    home; this is but one option we are now starting to explore).

    What was missing during the recovery was a replicated file store, so
    that if one system fails the other can provide the full DC and the
    files remain available even if access times increase. That was the
    reason for the R2 comment, as I have gained the impression from these
    "server" groups that DFSR is more reliable than FRS.

    You are probably thinking "FRS replication is easy", but we have tended
    to treat this as a low(ish) priority and it is only through these
    newsgroups I have come to realise that replicating using DFS roots is
    not recommended (read: doesn't work properly). Over the last 12 months,
    the three of us (10 man days per week for 40 weeks per year) have moved
    the network from NT4SP6a to Server 2003, replaced 150 Win98 clients with
    XP clients and updated 100 Win98 clients to XP, as well as fielding all
    the help desk requests when the remaining Win98 clients refuse to run MS
    Office. All in all, a bit of a hectic year!

    Adding the info from your replies to our thoughts has helped and I think
    we are now getting a clear picture of the way ahead :)

    PeeGee, May 23, 2007
  6. Ace Fekay [MVP]

    Sounds like you've been through some challenging times. I commend your

    I haven't had too much trouble with DFS. The biggest advantage is it
    consolidates mapped drives, and allows users to connect to a replica nearest
    them based on Sites definitions. One place I saw they are using a single
    WINS entry for their domain NetBIOS name so when they use that or a mapped
    drive is used, it always connects to the one server and not the other. If
    they used the domain FQDN to connect, it toggles between the servers.

    Good luck with everything!

    Ace Fekay [MVP], May 26, 2007