ntds corrupted?

Discussion in 'Active Directory' started by mmac, Feb 6, 2004.

  1. mmac

    mmac Guest

    Oh man am I in trouble.
    In an effort to simply add another drive to my server in order to fix an
    exchange 55 database corruption, I installed the nearest drive under the
    impression that I would just format it and use it.
    It turned out to be a cloned drive from a couple years ago and installing it
    remapped my drive letters! I was able to correct that with a KB article and by
    booting into Directory restore mode I was able to copy the "system" hive to
    another machine, make the changes by editing the registry "DOS drive" entries
    put the hive back where it came from (renaming the original one) and got the
    letters back. whew!
    Then it seems that all the references to NTDS were to the "H" drive, so I
    went through the registry and changed all those back.
    Now I am left with what seems to be a corrupted NTDS.DIT file. I used
    NTDSUTIL and it says there are inconsistencies and can't fix it.
    I renamed the original and copied one I found in the system32 directory
    figuring I was hosed anyway and what did I have to lose. Well the error messages
    stopped but the machine sits there at the "preparing network connections"
    screen. That's better right?

    Now what can I do? I went from bad to worse! There are two other DC's and I
    think they are all GC as well. I have another cloned drive from a year ago
    around that I was thinking I could pull the NTDS.DIT file from but I think it's
    time to get someone to protect me from myself.
     
    mmac, Feb 6, 2004
    #1

  2. What does ntdsutil say? Some inconsistencies are worse than others. Does DC
    come up at all? If it does not, what is the error logged in the DS event
    log?

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/cpyright.htm
     
    Dmitri Gavrilov [MSFT], Feb 6, 2004
    #2

  3. mmac

    mmac Guest

    Entirely possible I'm going in circles but it felt more like a wall to me.
    Yes, it is running ex55 too. But that issue was before I killed ntds.dit.
    I have ex2k also on that domain but few users are on it.
    I have no exbackup. I was using the repair tools for Exchange when I just
    ran out of room and had to add another drive to contain the tempdb created.
    That's when the floor dropped out on me.

    This morning I put the original NTDS.DIT back in place and what I get now at
    boot time is what I had before I put the other one there: LSASS.exe error
    0xC00002e1 reboot and start directory services restore ...
    so I can't read the event logs unless I use directory services restore.
    I have gone through Q258062, 240362, 249321 after it remapped my drive
    letters.
    when I run ntdsutil | file | integrity, I get DBInitializeJetDatabase
    failed jet error 1030.
     
    mmac, Feb 6, 2004
    #3
  4. mmac

    mmac Guest

    when I run ntdsutil | file | integrity, I get DBInitializeJetDatabase
    failed jet error 1030. The same error happens with the repair option as
    well.

     
    mmac, Feb 6, 2004
    #4
  5. mmac

    mmac Guest

    Does that mean that there is no way to recover the ntds.dit file at all?
    Copying from a working one wouldn't be a good idea I would imagine. I
    shudder at the thought of installing Exchange 55 again, but my first concern
    is getting the machine working again. I'll deal with ex later.
     
    mmac, Feb 6, 2004
    #5
  6. mmac

    mmac Guest

    I have no idea what problems the file from one DC would do to another DC.
    That's why I ask if it's a good idea. I just don't know. I could open a
    working DC and copy the file to the non-working one. But what would happen?
    I can envision it fouling up both machines but just because that's the way my
    luck has been running...
     
    mmac, Feb 7, 2004
    #6
  7. No, copying the DIT from another DC is a bad idea. Very bad.

    Are you sure about the jet error? -1030 is JET_errAlreadyInitialized, which
    should not be the case. Can you double check?

    Most probably, you lost log files, and the db is left in an inconsistent state,
    and jet cannot restore the consistency by replaying the logs. So, unless
    you find the logs (edb*.log), you are screwed.

    If you got another DC, then the easiest way out is to force-demote the DC
    (basically, rebuild it), and then re-promote as a replica. If it held any
    FSMOs, then you'll have to seize them to another DC. You'll also have to
    clean up metadata (from ntdsutil) to get rid of the remnants of the
    decommissioned DC.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

     
    Dmitri Gavrilov [MSFT], Feb 7, 2004
    #7
  8. mmac

    mmac Guest

    The error using ntdsutil files integrity is "inconsistent". Is there another
    command I can use to give you more info?

    There is an edb.log file present.

    What you say in the last paragraph will need handholding. Can you walk me
    through it? (or pick up the phone if you are at work ;)
     
    mmac, Feb 7, 2004
    #8
  9. mmac

    mmac Guest

    DS log shows event 1168
    error -550(fffffdda) internal ID 404e0 contact ms support for assistance
     
    mmac, Feb 7, 2004
    #9
  10. Aha, that makes more sense. -550 means you got no logs. You must have copied
    ntds.dit, but did not copy the logs. Edb.log is always created.

    If you can find the logs (wherever they used to be, in the same folder with
    ntds.dit by default), then you can recover, by copying them into the ntds
    folder.

    If you need to rebuild the DC, then, sorry, I am not at work, and I am no
    support person either :)

    These KBs contain instructions on removing a dead DC:
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;216498
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;332199

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

     
    Dmitri Gavrilov [MSFT], Feb 7, 2004
    #10
  11. mmac

    mmac Guest

    Thank you for your help with this, Dmitri.
    I will begin the awful task.
    What does the MSFT stand for?
     
    mmac, Feb 7, 2004
    #11
  12. Hi Mike,

    MSFT stands for Microsoft. Dmitri is one of the Microsoft engineers that
    reply in this group.

    I got your message in the DNS group. Basically you've got recommendations
    here that I agree with. You still have the other two DCs, which is good as
    far as your AD accounts. Trash this server, as has been mentioned by the
    other guys, and force the FSMO roles over and remove its reference in AD
    using Metadata cleanup, but don't reformat the drive since your Ex55 data is
    still there.

    You can rebuild it using the same name, and join it to the domain, then
    reinstall Exchange55 with the same name, Site and Org names, providing a new
    folder location (don't use the old location), update it to the service pack
    previously on the old Ex55, then stop the services, copy the current
    MDBDATA folder and the DSXDATA folder over to a new location to save a copy
    of it, then copy the old MDBDATA and DSXDATA to the new installation's
    folder and restart the Ex55 services and usually (most cases) this will give
    you back your old Exchange 55 machine.

    You have my email and phone #, give me a shout if you're not sure how to do
    all this.

    --
    Regards,
    Ace

    Please direct all replies to the newsgroup so all can benefit.
    This posting is provided "AS IS" with no warranties.

    Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
    Microsoft Windows MVP - Active Directory
     
    Ace Fekay [MVP], Feb 7, 2004
    #12
  13. mmac

    mmac Guest

    Thanks Ace. You are Mr Dependable. I didn't have your address, it was in the
    Exchange that died, and I didn't see it in your sig when I looked although it's
    there in this one. Hmm.

    After 3 1/2 hours of actual phone time (after 2 hours waiting = 5 1/2 hours
    with a phone in my ear) we got it back as far as I can tell. It came down to
    running the ntdsutil and then eseutil in a certain sequence, and it recovered.
    The same for the Exchange database: a specific sequence of eseutil and isinteg
    switches that is not outlined specifically enough in any single KB article,
    which was found in a message (they called it an object I think, something that
    may someday become a KB article?). The PSS guy walked me through it and it did
    everything it said it would and it is now running again. I had all the pieces
    but the ordering was critical.
    I don't know how much I lost because it was 3am this morning that I left it with
    the disk just churning away (Exchange trying to catch up perhaps?). But when I
    checked my mail today I might have lost the day it crashed but that's all.

    Next I move the stuff off this thing and rebuild after a graceful demotion. But
    that will wait a few days, I gotta get some sleep.
    Thank you all for so much help!
     
    mmac, Feb 8, 2004
    #13
  14. mmac

    mmac Guest

    Ahh. that makes more sense to my feeble mind, Thanks.

     
    mmac, Feb 8, 2004
    #14
  15. mmac

    mmac Guest

    Sorry to duplicate post, I just want to be sure to thank everyone personally.
    This was a big deal to have all you guys be so helpful. Thank you.

     
    mmac, Feb 8, 2004
    #15
  16. Hi Mike

    Did you save the steps that PSS helped you with? Maybe one day in the
    future, it may come in handy. I'm curious to see them too, especially that
    estitul (or whatever it was) which I've never heard of, other than the
    actual eseutil utility itself.


    --
    Regards,
    Ace

     
    Ace Fekay [MVP], Feb 9, 2004
    #16
  17. mmac

    mmac Guest

    The utility was esentutl (as I recall) and it is the utility that ntdsutil
    actually uses to do its work. It took me a couple of typos to realize that he
    was telling me something different than eseutil, which is used for the Exchange
    db. esentutl is for the ntds.
    I just found my notes:
    perms on the \Winnt\NTDS folder. Should be:
    Administrators - Full Control
    System - Full Control

    perms on the Winnt\Sysvol\Sysvol share. Should be:
    Administrators - Full Control
    Authenticated Users - Read & Execute, List Folder Contents, Read
    Creator Owner - none
    Server Operators - Read & Execute, List Folder Contents, Read
    System - Full Control

    If perms not right then AD may not be the problem

    perms on the root of the C:\ drive or the drive where the NTDS folder is
    located. Should be:
    Everyone = full control (This surprised me a bit)
    Admin and system = full control (might have to add these, might not)

    Check Sysvol share for correct domain name.

    Run NTDSUTIL | files | Info to verify the paths for the NTDS.dit file.
    Should be: in systemroot\ntds directory and have paths to NTDS.dit, DSADATA.bak
    res2.log res1.log, and edb.log.

    If info is wrong check registry settings

    Rename edb.chk file and reboot. If it still doesn't work then:

    boot to DSR mode again.
    cmd prompt,
    use ESENTUTL to check the integrity of the database. NTDSUTIL is not as
    reliable.

    Type ESENTUTL /g systemroot\ntds\NTDS.dit /!10240 /8 /v /x /o

    If "jet_error 1206 database corrupt" then

    NTDSUTIL |files|recover

    If this fails, quit NTDSUTIL

    Type ESENTUTL /p systemroot\ntds\NTDS.dit /!10240 /8 /v /x /o

    If error Jet_error 1213 you typoed the command, try again

    Delete only the log files from NTDS dir.

    now do NTDSUTIL | files | integrity

    Should be OK now and will ask for next test.

    type quit

    type Semantic Database Analysis

    then type Go

    Should be OK

    quit ntdsutil

    Exit cmd

    If you get error type Go Fix instead of Go on next round

    Reboot (and in my case begin prayer)

    If this doesn't work, you need to auth restore from somewhere less than 60 days
    old. Mine worked and came back up. My logon scripts don't run and I saw an error
    in the log about not being able to find the sysvol share and I am looking into
    it. Everything works as far as I can tell. I can live without the logon scripts
    for now.

    Hope this helps.
     
    mmac, Feb 9, 2004
    #17
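
The \Winnt\NTDS permission check from the notes above, as an added example that is not part of mmac's notes or the PSS procedure: it audits an SDDL string, such as the one PowerShell's `(Get-Acl <path>).Sddl` returns, against the two Full Control entries the notes list. The function names and both sample strings are constructed for illustration.

```python
import re

# Expected DACL for the NTDS folder, taken from the notes in the post above:
# Administrators and System with Full Control, and no other entries.
EXPECTED = {"BA": "Administrators", "SY": "System"}
# SDDL may print a full SID instead of the two-letter alias.
SID_ALIAS = {"S-1-5-32-544": "BA", "S-1-5-18": "SY"}
FILE_ALL_ACCESS = 0x1F01FF

def parse_dacl(sddl):
    """Return the DACL's ACEs as (type, flag_list, rights, trustee) tuples."""
    m = re.search(r"D:[A-Z_]*((?:\([^()]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, trustee = fields[0], fields[1], fields[2], fields[5]
        flag_list = [flags[i:i + 2] for i in range(0, len(flags), 2)]
        aces.append((ace_type, flag_list, rights, SID_ALIAS.get(trustee, trustee)))
    return aces

def is_full_control(rights):
    """True for FA/GA or a hex mask that includes every FILE_ALL_ACCESS bit."""
    if rights.lower().startswith("0x"):
        return (int(rights, 16) & FILE_ALL_ACCESS) == FILE_ALL_ACCESS
    return rights in ("FA", "GA")

def audit_ntds_dacl(sddl):
    """List deviations from the expected ACL; an empty list means it matches."""
    findings, full = [], set()
    for ace_type, flag_list, rights, trustee in parse_dacl(sddl):
        if ace_type != "A":
            findings.append(f"non-allow ACE ({ace_type}) for {trustee}")
        elif trustee not in EXPECTED:
            findings.append(f"unexpected access for {trustee}: {rights}")
        elif is_full_control(rights) and "IO" not in flag_list:
            full.add(trustee)  # inherit-only ACEs do not apply to the folder itself
    findings += [f"{name} ({alias}) lacks Full Control"
                 for alias, name in EXPECTED.items() if alias not in full]
    return findings

# Constructed sample strings (not taken from the thread).
GOOD = "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
DRIFTED = "O:BAG:SYD:AI(A;OICI;FA;;;BA)(A;OICIID;0x1200a9;;;AU)(A;OICIIO;GA;;;S-1-5-18)"

if __name__ == "__main__":
    for label, sddl in (("good", GOOD), ("drifted", DRIFTED)):
        print(label, audit_ntds_dacl(sddl) or "matches the notes")
```

An empty result means the folder carries exactly the two entries from the notes; any extra trustee on the folder that holds NTDS.dit is worth investigating before moving on to the database checks.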
  18. Wow, thanks Mike. What a mess, and a heck of a resolve!
    Thanks for posting that!

    Cheers!


    --
    Regards,
    Ace

     
    Ace Fekay [MVP], Feb 10, 2004
    #18
  19. mmac

    mmac Guest

    Ace,
    It's the LEAST I can do.
    mike
     
    mmac, Feb 10, 2004
    #19
  20. See, that's what you've been wanting to do ... you're contributing!

    Cheers!
    ;-)


    --
    Regards,
    Ace

     
    Ace Fekay [MVP], Feb 11, 2004
    #20