ntds corrupted?

Discussion in 'Active Directory' started by mmac, Feb 6, 2004.

  1. mmac

    mmac Guest

    about darn time too!

    "Ace Fekay [MVP]"
     
    mmac, Feb 11, 2004
    #21

  2. In
    LOL!!!
    :)


    --
    Regards,
    Ace

    Please direct all replies to the newsgroup so all can benefit.
    This posting is provided "AS IS" with no warranties.

    Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
    Microsoft Windows MVP - Active Directory
     
    Ace Fekay [MVP], Feb 12, 2004
    #22

  3. mmac

    mmac Guest

    Time to be a receiver again.
    I posted a question in the DNS forum
     
    mmac, Feb 12, 2004
    #23
  4. mmac

    Guest Guest

    Can you give more details on the steps for
    "If you got another DC, then the easiest way out is to
    force-demote the DC (basically, rebuild it), and then re-
    promote as a replica. If it held any FSMOs, then you'll
    have to seize them to another DC. You'll also have to
    cleanup metadata (from ntdsutil) to get rid of the
    remnants of the decommissioned dc."

    Thanks,
     
    Guest, Feb 19, 2004
    #24
  5. mmac

    Hobbes Guest

    I am having the same problem after an unknown reboot of my
    W2K Server. Did anyone ever get a final resolution for
    repairing this or did the OS have to be reloaded
    completely?
     
    Hobbes, Feb 19, 2004
    #25
  6. mmac

    mmac Guest

    The solution is posted at the end of the thread.

     
    mmac, Feb 19, 2004
    #26
  7. mmac

    mmac Guest

    I take it back, I posted the solution in the middle of the thread. Here it is
    so you don't have to search for it:
    actually uses to do its work. It took me a couple of typos to realize that he
    was telling me something different than eseutil which is used for the Exchange
    db. esentutl is for the ntds.
    I just found my notes:

    perms on the \Winnt\NTDS folder. Should be
    Administrators - Full Control
    System - Full Control

    perms on the Winnt\Sysvol\Sysvol share. Should be:
    Administrators - Full Control
    Authenticated Users - Read & Execute, List Folder Contents, Read
    Creator Owner - none
    Server Operators - Read & Execute, List Folder Contents, Read
    System - Full Control

    If perms not right then AD may not be the problem

    perms on the root of the C:\ drive or the drive where the NTDS folder is
    located. Should be:

    Everyone = full control (This surprised me a bit)
    Admin and system = full control (might have to add these, might not)

    Check Sysvol share for correct domain name.

    Run NTDSUTIL | files | Info to verify the paths for the NTDS.dit file.

    Should be: in systemroot\ntds directory and have paths to NTDS.dit, DSADATA.bak,
    res2.log, res1.log, and edb.log.

    If info is wrong check registry settings

    Rename edb.chk file and reboot; if it doesn't work still, then:

    boot to DSR mode again.
    cmd prompt,
    use ESENTUTL to check the integrity of the database. NTDSUTIL is not as
    reliable.

    Type ESENTUTL /g systemroot\ntds\NTDS.dit /!10240 /8 /v /x /o

    If "jet_error 1206 database corrupt" then

    NTDSUTIL |files|recover

    If this fails, quit NTDSUTIL

    Type ESENTUTL /p systemroot\ntds\NTDS.dit /!10240 /8 /v /x /o

    If error Jet_error 1213, you typoed the command, try again

    Delete only the log files from NTDS dir.

    now do NTDSUTIL | files | integrity

    Should be OK now and will ask for next test.

    type quit

    type Semantic Database Analysis

    then type Go

    Should be OK

    quit ntdsutil

    Exit cmd

    If you get error type Go Fix instead of Go on next round

    Reboot (and in my case begin prayer)

    If this doesn't work, you are screwed and need to do auth restore from
    somewhere less than 60 days old. Mine worked and came back up. My logon scripts
    don't run and I saw an error in the log about not being able to find the
    sysvol share and I am looking into it. Everything works as far as I can tell.
    I can live without the logon scripts for now.
    (note added: The scripts started working again all by themselves! Go figure!)

    Hope this helps.
    -mmac
     
    mmac, Feb 19, 2004
    #27
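
The permission checks at the start of the notes above can be scripted. This is an added example, not part of the original thread: it assumes a domain controller that has PowerShell and the default `%SystemRoot%\NTDS` and `%SystemRoot%\Sysvol\Sysvol` locations, and it only reads the NTFS ACLs on those two folders.

```powershell
# Added example: audit folder ACLs against the permissions listed in the post.
# Assumed paths: %SystemRoot%\NTDS and %SystemRoot%\Sysvol\Sysvol (adjust if relocated).
$FullControl    = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$ReadAndExecute = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# Well-known SIDs, so the check does not depend on localized group names.
$Names = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-18'     = 'System'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-549' = 'Server Operators'
}
$Expected = @{
    "$env:SystemRoot\NTDS" = @{
        'S-1-5-32-544' = $FullControl
        'S-1-5-18'     = $FullControl
    }
    "$env:SystemRoot\Sysvol\Sysvol" = @{
        'S-1-5-32-544' = $FullControl
        'S-1-5-18'     = $FullControl
        'S-1-5-11'     = $ReadAndExecute
        'S-1-5-32-549' = $ReadAndExecute
    }
}

function Test-FolderAcl {
    param([string]$Path, [hashtable]$Want)
    if (-not (Test-Path -LiteralPath $Path)) { return "MISSING   $Path" }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Allow ACEs that apply to the folder itself (inherit-only entries are skipped).
    $aces = @((Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       -not ($_.PropagationFlags -band 2) })   # 2 = InheritOnly
    foreach ($sid in $Want.Keys) {
        $have = 0
        foreach ($ace in $aces) {
            if ($ace.IdentityReference.Value -eq $sid) { $have = $have -bor [int]$ace.FileSystemRights }
        }
        $ok = ($have -band $Want[$sid]) -eq $Want[$sid]
        '{0,-9} {1}: {2}' -f $(if ($ok) { 'OK' } else { 'MISMATCH' }), $Path, $Names[$sid]
    }
    # Principals the post does not list are reported for review, not treated as errors.
    $aces | Where-Object { -not $Want.ContainsKey($_.IdentityReference.Value) } |
        ForEach-Object { 'EXTRA     {0}: {1}' -f $Path, $_.IdentityReference.Value }
}

foreach ($path in $Expected.Keys) { Test-FolderAcl -Path $path -Want $Expected[$path] }
```

A `MISMATCH` line means the listed principal lacks the rights the notes expect on that folder; `EXTRA` lines show any additional principals with access so they can be reviewed by hand.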
  8. In mmac <> posted their thoughts, then I offered mine
    <snip>

    Mike...call me

    --
    Regards,
    Ace

    Please direct all replies to the newsgroup so all can benefit.
    This posting is provided "AS IS" with no warranties.

    Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
    Microsoft Windows MVP - Active Directory
     
    Ace Fekay [MVP], Feb 22, 2004
    #28