Re: DCPromo and NTDS.DIT
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Thu, 11 Jan 2007 20:11:59 -0000
Hi
Assuming that you only have 1 DC for that domain:
- You may try the following steps to recover the corrupted Active Directory,
but isn't guarantee that will work.
1. Reboot the server and press F8. Choose Directory Services Restore Mode
from the Menu.
2. Check the physical location of the Winnt\NTDS\ folder.
3. Check the permissions on the \Winnt\NTDS folder.
The default permissions are:
Administrators - Full Control
System - Full Control
4. Check the Winnt\Sysvol\Sysvol folder to make sure it is shared.
5. Check the permissions on the Winnt\Sysvol\Sysvol share.
The default permissions are:
Share Permissions:
Administrators - Full Control
Authenticated Users - Full Control
Everyone - Read
NTFS Permissions:
Administrators - Full Control
Authenticated Users - Read & Execute, List Folder Contents, Read
Creator Owner - none
Server Operators - Read & Execute, List Folder Contents, Read
System - Full Control
Note: You may not be able to change the permissions on these folders if the
Active Directory database is unavailable because it is damaged, however it
is best to know if the permissions are set correctly before you start the
recovery process, as it may not be the database that is the problem.
6. Make sure there is a folder in the Sysvol share labeled with the correct
name for their domain.
7. Open a command prompt and run NTDSUTIL to verify the paths for the
NTDS.dit file. These should match the physical structure from Step 2
To check the file paths type the following commands:
NTDSUTIL <enter>
Files <enter>
Info <enter>
The output should look similar to:
Drive Information:
C:\ NTFS (Fixed Drive) free (2.9 Gb) total (3.9 Gb)
D:\ NTFS (Fixed Drive) free (3.6 Gb) total (3.9 Gb)
DS Path Information:
Database : C:\WINNT\NTDS\ntds.dit - 10.1 Mb
Backup dir: C:\WINNT\NTDS\dsadata.bak
Working dir: C:\WINNT\NTDS
Log dir : C:\WINNT\NTDS - 30.0 Mb total
res2.log - 10.0 Mb
res1.log - 10.0 Mb
edb.log - 10.0 Mb
This information is pulled directly from the registry and mismatched paths
will cause Active Directory not to start. Type Quit to end the NTDSUTIL
session.
8. Rename the edb.chk file and try to boot to Normal mode. If that fails,
proceed with the next steps.
9. Reboot into Directory Services Restore mode again. At the command prompt,
use the ESENTUTL to check the integrity of the database.
NOTE: You can use NTDSUTIL to check the Integrity, however esentutl is
usually more reliable.
Type the following command:
ESENTUTL /g "<path>\NTDS.dit" /!10240 /8 /v /x /o <enter>
(Note: Type the path without the quotes).
Note: The default path would be C:\Winnt\NTDS\ntds.dit; however it may be
different in some cases.
The output will tell you if the database is inconsistent and may produce a
jet_error 1206 stating that the database is corrupt. If the database is
inconsistent or corrupt it will need to be recovered or repaired . To
recover the database type the following at the command prompt:
NTDSUTIL <enter>
Files<enter>
Recover <enter>
If this fails with an error, type quit until back at the command prompt and
repair the database using ESENTUTL by typing the following:
ESENTUTL /p "<path>\NTDS.dit" /!10240 /8 /v /x /o <enter>
(Note: Type the path without the quotes).
Note: If you do not put the switches at the end of the command you will
most likely get a Jet_error 1213 "Page size mismatch" error.
10. Delete the log files in the NTDS directory, but do not delete or move
the ntds.dit file.
11. The NTDSUTIL tool needs to be run again to check the Integrity of the
database and to perform a Semantic Database analysis.
To check the integrity, at the command prompt type:
NTDSUTIL <enter>
Files <enter>
Integrity <enter>
The output should tell you that the integrity check completed successfully
and prompt that you should perform a Semantic Database Analysis.
Type quit.
To perform the Semantic Database Analysis type the following at the NTDSUTIL
Prompt type:
Semantic Database Analysis <enter>
Go <enter>
The output will tell you that the Analysis completed successfully.
Type quit and closes the command prompt.
NOTE: If you get errors running the Analysis then type the following at the
semantic checker prompt:
semantic checker: go fix <enter>
This puts the checker in Fixup mode, which should fix whatever errors there
were.
12. Reboot the server to Normal Mode.
If any of these steps fail to recover the database the only alternative is
to perform an Authoritative System State restore from backup in Directory
Services Restore mode.
For more information, please refer to the following articles:
315136 HOW TO: Complete a Semantic Database Analysis for the Active
Directory
http://support.microsoft.com/?id=315136
265706 DCDiag and NetDiag in Windows 2000 Facilitate Domain Join and DC
Creation
http://support.microsoft.com/?id=265706
258007 Error Message: Lsass.exe - System Error : Security Accounts Manager
http://support.microsoft.com/?id=258007
265089 Event 1168: Windows 2000 DCs Unable to Boot into Active Directory
http://support.microsoft.com/?id=265089
315131 HOW TO: Use Ntdsutil to Manage Active Directory Files from the
Command
http://support.microsoft.com/?id=315131
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE
<cbielich@xxxxxxxxx> wrote in message news:1168493145.791778.325740@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Basically ntds.dit got corupted and I dont have a good backup. Yes I
know thats important and let me tell you this is happening for sure
now.
I have read all the articles and tried defragging, repair, restore and
nothing fixes it. According to all the articles at this point I have to
dcpromo my box so that I when I add it again it recreates it and "Wala"
Im done. This server is a subdomain and the only AC for this domain. I
have dcpromoed many times and am very familiar with it I just have
never done this to a child domain and while I thinks its the exact as
doing it to the root domain I am making sure.
I add another box to that child domain, then I dcpromo the corrupt one.
Then add that box back to the domain and then dcpromo the first box and
im done. Right?
C
.
- References:
- DCPromo and NTDS.DIT
- From: cbielich
- DCPromo and NTDS.DIT
- Prev by Date: Re: Active Directory access within two forest.
- Next by Date: Re: DHCP Scope Activation / Deactivation
- Previous by thread: Re: DCPromo and NTDS.DIT
- Next by thread: Re: DCPromo and NTDS.DIT
- Index(es):
Relevant Pages
|
Loading
