Corrupt users on one server only


Nick B

Hi,

We have 2 DCs, and on one of them everything is fine. On the second server, a
couple of user objects are corrupted (only some of the properties pages will
open and some pages are missing). Replication is working correctly, because
I can create a new user and it gets replicated. I can also change the
password of the users in question, and they get changed on the 'faulty'
server too.

Is there any way I can force a replication of the complete object between
the two servers? I have tried using AD Sites and Services and going to
'Replicate Now', but this doesn't help.

Thanks

Nick
 
If one of your domain controllers has corrupted data, your best bet is to
demote the corrupted DC and then promote it again (back up the DC's system
state first just in case). This will ensure you receive new data for
everything - in case the corruption is more than just a few user objects.

If this solution is not feasible, let me know and I will post a trick to
force replication of the objects. However, you will need to perform
integrity and semantic checks and may end up needing to re-promote the DC
anyway. If it was my DC I would just reload Active Directory to ensure data
integrity.

The real question is how did the data get corrupted. Is write behind caching
disabled on the disk drives that hold the Active Directory log and database
files? Or if it is enabled, are you using a RAID controller with an onboard
battery backup?

------------------------------------------------------------------
Mike Aubert
MCSE, MCSD, MCDBA
(e-mail address removed)

Note the "news2" in my email address is temporary and may be changed in the
future; remove it to email me at my permanent address.
This posting is provided "AS IS" with no warranties, and confers no rights.
 
I don't really want to demote and promote, because this machine runs
Exchange Server, and also holds the FSMO roles (only a small network), so if
you could post the trick, that would be great.

As for how it got corrupted - a hard drive in the RAID set failed, and the
server started beeping. The concerned customer decided to power it off
before the hot spare had rebuilt!

thanks

Nick
 
Hi Nick,

Even if the server holds the FSMO roles and is running Exchange Server 2000
that does not prevent you from demoting and promoting the server again
(although it will cause a temporary service outage - you have to reboot the
server a few times). Although you will need to manually transfer the roles
and ensure a global catalog server is available, you can get the
configuration back to the way it was.

Having said that, the trick to getting the object to replicate is to restart
the *working* domain controller in Directory Services Restore Mode and then
use the Restore Subtree command of Ntdsutil to mark the object as
authoritative. This will increase the object's USN (and all the object's
attributes except objectClass) by 100,000 for each day between the last
write operation to the directory and the time the command is run (although
it does not take that much time to reboot so the actual increase will more
likely be a few hundred). After you restart the working domain controller
replication will occur and the corrupted DC should write the properties to
its directory database.

However, doing the above is not guaranteed to fix anything and is not a
supported method of fixing a corrupted database. You should still perform an
integrity and semantic check on the corrupted domain controller by using
Ntdsutil - even if replicating the objects appears to solve the problem.

By the way, I'm assuming you don't have a current backup (less than 60 days
by default) of the corrupted server's directory. If you do have one you
could simply restore the corrupted domain controller (non-authoritatively).
Active Directory replication would then update the domain controller with
all the latest changes from the working domain controller.

Mike
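The authoritative-restore trick above works by raising the per-attribute version numbers on the good DC so that its copy wins on the next replication cycle. Before relying on it, it helps to see exactly which attributes of the affected user differ between the two DCs, and afterwards to confirm that they now agree. The following PowerShell is an added example and is not code from the thread or from either poster; it assumes the RSAT ActiveDirectory module (the Get-ADReplicationAttributeMetadata cmdlet from Windows Server 2012 and later, so it does not apply to the Windows 2000 era of the thread), and the DC names and user DN in the usage line are placeholders.

```powershell
# Added example (not from the thread): compare one object's per-attribute replication
# metadata on a known-good DC against the suspect DC. Run it before the authoritative
# restore to see the divergence and again after the reboot to confirm convergence.
# Assumptions: RSAT ActiveDirectory module is installed; DC01, DC02 and the user DN
# below are placeholders, not values from the thread.
Import-Module ActiveDirectory

function Compare-ObjectReplicationMetadata {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ObjectDN,   # DN of the user object in question
        [Parameter(Mandatory)] [string] $GoodDC,     # DC whose copy is believed correct
        [Parameter(Mandatory)] [string] $SuspectDC   # DC where property pages fail to open
    )

    # Per-attribute metadata: Version, LastOriginatingChangeUsn, LastOriginatingChangeTime.
    # Version is the counter that an authoritative restore raises (100,000 per day).
    $good    = Get-ADReplicationAttributeMetadata -Object $ObjectDN -Server $GoodDC    -Properties *
    $suspect = Get-ADReplicationAttributeMetadata -Object $ObjectDN -Server $SuspectDC -Properties *

    # Index the suspect DC's metadata by attribute name for direct lookup
    $suspectByName = @{}
    foreach ($m in $suspect) { $suspectByName[$m.AttributeName] = $m }

    foreach ($g in $good) {
        $s = $suspectByName[$g.AttributeName]
        if ($null -eq $s) {
            # The good DC carries an attribute the suspect DC has no metadata for
            $state = 'MissingOnSuspect'
        } elseif ($g.Version -ne $s.Version -or
                  $g.LastOriginatingChangeUsn -ne $s.LastOriginatingChangeUsn) {
            # Both DCs hold the attribute but disagree on which write is current
            $state = 'Divergent'
        } else {
            continue   # metadata agrees on both DCs; nothing to report
        }
        $suspectVersion = if ($s) { $s.Version } else { $null }
        $suspectChanged = if ($s) { $s.LastOriginatingChangeTime } else { $null }
        [pscustomobject]@{
            Attribute      = $g.AttributeName
            State          = $state
            GoodVersion    = $g.Version
            SuspectVersion = $suspectVersion
            GoodChanged    = $g.LastOriginatingChangeTime
            SuspectChanged = $suspectChanged
        }
    }
}

# Usage (placeholder names): list only the attributes whose metadata differs
Compare-ObjectReplicationMetadata -ObjectDN 'CN=Jane Doe,OU=Users,DC=example,DC=local' `
    -GoodDC 'DC01' -SuspectDC 'DC02' | Format-Table -AutoSize
```

An empty result means the two DCs agree on every attribute's originating write, which is what you expect once replication has completed after the restart. If the output is still non-empty after the good DC has been restarted and replication has run, the suspect DC is not applying the replicated values, and that is the case where the integrity and semantic checks (and, if they fail, the demote/promote or non-authoritative restore) are the right next step rather than repeating the trick.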
 