Power loss - AD failure

  • Thread starter Thread starter David Hall
  • Start date Start date
D

David Hall

Hello newsgroup

We have a small office network with one Windows 2000 Server PC, and several
other computers running various versions of Windows. The Windows 2000 server
machine is a domain controller, but at present only one of the other PC's is
a member of that domain.
Yesterday we had a electricity failure, and when power was restored and the
Win2000 server machine restarted, the following error message was displayed:

"Security Accounts Manager initialization failed because of the following
error:

Directory Service cannot start
Error Status: 0xc00002e1"

I've searched the Microsoft knowledgebase, and found some relevant articles:

http://support.microsoft.com/default.aspx?scid=kb;en-us;240655&Product=win20
00
http://support.microsoft.com/default.aspx?scid=kb;en-us;258007&Product=win20
00
http://support.microsoft.com/default.aspx?scid=kb;en-us;258062&Product=win20
00

....however we have no backup to restore from, and the NTDS file permissions
are correct. I note that the

WINNT\NTDS\ntds.dit

file exists. I'm wondering what our options are at this point - I've read
quite a few newsgroup posts covering somewhat similar scenarios, amongst
which was using ntdsutil->authoritative restore but presumably the ntds.dit
file is corrupt and that won't achive anything? If I run DCPromo, and
rebuild (?) the AD, is there anything I can do to preserve our small number
of existing accounts?

Many thanks in advance
 
I would suggest that you run a database repair or database analysis before
you try to rebuild. The article below will tell you how to perform these
tasks.

315131 HOW TO: Use Ntdsutil to Manage Active Directory Files from the
Command
http://support.microsoft.com/?id=315131


--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
When this happened to me the SYSTEM account did not have full permission on
the partition with pagefile + winnt folder (and its subfolders). Check that
and maybe use System Configuration and Analysis tool to reset file system
permissions.

--
Regards

Matjaz Ladava, MCSE, MCSA, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
 
Thank you very much to both of you - unfortunately we don't have any
dedicated IT support anymore, I've sort of inherited that role, so I might
have some other stupid follow-up questions in due course!

Best regards
 
Sure David. If you need any help just ask.

--
Regards

Matjaz Ladava, MCSE, MCSA, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
 
Matjaz - thank you for your kind offer

I came across the 'Drive Failure' message posted to this newsgroup
yesterday, in which the thread author described a situation with
similarities to my own. One of the links suggested to him
(http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtech
nol/ad/windows2000/support/adrecov.asp) made for interesting reading.

I followed the 'Disaster Recovery Options' flowchat that it includes, and
had a look through my Directory Service Event Log, making a note of the
Event ID. Supplying the ID to the Microsoft Knowledgebase yielded this
article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;295932&Product=win20
00

The symptoms are consistent with what appears in the Event Log, but I don't
understand why this should be the case. The article says:

"This article discusses the following issues:

A condition in which Windows 2000-based domain controllers are unable to
boot into Active Directory mode after you restore system state backups that
were created prior to the installation of Windows 2000 Service Pack 2 (SP2).

Events and error messages that may be logged during various phases of the
restore and boot process following the system state restore if the database
header contains incorrect data in builds of Esentutl prior to SP2."

....But as I say, we haven't made any backups, and no attempt has been made
to "restore system state". However the logged error messages mirror exactly
those described in the article - curious
 
Those articles are fine, except, that you
a.) Didn't restore system state
b.) Your disk is fine
so that said we must look for some other ways to resolve this problem. As I
already written in one of my answers, you have to check file permissions on
your system drive (root) and if SYSTEM account has permission to WINNT (or
WINDOWS) folder. Another thing to check would be, that in Services, you have
Kerberos Key Distribution Center service setup to start automatically.
You could also use System Configuration and Analysis mmc to reset file
permissions on your system drive. To do this open up an instance of mmc.exe
and add System Configuration and Analysis snapin. Next, rightclick on snapin
and use open database to create a new database. When you are prompted to
select inf file, select DC security file. Rightclick again in the console
and select Analyze Now. Check the results and apply the security settings by
selecting Configure Now.

--
Regards

Matjaz Ladava, MCSE, MCSA, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
 
Many thanks again for your prompt and very detailed response; I'll take away
everything that you've written and spend some time going over all of these
things in the next couple of days.

Best regards
 
Back
Top