Problems with NTDS.DIT and lsass.exe errors


Brent

Hello all,

I've got an Exchange 2000 server running--or used to--as one of 2 domain
controllers. All of a sudden, our Outlook services stopped and when I
went to the machine an lsass.exe error had occurred as it was booting up
(apparently it had rebooted). Directory services could not start thus I
went into Directory Services Restore Mode, saw that numerous services had
failed (pop3, imap4..).
It appears that NTDS.DIT cannot be found. Using NTDSUTIL I cannot
recover it, compact it, or repair it, because it cannot be found in the
first place. A process, DBInitializeJetDatabase failed because it could
not find the file. However I look into the folder where it should be
(winnt\ntds) and it is there. The registry parameter also points there.
Short of rebuilding the entire server, is there some way I can
recreate the NTDS.DIT file? I can't even demote the server then repromote
it and allow AD to replicate from the other DC because I can't log into
it normally. Supposedly it's a bad idea to copy the ntds.dit from the
other DC and transfer it over.
Thanks for any advice and clues!!

Brent
 
Thanks Colin, I've read a number of KB's that describe similar
procedures, but I've checked the permissions on the folders leading to
the dbase and they seem okay. One strange thing is that the dsadata.bak
file is missing! It's not in the NTDS folder at all. There are log files
and the edb.chk file but no .bak file.
If only there was a way I could put in a .DIT file just to
make it happy and let me log in so I can demote it then promote it then
let it replicate along with the first AD domain controller. I dunno I'll
try anything...
 
Brent:

Did you try this?

http://www.jsiinc.com/SUBI/tip4200/rh4205.htm
4205 » Ntdsutil won't repair the Active Directory database?

When you try to repair the Active Directory database
(%SystemRoot%\Ntds\Ntds.dit) using the Ntdsutil tool, you receive errors
similar to:

Operation failed because the database was inconsistent.
Initialize jet database failed; cannot access file.
Error while performing soft recovery.

If this happens, use the Esentutl tool:

1. Boot to Active Directory Restore mode.
2. Open a CMD prompt and perform an integrity check by typing:

esentutl /g "<path>\ntds.dit" /!10240 /8 /v /x /o

3. Repair the database by typing:

esentutl /p "<path>\ntds.dit" /!10240 /8 /v /x /o

4. Delete the database log files from the Ntds folder.

5. Restart your Server.
 
I would absolutely, positively not follow this procedure if you have another
working DC in the domain.
Further, it was stated earlier (if my read is correct) that the dit is not
able to be located. That tells me that we don't have anything to run
esentutl against.

To see if I'm clear, you do have another dc in the domain correct? And your
goal is to demote and promote this box up again?

~Eric
 
Though I've never had to run this utility, I remembered reading about it on
Microsoft KB. Here is MS' version:
http://support.microsoft.com/default.aspx?scid=kb;en-us;816120&Product=winsvr2003#11

It didn't mention not to perform this procedure if you had an additional DC
that was operational. Just if the NTDSUTIL was unsuccessful.

Eric Fleischman [MSFT] <[email protected]> 2/11/2004 10:18:17 AM >>>
I would absolutely, positively not follow this procedure if you have another
working DC in the domain.
Further, it was stated earlier (if my read is correct) that the dit is not
able to be located. That tells me that we don't have anything to run
esentutl against.

To see if I'm clear, you do have another dc in the domain correct? And your
goal is to demote and promote this box up again?

~Eric
 
Hi Brent,

If I am correct, you have checked the following article that mentioned that
this issue can occur if the path to the NTDS folder that holds the Active
Directory database files and log files does not exist or the NTFS
permissions on this folder and database files are too restrictive, and
Active Directory cannot start.

258007 Error Message: Lsass.exe - System Error : Security Accounts Manager
http://support.microsoft.com/?id=258007

If so, please refer to the following article to troubleshoot the LSASS.exe
errors on DC.

300425 HOWTO: How to troubleshoot LSASS.EXE errors on Domain Controller Boot
http://support.microsoft.com/?id=300425

Also, I would like to provide the following articles for more information.
Please check if you have found them.

329642 Error Messages When You Open Active Directory Snap-ins and Exchange
http://support.microsoft.com/?id=329642

258062 "Directory Services Cannot Start" Error Message When You Start
Computer
http://support.microsoft.com/?id=258062

259278 Directory Service Does Not Start If Disk Is Full
http://support.microsoft.com/?id=259278

240362 Directory Services Does Not Start If Ntds.dit File Is Missing
http://support.microsoft.com/?id=240362

Hope this helps!

Sincerely,
Jack Wang, MCSE 2000, MCSA, MCDBA, MCSD
Microsoft Partner Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Newsgroups: microsoft.public.win2000.active_directory
| Subject: Re: Problems with NTDS.DIT and lsass.exe errors
| From: brent <[email protected]>
| Date: Wed, 11 Feb 2004 05:11:55 GMT
| Thanks Colin, I've read a number of KB's that describe similar
| procedures, but I've checked the permissions on the folders leading to
| the dbase and they seem okay. One strange thing is that the dsadata.bak
| file is missing! It's not in the NTDS folder at all. There are log files
| and the edb.chk file but no .bak file.
| If only there was a way I could put in a .DIT file just to
| make it happy and let me log in so I can demote it then promote it then
| let it replicate along with the first AD domain controller. I dunno I'll
| try anything...
|
| > This kb article seems to describe your problem... maybe you've already
| > seen it because it looks like you've tried most of the steps.
| >
| > http://support.microsoft.com/default.aspx?scid=kb;[LN];265089
| >
| > Could the permissions on the NTDS.DIT file have been changed somehow?
 
It's a matter of understanding what the tool does I'm afraid. Because of the
type of action that it performs I do not recommend it, although strictly
speaking sure you can. It just isn't a hot idea.

--
Eric Fleischman [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


MJC said:
Though I've never had to run this utility, I remembered reading about it on
Microsoft KB. Here is MS' version:
http://support.microsoft.com/default.aspx?scid=kb;en-us;816120&Product=winsvr2003#11

It didn't mention not to perform this procedure if you had an additional DC
that was operational. Just if the NTDSUTIL was unsuccessful.

 
Just so you all know, I was experiencing the same exact problem (was not able to perform any ntdsutil operations on the database, but it was there and the permissions were correct). I ran the esentutl as described below and it worked perfectly. Thank you for posting!

Adam Jester
Microsoft Windows Server Specialist
Alcas Corporation

----- (e-mail address removed) wrote: -----

Brent:

Did you try this?

http://www.jsiinc.com/SUBI/tip4200/rh4205.htm
4205 » Ntdsutil won't repair the Active Directory database?

When you try to repair the Active Directory database
(%SystemRoot%\Ntds\Ntds.dit) using the Ntdsutil tool, you receive errors
similar to:

Operation failed because the database was inconsistent.
Initialize jet database failed; cannot access file.
Error while performing soft recovery.

If this happens, use the Esentutl tool:

1. Boot to Active Directory Restore mode.
2. Open a CMD prompt and perform an integrity check by typing:

esentutl /g "<path>\ntds.dit" /!10240 /8 /v /x /o

3. Repair the database by typing:

esentutl /p "<path>\ntds.dit" /!10240 /8 /v /x /o

4. Delete the database log files from the Ntds folder.

5. Restart your Server.
 
Realize that while esentutl may appear to have worked, the /p switch removes,
not repairs, damage found in the NTDS.DIT file. So while all appears to be
good, if you have a second DC it is recommended that you DCPROMO down and back
the DC that you ran esentutl /p on.

doug

Adam Jester said:
Just so you all know, I was experiencing the same exact problem (was not
able to perform any ntdsutil operations on the database, but it was there
and the permissions were correct). I ran the esentutl as described below and
it worked perfectly. Thank you for posting!
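
A pre-repair check for the situation discussed in this thread, as an added example that is not part of any poster's message. It assumes PowerShell is available in Directory Services Restore Mode (it is not on a stock Windows 2000 server), and `$BackupRoot` is a hypothetical destination; the registry value names are the standard ones under NTDS\Parameters.

```powershell
# Added example: read-only pre-repair checks, run from Directory Services Restore Mode.
param([string]$BackupRoot = 'D:\ntds-pre-repair')    # hypothetical backup destination

# Registry values that tell Active Directory where its files live.
$p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile = $p.'DSA Database file'          # ...\ntds.dit
$logDir = $p.'Database log files path'    # edb*.log, edb.chk
$bakDir = $p.'Database backup path'       # normally ...\dsadata.bak

# 1. Does every configured path exist? (the "file cannot be found" case)
foreach ($path in $dbFile, $logDir, $bakDir) {
    if (-not $path) { 'A path value is missing from NTDS\Parameters'; continue }
    '{0,-40} exists: {1}' -f $path, (Test-Path -LiteralPath $path)
}
if (-not ($dbFile -and (Test-Path -LiteralPath $dbFile))) {
    throw 'ntds.dit not found at the configured path; nothing to check or repair.'
}

# 2. Which rights do SYSTEM and Administrators hold on the NTDS folder and the file?
foreach ($item in (Split-Path $dbFile -Parent), $dbFile) {
    (Get-Acl -Path $item).Access |
        Where-Object { $_.IdentityReference -match 'SYSTEM|Administrators' } |
        Select-Object @{n='Item';e={$item}}, IdentityReference, FileSystemRights, AccessControlType
}

# 3. Copy the database and its logs aside before anything that modifies them.
$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dest -Force | Out-Null
Copy-Item -LiteralPath $dbFile -Destination $dest
Get-ChildItem -Path (Join-Path $logDir 'edb*') | Copy-Item -Destination $dest

# 4. Read-only checks: header state, then the integrity check quoted in the thread.
& esentutl.exe /mh $dbFile | Select-String 'State:'
& esentutl.exe /g $dbFile '/!10240' /8 /v /x /o
if ($LASTEXITCODE -ne 0) {
    "Integrity check failed (exit code $LASTEXITCODE). Copies are in $dest."
}

# esentutl /p is deliberately not run here: as doug's post notes, it removes
# damage rather than repairing it, so with a second working DC the advice in
# the thread is to demote and re-promote this DC after getting it to boot.
```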
 
Solution

OK,
it is now the end of 2008 and I had this exact problem with one of my very, very old test machines. I had tried the ntdsutil with no resolve.
But this -
3. Repair the database by typing:

esentutl /p "<path>\ntds.dit" /!10240 /8 /v /x /o

did work!!!
Got back in, was able to back up and retrieve my data and finally kill the machine.

THANK YOU!!!

 
Just thought I'd register and post that the esentutl repair did successfully repair mine, enabling me to log in and run dcpromo to remove it (and as I post this it is rebooting for me to run it again to promote it up).

My server was not the only DC in the domain, so I was confident that it can be removed and re-applied to synchronize AD from the other DCs.

My problem was exactly like the original poster's and the guy's above me...the file was there, had the correct permissions, and was even the same file size as that file on other working domain controllers, but integrity checks say it is corrupted.

Initial problem caused by losing a HDD out of the RAID and during the repair process restarted the computer, prompting Windows to filecheck it next time it booted, which I'm sure erased whatever important information I needed. Windows Disk Checker is BAD!!


Thanks guys!!
 