NTDS ISAM DataBase Corruption
Alfred
Category : DataBase Corruption
Event ID : 447
Description : NTDS (872) NTDSA: A bad page link (error-327) has been
detected in a B-Tree (ObjectID: 29 PgnoRoot: 47) of Database
C:\windows\ntds\ntds.dit (761 => 762,293)
This message from event log that I try to reset an user password - internal
error.
larry2...@126.com
Stop wasting your time on mouse movements
Open favorite web pages with a single hotkey press
Record keystrokes and play them back with a single hotkey press
------------------------------
http://www30.webSamba.com/SmartStudio
------------------------------
EnergyKey Save yourself from repetitive tasks
Jorge Silva
Some possible solutions:
*Solution1:
Perform restore operation to resolve the issue with your lastest Systate
BACKUPS.
*Solution 2:
In case this is not the only DC in the domain, you can simply rebuild it.
At the same time, you will need to perform the steps below before
re-promoting the server:
1. Seize FSMO roles to the existing DC in the domain. For the detailed
steps, you can refer to the following Microsoft Knowledge Base article:
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/?id=255504
2. Remove remnant entries of the corrupted DC from AD database.
How to remove data in Active Directory after an unsuccessful domain
controller demotion
http://support.microsoft.com/?id=216498
3. Then, you can re-promote the server
*Solution 3:
If this is the only DC, you can use ntdsutil.exe to repair AD database
ntds.dit. However it might not completely resolve the issue. In some
situation, certain configurations will be lost.
"Directory Services cannot start" error message when you start your
Windows-based or SBS-based domain controller
http://support.microsoft.com/?id=258062
How to complete a semantic database analysis for the Active Directory
database by using Ntdsutil.exe
http://support.microsoft.com/default.aspx?scid=kb;en-us;315136
Additional Information
Exchange Server 2003 Disaster Recovery Operations Guide
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/disrecopgde.mspx
Disaster Recovery Tips and Tricks
http://www.petri.co.il/disaster_recovery.htm
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Alfred" <Alf...@discussions.microsoft.com> wrote in message
news:F6D77881-7CE8-4732...@microsoft.com...
Alfred
I don't have any error messages when I restart the server.
Solution 1 : I don't have a systate backup. However, I did a full backup
using symantec livestate recovery. Can I restore the files from
c:\windows\ntds\*.* ? I have no success to use esentult /r and restart the
server using a backup ntds.dit.
Solution 2 : Only DC in domain.
Solution 3 : I can ndtsutil -> files -> recovery : no problem - 0x00 exit
code.
However, I get an error message database corruption using "esentutl /r
ntds.dit".
Question: Can I delete it and re-install or rebuilt a new DC (same name) and
add back all the users and computers?
Thanks,
Alfred
Jorge Silva
- How DCs do you have in that domain?
If you have more than one DC in that domain you can simple demote the dc
that is having problems and rebuild it again.
> Solution 1 : I don't have a systate backup. However, I did a full backup
> using symantec livestate recovery. Can I restore the files from
> c:\windows\ntds\*.* ? I have no success to use esentult /r and restart the
> server using a backup ntds.dit.
- Sorry I don't know if symantec livestate recovery is compatible with
Windows. You need a systate backup.
> However, I get an error message database corruption using "esentutl /r
> ntds.dit".
- You may try the following steps to recover the corrupted Active Directory,
but I cannot guarantee the outcome.
1. Reboot the server and press F8. Choose Directory Services Restore Mode
from the Menu.
2. Check the physical location of the Winnt\NTDS\ folder.
3. Check the permissions on the \Winnt\NTDS folder.
The default permissions are:
Administrators - Full Control
System - Full Control
4. Check the Winnt\Sysvol\Sysvol folder to make sure it is shared.
5. Check the permissions on the Winnt\Sysvol\Sysvol share.
The default permissions are:
Share Permissions:
Administrators - Full Control
Authenticated Users - Full Control
Everyone - Read
NTFS Permissions:
Administrators - Full Control
Authenticated Users - Read & Execute, List Folder Contents, Read
Creator Owner - none
Server Operators - Read & Execute, List Folder Contents, Read
System - Full Control
Note: You may not be able to change the permissions on these folders if the
Active Directory database is unavailable because it is damaged, however it
is best to know if the permissions are set correctly before you start the
recovery process, as it may not be the database that is the problem.
6. Make sure there is a folder in the Sysvol share labeled with the correct
name for their domain.
7. Open a command prompt and run NTDSUTIL to verify the paths for the
NTDS.dit file. These should match the physical structure from Step 2
To check the file paths type the following commands:
NTDSUTIL <enter>
Files <enter>
Info <enter>
The output should look similar to:
Drive Information:
C:\ NTFS (Fixed Drive) free (2.9 Gb) total (3.9 Gb)
D:\ NTFS (Fixed Drive) free (3.6 Gb) total (3.9 Gb)
DS Path Information:
Database : C:\WINNT\NTDS\ntds.dit - 10.1 Mb
Backup dir: C:\WINNT\NTDS\dsadata.bak
Working dir: C:\WINNT\NTDS
Log dir : C:\WINNT\NTDS - 30.0 Mb total
res2.log - 10.0 Mb
res1.log - 10.0 Mb
edb.log - 10.0 Mb
This information is pulled directly from the registry and mismatched paths
will cause Active Directory not to start. Type Quit to end the NTDSUTIL
session.
8. Rename the edb.chk file and try to boot to Normal mode. If that fails,
proceed with the next steps.
9. Reboot into Directory Services Restore mode again. At the command prompt,
use the ESENTUTL to check the integrity of the database.
NOTE: You can use NTDSUTIL to check the Integrity, however esentutl is
usually more reliable.
Type the following command:
ESENTUTL /g "<path>\NTDS.dit" /!10240 /8 /v /x /o <enter>
(Note: Type the path without the quotes).
Note: The default path would be C:\Winnt\NTDS\ntds.dit; however it may be
different in some cases.
The output will tell you if the database is inconsistent and may produce a
jet_error 1206 stating that the database is corrupt. If the database is
inconsistent or corrupt it will need to be recovered or repaired . To
recover the database type the following at the command prompt:
NTDSUTIL <enter>
Files<enter>
Recover <enter>
If this fails with an error, type quit until back at the command prompt and
repair the database using ESENTUTL by typing the following:
ESENTUTL /p "<path>\NTDS.dit" /!10240 /8 /v /x /o <enter>
(Note: Type the path without the quotes).
Note: If you do not put the switches at the end of the command you will
most likely get a Jet_error 1213 "Page size mismatch" error.
10. Delete the log files in the NTDS directory, but do not delete or move
the ntds.dit file.
11. The NTDSUTIL tool needs to be run again to check the Integrity of the
database and to perform a Semantic Database analysis.
To check the integrity, at the command prompt type:
NTDSUTIL <enter>
Files <enter>
Integrity <enter>
The output should tell you that the integrity check completed successfully
and prompt that you should perform a Semantic Database Analysis.
Type quit.
To perform the Semantic Database Analysis type the following at the NTDSUTIL
Prompt type:
Semantic Database Analysis <enter>
Go <enter>
The output will tell you that the Analysis completed successfully.
Type quit and closes the command prompt.
NOTE: If you get errors running the Analysis then type the following at the
semantic checker prompt:
semantic checker: go fix <enter>
This puts the checker in Fixup mode, which should fix whatever errors there
were.
12. Reboot the server to Normal Mode.
If any of these steps fail to recover the database the only alternative is
to perform an Authoritative System State restore from backup in Directory
Services Restore mode.
For more information, please refer to the following articles:
315136 HOW TO: Complete a Semantic Database Analysis for the Active
Directory
http://support.microsoft.com/?id=315136
265706 DCDiag and NetDiag in Windows 2000 Facilitate Domain Join and DC
Creation
http://support.microsoft.com/?id=265706
258007 Error Message: Lsass.exe - System Error : Security Accounts Manager
http://support.microsoft.com/?id=258007
265089 Event 1168: Windows 2000 DCs Unable to Boot into Active Directory
http://support.microsoft.com/?id=265089
315131 HOW TO: Use Ntdsutil to Manage Active Directory Files from the
Command
http://support.microsoft.com/?id=315131
I hope the above information helps.
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Alfred" <Alf...@discussions.microsoft.com> wrote in message
news:0CE4E464-596A-4A4B...@microsoft.com...
Alfred
Only One DC in the domain.
Can I add or create a new DC into the domain and demote the old DC and delete?
This is brand new IBM Server. It came with the pre-installed Windows 2003
Server. I only have about 15 users and 3 computers. I don't want to
re-install the OS.
Jorge Silva
Did you tried the recover the corrupted Active Directory process that a gave
you?
> Can I add or create a new DC into the domain and demote the old DC and
> delete?
- with a corrupted AD database.... I don't think so
> This is brand new IBM Server. It came with the pre-installed Windows 2003
> Server. I only have about 15 users and 3 computers. I don't want to
> re-install the OS.
- with so few users, why not recreate from scrach?
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Alfred" <Alf...@discussions.microsoft.com> wrote in message
news:F7E3949C-BAC2-4171...@microsoft.com...
Alfred
Yes, I did, even before I posted this in discussion group.
Error on - ESENTUTL /g
> - with so few users, why not recreate from scrach?
What do you mean from the scrach? AD? Can you show me "HOW TO DO IT" ?
I can't do anything on an user - insert, delete and change. "Internal error".
Jorge Silva
> Yes, I did, even before I posted this in discussion group.
> Error on - ESENTUTL /g
- did you tried the following step - attempt to repair it by running with
esentutl /p
> What do you mean from the scrach? AD? Can you show me "HOW TO DO IT" ?
> I can't do anything on an user - insert, delete and change. "Internal
> error".
I mean removing Active directory and readding it again (note: you'll loose
all users an computers, etc.. all AD configuration)
dcpromo /forceremoval
check:
Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server
http://support.microsoft.com/kb/332199
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Alfred" <Alf...@discussions.microsoft.com> wrote in message
news:9E23ADA1-58EF-42AD...@microsoft.com...
Alfred
Thanks for your help. I don't know why, but it fixed now after using
esentutl /p.
Alfred
Jorge Silva
> Thanks for your help. I don't know why, but it fixed now after using
> esentutl /p.
This step was described on the soution that I gave you, I said if esentutl
/g fails then you should try to use esentutl /p, then proceed all the next
steps that I gave you in the solution.
I'm glad I could help.
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Alfred" <Alf...@discussions.microsoft.com> wrote in message
news:C3005641-0773-49AD...@microsoft.com...