30th August 2013, 05:31 PM #1
Odd problem with AD ntds.dit
I've an odd problem with one of our primaries' 2008 servers. It's the single DC for their domain, and seems to be working mostly OK (people can log in etc.), but when you open the DNS console both forward and reverse zones cannot be accessed (they are AD zones). Also, when opening the ADUC console you can browse nearly all of the OUs, with the exception of Users, which generates an error (system error).
So I assumed this was a problem with the AD database, as the DNS and Users OU are part of AD. Rebooting the server into restore mode and running the esentutl tool to repair the ntds.dit database results in an error at about 50% of the defragmentation stage, saying there is an Illegal Duplicate (error -1605).
So after many repair attempts (and also trying ntdsutil as well) I decided to revert to one of the System State backups created using Windows Server Backup. We have backups for the last 25 days, and every one results in the same corrupted ntds.dit database! So it looks like this problem has been happening since the start of the holidays; unfortunately we only have the 25 backups, taking us back to early August, as the school itself was closed until today!
So I'm a bit stuck now. The server is sort of working, but DNS clearly isn't and AD seems to be partially corrupt. Oddly, Ranger is working fine, as is DHCP, so the staff are logging on OK, but I'd like to fix this without an OS re-installation if possible, although it's looking likely that's the only option!
Is there any other way to repair the AD ntds.dit database, or even a third party tool to do this as the MS one drops out with the error?
Last edited by Sheridan; 30th August 2013 at 05:40 PM.
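Before any repair attempt on a database like this, the step a practitioner wants is a read-only integrity check taken against a file-level copy, so that a lossy esentutl /p or ntdsutil repair can be undone. The script below is an added example, not code from the thread; it assumes Windows Server 2008 with restartable AD DS, PowerShell 2.0 and the default NTDS path, and the copy location D:\ is a placeholder.

```powershell
# Added example (not from the thread). Assumes Windows Server 2008 with
# restartable AD DS, PowerShell 2.0 and the default NTDS paths; $NtdsDir and
# $SafeCopy are placeholders to adjust for the server in question.
$NtdsDir  = 'C:\Windows\NTDS'
$SafeCopy = 'D:\ntds-copy-' + (Get-Date -Format 'yyyyMMdd-HHmm')
$Dit      = Join-Path $NtdsDir 'ntds.dit'

# 1. Stop AD DS so the database and its logs are closed and the copy is
#    consistent. Dependent services (KDC, DNS, ISM) stop with it, so logons
#    on a single-DC domain are unavailable until step 4. If the stop is
#    refused, boot into DSRM instead and skip this step.
Stop-Service -Name NTDS -Force -ErrorAction Stop

# 2. File-level copy of the database AND the log files before any tool
#    touches them; esentutl /p and the ntdsutil repair are lossy and cannot
#    be reversed without this copy.
New-Item -ItemType Directory -Path $SafeCopy | Out-Null
Copy-Item -Path (Join-Path $NtdsDir '*') -Destination $SafeCopy -Recurse -Force

# 3. Read-only integrity check. esentutl /g returns 0 for a consistent
#    database and a non-zero exit code when it finds a problem; the
#    -1605 (JET_errKeyDuplicate) seen in the thread is one such problem.
$check = Start-Process -FilePath esentutl.exe -ArgumentList "/g `"$Dit`"" `
         -NoNewWindow -Wait -PassThru
if ($check.ExitCode -eq 0) {
    Write-Host 'ntds.dit passed the integrity check; no repair is needed.'
} else {
    Write-Host ('Integrity check failed (exit code {0}).' -f $check.ExitCode)
    Write-Host "Keep the copy in $SafeCopy before considering esentutl /p on the only DC."
}

# 4. Bring AD DS (and its dependents) back so logons keep working while
#    the next step is decided.
Start-Service -Name NTDS
```

The same check is available as `ntdsutil "activate instance ntds" files integrity quit quit` from Directory Services Restore Mode; esentutl /g is used here because it returns a plain exit code that a script can test. The point of the copy is that every later decision (repair, restore, rebuild) can be tried against a copy first, which is exactly what the 25 identical backups in the thread no longer provide.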
31st August 2013, 11:36 AM #2
Can you promote another DC in that domain and get things working through that? If not (and I appreciate this may be unaffordable) this would be the time to phone Microsoft support and open a case.
31st August 2013, 11:48 AM #3
Now would be a time to review your backup policies and back up for longer than 25 days.
31st August 2013, 12:24 PM #4
Single DC in this place. And yes, I know all about backup policies, but we only inherited this school about 3 months ago, so all we've had time to do is check the backups were actually working! They are working, but this error has remained unnoticed, so it has been backed up in that state!
Is there any way to remove the DNS zones from AD and then recreate them on a single-DC AD-integrated DNS server?
31st August 2013, 12:30 PM #5
I'd look at dropping in a temp DC as a second box to at least let something sync and see whether it's "ok" on the far end (allowing you to sleep better) and go from there.
Even a little VM would be sufficient, and it'll help us see the lie of the land. Your 25 days of backups (albeit broken ones) are good enough for things not to get 'worse' as such, as you can always revert back to this point in time.
We can all go on about backup strategies etc., but it doesn't fix the problem at hand, so let's focus on that for now.
31st August 2013, 12:33 PM #6
31st August 2013, 12:47 PM #7
Yeah, I thought I might add in a spare PC as another DC, then demote the original, re-promote it and eventually remove the spare PC totally after it's all sorted. It's not a very well set up system we've inherited, and it's been poorly maintained over the years!
31st August 2013, 12:51 PM #8
Yeah, I think getting your image-based backup onto some removable media is the first step.
Then introduce a second DC, since you know you have a good (broken) backup to go back to if need be.
See what happens on this second DC; plus that gives you a machine to mess around on, knowing it's not the end of the world if you brick it.
If we assume it is also "broken" on replication, then we know we need to mend the data, so we start looking at re-creating zones etc.
Might just find it replicates fine, and replicates authoritatively backwards too..!
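The procedure suggested in posts #2 and #8 (backup to removable media, promote a temporary replica DC, then look at what actually replicated) is shown below as an added example; it is not code from the thread. It assumes E: is the removable drive, school.local / DC=school,DC=local is a placeholder domain name, the existing DC hosts DNS, and the dcpromo answer-file keys are the ones documented for Windows Server 2008.

```powershell
# Added example (not from the thread). Placeholders: E: is the removable
# drive, school.local is the domain, the DSRM password is a placeholder.
# Step 1 runs on the existing (broken) DC; steps 2 and 3 run on the
# temporary machine that will become the second DC.

# --- 1. System state backup onto removable media before anything changes.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# --- 2. Promote the temporary box as a replica DC with a dcpromo answer
#        file (Server 2008 [DCInstall] keys). Domain Admin credentials are
#        asked for interactively; delete the file afterwards because it
#        holds the DSRM password in clear text.
$answer = @'
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=school.local
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=PLACEHOLDER-DSRM-PASSWORD
RebootOnCompletion=Yes
'@
Set-Content -Path C:\dcpromo-replica.txt -Value $answer
dcpromo /unattend:C:\dcpromo-replica.txt
Remove-Item C:\dcpromo-replica.txt -Force

# --- 3. After the reboot, prove what replicated instead of assuming.
repadmin /replsummary                  # per-DC failure counts and last success
repadmin /showrepl                     # inbound partners with any error code
dcdiag /test:Replications /test:DNS    # replication and DNS health on this DC
dnscmd localhost /enumzones            # did the AD-integrated zones arrive?
dnscmd localhost /zoneinfo school.local
```

If `repadmin /showrepl` reports the naming contexts as replicated and `dnscmd /enumzones` lists the forward and reverse zones on the new box, the data survived the trip and the original can be demoted and re-promoted as post #7 proposes. If the same zones are missing or the Users container still errors on the replica, the damage is in the directory data itself and re-creating the zones (and eventually the accounts) is the path, which is the case post #8 describes.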
31st August 2013, 01:30 PM #9
It's frustrating, as there is obviously only some minor corruption in the ntds.dit file, but neither ntdsutil nor esentutl can fix it! And it seems to be a duplicate entry causing the problem, but I can't find a way around that either!
31st August 2013, 05:24 PM #10
How big is the network?
How many users? How many PCs?
Trashing it might not be a bad idea? (Might be quicker in the long run)
31st August 2013, 05:29 PM #11
MS may not offer support after those tools have been run, according to one article I read, until the domain is re-created in a supported configuration, i.e. rebuilt.
31st August 2013, 05:44 PM #12
I'd read that as well. Besides, if I have to resort to MS support then I would bet money on their solution simply being to reinstall AD.
I might try and export everything using ldifde and see if I can export the GPOs as well. It's a network of about 50 PCs and 300 users, so not massive.
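An ldifde export of the kind proposed in this post, written out as an added example (not the poster's own script). It assumes the placeholder domain DN DC=school,DC=local, an output folder on D:, and, for the GPO step, the GroupPolicy PowerShell module (shipped with Server 2008 R2 and RSAT); on plain 2008 the equivalent is the "Back Up All" action in GPMC.

```powershell
# Added example (not from the thread). Placeholders: $Root is the domain DN,
# $Out the export folder. The GroupPolicy module is assumed for the GPO step.
$Root = 'DC=school,DC=local'
$Out  = 'D:\ad-export'
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# Users: LDIF with the attributes needed to re-create the accounts.
# Password hashes are never readable over LDAP, so every imported account
# gets a new password; -l restricts the export to attributes ldifde -i can
# write back (system-owned ones like objectSid would make the import fail).
$UserAttrs = 'objectClass,cn,sAMAccountName,userPrincipalName,givenName,sn,displayName,mail,description,memberOf'
ldifde -f "$Out\users.ldf" -d $Root -p subtree `
       -r '(&(objectCategory=person)(objectClass=user))' -l $UserAttrs

# Groups and OUs. Group membership must be restored from the group's own
# "member" attribute; the "memberOf" value on users is a back-link and is
# exported above only as a human-readable record.
ldifde -f "$Out\groups.ldf" -d $Root -p subtree -r '(objectClass=group)' `
       -l 'objectClass,cn,sAMAccountName,description,member,groupType'
ldifde -f "$Out\ous.ldf" -d $Root -p subtree -r '(objectClass=organizationalUnit)' `
       -l 'objectClass,ou,description'

# A corrupt container (the Users OU in this thread) can abort a subtree
# export part way. Export each top-level OU separately as well, so the
# intact ones still come out even if one of them fails.
$ous = @()
$dnPattern = '^dn: (OU=[^,]+,' + [regex]::Escape($Root) + ')$'
foreach ($line in (Get-Content "$Out\ous.ldf")) {
    if ($line -match $dnPattern) { $ous += $matches[1] }
}
foreach ($dn in $ous) {
    $name = (($dn -split ',')[0] -replace '^OU=', '') -replace '[^A-Za-z0-9_-]', '_'
    ldifde -f "$Out\users-$name.ldf" -d $dn -p subtree -r '(objectClass=user)' -l $UserAttrs
}

# GPOs: Backup-GPO writes backups that Import-GPO can restore into a new
# domain; Get-GPOReport keeps a readable copy of every setting alongside.
Import-Module GroupPolicy
Backup-GPO -All -Path $Out
Get-GPOReport -All -ReportType Html -Path "$Out\gpo-report.html"
```

Two things the export cannot carry across are passwords and SIDs, so a rebuilt domain needs a new password for every user and a re-join for every workstation (the netdom join route post #13 mentions); the exported memberOf and member values let group membership be reconstructed after the users and groups are imported in that order.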
31st August 2013, 10:10 PM #13
I did this a few years back, as fixing the broken AD wasn't worth the time. I wrote a small program in C# to export all the users and walked round and rejoined all the machines to the domain (although you could probably do this with psexec and netdom join), and recreated the GPOs.
Does the native GPMC let you export GPOs? I think AGPM does.
31st August 2013, 11:47 PM #14
Just out of interest, what does Event Viewer say? Also, have you thought about moving the DNS to a different server?
The only other thing I would be worried about is, if you put in another DC, what's not to say it copies the corrupted data across?
Also, what was the last thing you did on the DC?
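The Event Viewer question is the right one: the database engine logs its own errors under the "NTDS ISAM" provider in the Directory Service log, and the earliest such event dates the damage, which tells you whether any backup predates it. The triage below is an added example, not from the thread; it assumes PowerShell 2.0 (for Get-WinEvent) on the affected DC and searches message text rather than relying on a list of event IDs.

```powershell
# Added example (not from the thread). Assumes PowerShell 2.0 on the DC.
# It groups critical/error events from the two logs that matter here and
# finds the first one whose text mentions the JET error from the thread.
$since = (Get-Date).AddDays(-30)

# Directory Service log: ESE/JET database errors appear with provider
# "NTDS ISAM"; directory-level symptoms come from "NTDS General" and friends.
$ds   = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Level = 1, 2; StartTime = $since } `
            -ErrorAction SilentlyContinue)
$isam = @($ds | Where-Object { $_.ProviderName -eq 'NTDS ISAM' })

# DNS Server log: AD-integrated zones that fail to load are reported here.
$dns  = @(Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Level = 1, 2; StartTime = $since } `
            -ErrorAction SilentlyContinue)

function Show-Summary($events, $label) {
    "=== $label : $($events.Count) critical/error events since $since ==="
    $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'FirstLine'; e = { ($_.Group[0].Message -split "`n")[0].Trim() } } |
        Format-Table -AutoSize
}
Show-Summary $ds   'Directory Service'
Show-Summary $isam 'NTDS ISAM (database engine)'
Show-Summary $dns  'DNS Server'

# Earliest event mentioning -1605 (JET_errKeyDuplicate, the code from the
# thread) or "corrupt": this dates the damage and shows which backup, if
# any, was taken before it.
$first = $ds | Where-Object { $_.Message -match '-1605|corrupt' } |
         Sort-Object TimeCreated | Select-Object -First 1
if ($first) {
    "First sign of damage: $($first.TimeCreated)  Id $($first.Id)  $($first.ProviderName)"
} else {
    'No -1605/corruption text in the last 30 days; widen $since or check older backups.'
}
```

Run the same script on a second DC after it is introduced: if the NTDS ISAM errors reappear there, the corruption replicated with the data (the concern raised in this post); if the replica's Directory Service log stays clean, the damage was local to the original database file.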
1st September 2013, 12:35 AM #15
What about firing up a new domain controller in a new domain and using netdom to move over the computer accounts?
For user accounts: Migrating All User Accounts