Windows Server 2008 Thread: Odd problem with AD ntds.dit (forum: Technical)
  1. #1
    Sheridan

    Odd problem with AD ntds.dit

    I've an odd problem with one of our primary 2008 Servers. It's the single DC for their domain, and seems to be working mostly OK (people can log in etc.), but when you open the DNS console both forward and reverse zones cannot be accessed (they are AD zones). Also, when opening the ADUC console you can browse nearly all of the OUs, with the exception of Users, which generates an error (system error).

    So I assumed this was a problem with the AD database as the DNS and Users OU are part of AD. Rebooting the server into restore mode and running the esentutl tool to repair the ntds.dit database results in an error at about 50% of the Defragmentation stage - saying there is an Illegal Duplicate (error -1605).

    So after many repair attempts (and also trying ntdsutil as well) I decided to revert to one of the System State backups created using Windows Server Backup - we have backups for the last 25 days and every one results in the same corrupted ntds.dit database! So it looks like this problem has been happening since the start of the holidays - unfortunately we only have the 25 backups, taking us back to early August, as the school itself was closed until today!

    So I'm a bit stuck now - the server is sort of working, but DNS clearly isn't and AD seems to be partially corrupt. Oddly Ranger is working fine, as is DHCP, so the staff are logging on OK - but I'd like to fix this without an OS re-installation if possible, although it's looking likely that's the only option!

    Is there any other way to repair the AD ntds.dit database, or even a third party tool to do this as the MS one drops out with the error?
    Last edited by Sheridan; 30th August 2013 at 04:40 PM.
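    Before any lossy repair (esentutl /p, ntdsutil semantic analysis with fixup) is attempted, the useful first step is a read-only triage that records where the database is, what its ESE header says, which NTDS/ESENT errors have been logged and since when, and whether the Users container can be read over LDAP. The script below is an added example for this thread, not something from the original post; it assumes an elevated PowerShell 2.0+ session on the DC itself with esentutl.exe and dcdiag.exe present (they are on every DC), and Out-Report is a helper defined here.

```powershell
# Added example, not from the thread: read-only triage of a DC showing the
# symptoms described in the post (AD-integrated DNS zones inaccessible, one
# container throwing a "system error"), to run BEFORE any lossy repair such
# as esentutl /p. Assumptions: elevated PowerShell 2.0+ on the DC itself;
# dcdiag.exe and esentutl.exe present (they are on every DC).

$Report = Join-Path $env:TEMP ("ntds-triage-{0:yyyyMMdd-HHmm}.txt" -f (Get-Date))

function Out-Report {
    # Echo each line to the console and append it to the report file.
    param([Parameter(ValueFromPipeline = $true)] $Line)
    process {
        $text = ([string]$Line).TrimEnd()
        Write-Host $text
        Add-Content -Path $Report -Value $text
    }
}
function Write-Section([string]$Title) { "`n===== $Title =====" | Out-Report }

# 1. Locate the database from the registry instead of assuming the default
#    path, so the header dump below looks at the file the DC actually uses.
Write-Section 'Database location'
$params   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NtdsPath = $params.'DSA Database file'
"ntds.dit : $NtdsPath" | Out-Report
"log path : $($params.'Database log files path')" | Out-Report

# 2. The ESE header dump (esentutl /mh) is read-only. It shows the State
#    (Clean/Dirty Shutdown) and the repair count, which tells you whether a
#    previous repair attempt has already been run against this copy.
Write-Section 'ESE header (esentutl /mh)'
esentutl.exe /mh $NtdsPath 2>&1 | Out-Report

# 3. NTDS / ESENT errors from the Directory Service log for the last 30 days.
#    Negative ESE codes such as -1605 (the "Illegal Duplicate" from the post)
#    usually appear here well before a console breaks, which helps date the
#    corruption against the backup set.
Write-Section 'NTDS / ESENT errors, last 30 days'
$filter = @{ LogName = 'Directory Service'; Level = 1, 2; StartTime = (Get-Date).AddDays(-30) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'NTDS|ESENT' } |
    Sort-Object TimeCreated |
    ForEach-Object { "{0:u}  {1,-14} {2,5}  {3}" -f $_.TimeCreated, $_.ProviderName, $_.Id, ($_.Message -replace '\s+', ' ') } |
    Out-Report

# 4. Reproduce the symptom from the LDAP side without touching the database:
#    a paged search of CN=Users either returns a count or records the exact
#    error text for the report.
Write-Section 'LDAP read of CN=Users'
$base    = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value
$usersDn = "CN=Users,$base"
try {
    $entry    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$usersDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, '(objectClass=user)')
    $searcher.PageSize = 500
    "OK: $($searcher.FindAll().Count) user objects under $usersDn" | Out-Report
} catch {
    "FAILED: $usersDn : $($_.Exception.Message)" | Out-Report
}

# 5. The DNS test is read-only as well and shows which zones the DC can load.
Write-Section 'dcdiag /test:dns'
dcdiag.exe /test:dns 2>&1 | Out-Report

"`nReport written to $Report" | Out-Report
```

Keep the report with the backups: the header dump and the event timeline are what you need to work out which System State backup (if any) predates the first -1605, and they are also what Microsoft support would ask for first.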

  2. #2

    Can you promote another DC in that domain and get things working through that? If not (and I appreciate this may be unaffordable) this would be the time to phone Microsoft support and open a case.

  3. #3

    Now would be a time to review your backup policies and back up for longer than 25 days.

  4. #4
    Sheridan
    Single DC in this place. And yes, I know all about backup policies, but we only inherited this school about 3 months ago, so all we've had time to do is check the backups were actually working! They are working, but this error has remained unnoticed, so it has been backed up in that state!

    Is there any way to remove the DNS zones from AD and then recreate them on a single-DC, AD-integrated DNS server?

  5. #5


    I'd look at dropping in a temp DC as a second box to at least let something sync and see whether it's "ok" on the far end (allowing you to sleep better) and go from there.

    Even a little VM would be sufficient and it'll help us see the lie of the land. Your 25 days of backups (albeit broken ones) are good enough for things not to get 'worse' as such, as you can always revert back to this point in time.

    We can all go on about backup strategies etc but it doesn't fix the problem at hand so lets focus on that for now.

  8. #7
    Sheridan
    Yeah, I thought I might add in a spare PC as another DC, then demote the original, re-promote it and eventually remove the spare PC totally after it's all sorted. It's not a very well set-up system we've inherited and it's been poorly maintained over the years!

  9. #8


    Yeah, I think getting your image-based backup onto some removable media is the first step.

    Then introduce the second DC, since you know you have a good (broken) backup to go back to if need be.

    See what happens on this second DC, plus that gives you a machine to mess around on knowing it's not the end of the world if you brick it.

    If we assume it is also "broken" on replication then we know we need to mend the data so we start looking at re-creating zones etc.

    Might just find it replicates fine, and replicates authoritatively backwards too..!
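    Once the second DC is in, the question the posts above raise is whether the data came across clean or whether the breakage replicated with it. The following added example (not from the thread) is a check to run on the new DC: it reads the inbound replication state from repadmin's CSV output, counts the objects in the containers that misbehave on the original DC against both servers, and lists the DNS zones each server can enumerate. It assumes an elevated PowerShell 2.0+ session on the new DC with repadmin, dcdiag and dnscmd present, and $OriginalDc is a placeholder hostname.

```powershell
# Added example, not from the thread: after a second DC has been promoted,
# run this on the NEW DC to see whether the naming contexts (including the
# DNS application partitions) replicated in cleanly and whether the Users
# container and DNS zones are readable from this copy. Assumptions:
# elevated PowerShell 2.0+; repadmin, dcdiag and dnscmd present; $OriginalDc
# is a placeholder hostname.

$OriginalDc = 'OLDDC01'            # placeholder: the broken DC
$ThisDc     = $env:COMPUTERNAME

# 1. Inbound replication status as CSV. "Number of Failures" = 0 and
#    "Last Failure Status" = 0 on every row means every partition, including
#    DomainDnsZones/ForestDnsZones, pulled in without error.
$links = repadmin.exe /showrepl $ThisDc /csv | ConvertFrom-Csv
$links | Select-Object 'Naming Context', 'Source DSA', 'Number of Failures', 'Last Failure Status', 'Last Success Time' |
    Format-Table -AutoSize
$failedLinks = @($links | Where-Object { [int]$_.'Number of Failures' -gt 0 })
if ($failedLinks.Count -gt 0) { Write-Warning "$($failedLinks.Count) inbound link(s) on $ThisDc report failures" }

# 2. Count objects in the containers that misbehave on the original DC,
#    against BOTH DCs. A count on the new DC where the old one errors means
#    the data replicated; an error on both means the corruption came across.
function Get-ContainerCount([string]$Server, [string]$Dn) {
    try {
        $entry    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$Dn")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, '(objectClass=*)')
        $searcher.PageSize = 1000
        $searcher.FindAll().Count
    } catch { "ERROR: $($_.Exception.Message)" }
}
$base = ([ADSI]"LDAP://$ThisDc/RootDSE").defaultNamingContext.Value
$containers = @(
    "CN=Users,$base",
    "CN=Computers,$base",
    "CN=MicrosoftDNS,DC=DomainDnsZones,$base",   # zones replicated to all DNS servers in the domain
    "CN=MicrosoftDNS,CN=System,$base"            # legacy location: zones stored in the domain partition
)
$counts = foreach ($dn in $containers) {
    New-Object PSObject -Property @{
        Container  = $dn
        OnOriginal = Get-ContainerCount $OriginalDc $dn
        OnNew      = Get-ContainerCount $ThisDc $dn
    }
}
$counts | Format-Table Container, OnOriginal, OnNew -AutoSize

# 3. Zone list as seen by each DNS server, then the standard replication test.
foreach ($dc in $OriginalDc, $ThisDc) {
    "--- zones on $dc ---"
    dnscmd.exe $dc /enumzones 2>&1
}
dcdiag.exe /s:$ThisDc /test:replications 2>&1
```

If the counts and zone lists match and nothing reports a failure, the new DC holds a usable copy and the original can be demoted; if the same containers error on both, the duplicate-key problem has replicated and the rebuild/export route is the realistic one.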


  10. #9
    Sheridan
    It's frustrating, as there is obviously only some minor corruption in the ntds.dit file, but neither ntdsutil nor esentutl can fix it! And it seems to be a duplicate entry causing the problem, but I can't find a way around that either!

  11. #10

    Join Date
    Mar 2013
    Location
    west sussex
    Posts
    519
    Thank Post
    74
    Thanked 26 Times in 26 Posts
    Rep Power
    14
    How big is the network?

    How many users? How many PCs?

    Trashing it might not be a bad idea? (Might be quicker in the long run)

  12. #11

    plexer
    MS may not offer support after those tools have been run, according to one article I read, until the domain is re-created in a supported configuration, i.e. rebuilt.

    Ben

  13. #12
    Sheridan
    I'd read that as well - besides, if I have to resort to MS support then I would bet money on their solution simply being to reinstall AD.

    I might try and export everything using ldifde and see if I can export the GPOs as well - it's a network of about 50 PCs and 300 users, so not massive.

  14. #13

    Quote Originally Posted by Sheridan:
    I'd read that as well - besides, if I have to resort to MS support then I would bet money on their solution simply being to reinstall AD.

    I might try and export everything using ldifde and see if I can export the GPOs as well - it's a network of about 50 PCs and 300 users, so not massive.
    I did this a few years back, as fixing the broken AD wasn't worth the time: I wrote a small program in C# to export all the users and walked round and rejoined all the machines to the domain (although you could probably do this with psexec and netdom join), then recreated the GPOs.

    Does the native GPMC let you export GPOs? I think AGPM does.
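    The export both posts above are talking about (users and groups with ldifde, OUs with their GPO links, and the GPOs themselves) can be scripted so that it is repeatable and so that one unreadable container does not abort the rest. This is an added example for the thread, not Sheridan's or the other poster's code. It assumes an elevated PowerShell session on the DC with ldifde.exe present (it is on every DC); Backup-GPO and Get-GPOReport need the GroupPolicy module, which ships with Server 2008 R2 / RSAT (on 2008 RTM, back the GPOs up from the GPMC console instead). $ExportRoot is a placeholder path.

```powershell
# Added example, not from the thread: capture what a hand rebuild would need
# (users, groups, OU layout with GPO links, and the GPOs themselves) before
# the corrupt domain is thrown away. Assumptions: elevated PowerShell on the
# DC; ldifde.exe is present; Backup-GPO/Get-GPOReport need the GroupPolicy
# module (Server 2008 R2 or RSAT); $ExportRoot is a placeholder.

$ExportRoot = 'E:\ad-export'                     # placeholder: use removable media
New-Item -ItemType Directory -Path $ExportRoot -Force | Out-Null
$base = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value

# Attributes worth re-creating. Deliberately NOT exporting system attributes
# (objectGUID, objectSid, uSN*, whenCreated...) because ldifde -i would
# reject them in a fresh domain. Passwords never export; users get new ones.
$attrs = 'sAMAccountName,objectClass,givenName,sn,displayName,userPrincipalName,mail,' +
         'description,department,title,userAccountControl,groupType,member,managedBy'
$filter = '(|(&(objectCategory=person)(objectClass=user))(objectClass=group))'

# 1. One LDIF per top-level OU/container so that a container the old DC can no
#    longer read (the post's "system error" on Users) fails on its own rather
#    than aborting the whole export.
$failed = @()
$root   = [ADSI]"LDAP://$base"
foreach ($child in $root.Children) {
    if (@('organizationalUnit', 'container') -notcontains $child.SchemaClassName) { continue }
    $dn   = $child.distinguishedName.Value
    $file = Join-Path $ExportRoot (($child.Name -replace '[^\w-]', '_') + '.ldf')
    ldifde.exe -f $file -d $dn -p subtree -r $filter -l $attrs | Out-Null
    if ($LASTEXITCODE -ne 0) { $failed += $dn } else { "exported $dn -> $file" }
}

# 2. OU tree plus gPLink, so links can be re-created after the GPOs are
#    imported (the GUIDs inside gPLink change on import; map them through the
#    GPO display names in the report produced below).
ldifde.exe -f (Join-Path $ExportRoot 'ous.ldf') -d $base -p subtree `
    -r '(objectClass=organizationalUnit)' -l 'ou,description,gPLink,gPOptions' | Out-Null

# 3. All GPOs with their settings, plus a readable HTML report as a cross-check.
Import-Module GroupPolicy -ErrorAction Stop
$gpoDir = Join-Path $ExportRoot 'gpo'
New-Item -ItemType Directory -Path $gpoDir -Force | Out-Null
Backup-GPO -All -Path $gpoDir | Select-Object DisplayName, GpoId, Id | Format-Table -AutoSize
Get-GPOReport -All -ReportType Html -Path (Join-Path $ExportRoot 'gpo-report.html')

if ($failed.Count -gt 0) {
    Write-Warning "ldifde could not read: $($failed -join '; ')"
    Write-Warning 'Retry those containers from a second DC if one has been promoted.'
}
```

On the rebuilt domain, `ldifde -i -f users.ldf -c "DC=old,DC=local" "DC=new,DC=local"` rewrites the DNs on import; expect accounts with userAccountControl 512 to be refused until they have a password that meets policy, so import them disabled (514) or set passwords first, and import groups after users so the member references resolve.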

  15. #14
    kevin_lane
    Just out of interest, what does Event Viewer say? Also, have you thought about moving the DNS to a different server?

    The only thing I would also be worried about is, if you put in another DC, what's to say it doesn't copy the corrupted data across?

    Also, what was the last thing you did on the DC?

  16. #15

    plexer
    What about firing up a new domain controller in a new domain and using netdom to move over the computer accounts?

    Netdom move

    For user accounts

    Migrating All User Accounts

    Ben
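    Ben's suggestion of a new domain plus netdom move for the computer accounts can be driven from a list so that each machine's result is logged and unreachable machines are skipped rather than failing half-way through. The script below is an added example, not from the thread; it assumes a box that can reach both domains and has netdom.exe (any DC or RSAT), a PowerShell 2.0+ session, and that the domain name, OU path, account names and hostnames are placeholders with the list file constructed here for illustration.

```powershell
# Added example, not from the thread: move computer accounts from the broken
# domain into a freshly built one with "netdom move", driven from a list so
# the result per machine is logged. Assumptions: run from a box that can
# reach both domains and has netdom.exe; domain names, OU path, account
# names and hostnames are placeholders; the list file is constructed here.

$NewDomain = 'newschool.local'                         # placeholder
$NewOu     = 'OU=Workstations,DC=newschool,DC=local'   # placeholder; must already exist
$ListFile  = Join-Path $env:TEMP 'computers.txt'
$LogFile   = Join-Path $env:TEMP 'netdom-move.csv'

# Constructed sample list. In practice build it from the old domain, e.g.
#   dsquery computer -limit 0 | dsget computer -samid
# and strip the trailing $ from each name.
'PC-LIB-01', 'PC-ICT-02', 'PC-STAFF-03' | Set-Content $ListFile

# Use accounts created just for the migration and disable them afterwards:
# netdom takes the password on its command line, which any local process
# listing can see while the command runs.
$credNew = Get-Credential 'NEWSCHOOL\migrate'   # placeholder: may join computers to $NewDomain
$credOld = Get-Credential 'OLDSCHOOL\migrate'   # placeholder: admin on the machines being moved

function Move-ToNewDomain([string]$Computer) {
    # Returns one record per machine; $LASTEXITCODE is netdom's own status.
    if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
        return New-Object PSObject -Property @{ Computer = $Computer; Status = 'skipped'; Detail = 'not reachable' }
    }
    $out = netdom.exe move $Computer "/domain:$NewDomain" "/ou:$NewOu" `
        "/userd:$($credNew.UserName)" "/passwordd:$($credNew.GetNetworkCredential().Password)" `
        "/usero:$($credOld.UserName)" "/passwordo:$($credOld.GetNetworkCredential().Password)" `
        /reboot:60 2>&1
    $status = if ($LASTEXITCODE -eq 0) { 'moved' } else { 'failed' }
    $detail = (($out | ForEach-Object { [string]$_ }) -join ' ').Trim()
    New-Object PSObject -Property @{ Computer = $Computer; Status = $status; Detail = $detail }
}

$results = Get-Content $ListFile | Where-Object { $_.Trim() } | ForEach-Object { Move-ToNewDomain $_.Trim() }
$results | Select-Object Computer, Status, Detail | Export-Csv -Path $LogFile -NoTypeInformation
$results | Format-Table Computer, Status -AutoSize
"Log written to $LogFile"
```

For a handful of machines, `/passwordd:*` and `/passwordo:*` make netdom prompt for each password instead of taking it on the command line; for fifty PCs the loop above with a short-lived migration account is the practical trade-off. Computers in the old domain that never show up as reachable stay in the CSV as "skipped" for the walk-round.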
