Corrupt DC

Archived from groups: microsoft.public.win2000.active_directory

After a power failure the partition with the NTDSlogs directory was corrupt for
a DC.
After fixing a new partition for that we ran ntdsutil and as far as we can see
everything looks OK (auth restore/recover/integrity commands return
errorcode=0), but when rebooting into normal state it ends up with a popup
saying that lsass could not start->ok=reboot.
Have tried to copy the NTDS database/logs from another DC (same domain) with
the same result.
Maybe we missed some command in ntdsutil, but I cannot find what it could
be.

Any idea about what to do?

Cannot run dcpromo to demote it from DC when booting into AD restore mode.
Is it possible to force a server out of its "DC-believing" another way and
in that way re-promote it as a DC?
  1. Archived from groups: microsoft.public.win2000.active_directory

    Henrik,

    This is not an easy process if it's the first time you've done it. First,
    you need to do a metadata cleanup on a functional DC, preferably the PDC
    emulator. See KB article 216498. This takes all the information about the
    corrupt DC out of AD.

    Next step is to boot the corrupt DC into AD Restore mode, and change the
    value at

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions\ProductType

    from LanmanNT to ServerNT. Now the DC thinks it's a member server and will
    boot into Windows normally. At this point the machine thinks it's a member
    server but it's still carrying all the baggage from being a DC, the sysvol,
    netlogon, etc. Disjoin the machine from your domain and DCPromo it up to a
    dummy domain, such as mydomain.com; just make sure this has nothing to do
    with your current domain. Demote it gracefully and it will clear out the
    sysvol, netlogon, etc. Now rejoin it to your domain as a member server and
    DCPromo it back into your current domain.

    Sounds like fun, doesn't it?


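The registry step from the answer above, as an added batch example that is not part of the original posts: it changes ProductType only when the current value is LanmanNT and exports the key first so the change can be reverted. It assumes reg.exe is available on the machine (an assumption for Windows 2000) and the backup file name is a placeholder.

```batch
@echo off
rem Added example, not from the thread. Run in AD Restore mode on the broken DC,
rem after the metadata cleanup has been done on a working DC.
rem Assumption: reg.exe is installed and supports query/export/add.
setlocal
set "KEY=HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions"
rem Placeholder backup location; pick a path on a healthy partition.
set "BACKUP=%SystemDrive%\ProductOptions-backup.reg"

rem Read the current ProductType; the value data is the third token on its line.
set "CURRENT="
for /f "tokens=3" %%A in ('reg query "%KEY%" /v ProductType ^| find /i "ProductType"') do set "CURRENT=%%A"

if not defined CURRENT (
    echo Could not read ProductType from %KEY%.
    exit /b 1
)
echo Current ProductType: %CURRENT%

if /i "%CURRENT%"=="ServerNT" (
    echo Already ServerNT, nothing to change.
    exit /b 0
)
rem Only a DC carries LanmanNT; refuse to touch anything else.
if /i not "%CURRENT%"=="LanmanNT" (
    echo Unexpected value, this machine is not marked as a DC. Aborting.
    exit /b 1
)

rem Do not overwrite an earlier backup of the original value.
if exist "%BACKUP%" (
    echo %BACKUP% already exists, move it away first.
    exit /b 1
)
reg export "%KEY%" "%BACKUP%"
if errorlevel 1 (
    echo Backup failed, not changing anything.
    exit /b 1
)

reg add "%KEY%" /v ProductType /t REG_SZ /d ServerNT /f
if errorlevel 1 exit /b 1
echo ProductType set to ServerNT. Backup saved to %BACKUP%.
```

To revert, import the saved file with `reg import` from AD Restore mode before rebooting.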
  2. Archived from groups: microsoft.public.win2000.active_directory

    Thanks for the info.
    I'll try that out later.
    /Henrik
