AD Disaster Recovery - ntdsutil permission denied

Archived from groups: microsoft.public.win2000.active_directory

We have had a massive crash of the HDD on our DC. There are no other DCs left
in the domain. We have gone through the disaster recovery options of
restoring the system state from backup, F8 for AD recovery mode. When we try
to run ntdsutil recover database we get a jetdbinitializefailure (or
something similar) permission denied error. (I have checked permissions of
the ntds folder, systemroot and root for Administrator and System.)

Any help appreciated. Will save us hours in building a new AD.
TIA
  1.

    If you have a backup of the DC, why not just restore the system disk
    and the system state? That should do it.

  2.

    Restore crashes when restoring the registry hives

    "Jorge_de_Almeida_Pinto" wrote:

    > If you have a backup of the DC, why not just restore the system disk
    > and the system state? That should do it.
  3.

    Hi

    I would suggest you go ahead and repromote your DC as the previous domain.
    Make sure, if you want to restore the backup of the previous domain,
    then you should have the same configuration of the DC as the previous DC,
    like same domain name
    same partition space
    same drivers of other devices

    and then restore the system state backup of the domain

    and it will work for you


    ---
    Nitin

  4.

    nitin,

    I've restored the crashed DC from backup; however, the administrator account is
    the only account allowed to log on. I restored the C:\ drive and system state.
    All operation master roles and GC are enabled on that machine. In the AD console
    I can see all the restored accounts but can't use any to log in. Any idea? The
    steps I followed to restore are:

    1. install server 2003
    2. run ntbackup to restore C:\ and system state
    3. modify 'BurFlags' registry key since the restoration is done on
    different hardware.
    4. reboot
    5. Try to login to the restored domain using any domain account (fail).
    Login using administrator account will be accepted
    7. seize operation master roles
    8. verify GC
    9. Verify AD console accounts

    Are there any other steps I'm missing?! Help please

  5.

    Hi,

    First, by default nobody is allowed to log on to the DC.

    If you want to allow others to log on to the DC,
    then follow these steps:

    click on Start --> click on Run

    type dsa.msc

    right-click on Domain Controllers on the left side

    click on Properties
    click on the Group Policy tab,

    select Default Domain Controllers Policy,
    click on Edit

    expand Computer Configuration
    expand Windows Settings
    expand Security Settings
    expand Local Policies
    click on User Rights Assignment

    and then on the right side
    locate "Allow logon locally"
    and then add those users whom you want to give rights to log on
    locally on the domain controller

    reboot the domain controller

    and then see if others can log on to the domain controller or not


    ----
    Nitin
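
Added example, not part of the original thread: every account added to "Allow logon locally" in the Default Domain Controllers Policy can sign in interactively on the DC, so it is worth reviewing who holds that right (`SeInteractiveLogonRight`) after the change. The PowerShell below parses a `secedit /export` security template; the sample template, the domain user SID in it and the baseline group list are constructed assumptions.

```powershell
# On the DC, the template would be produced with:
#   secedit /export /cfg C:\temp\rights.inf /areas USER_RIGHTS
# CONSTRUCTED sample export; the S-1-5-21-... SID is a made-up domain user.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Assumed baseline: built-in groups commonly granted this right on a DC.
# Adjust to your own policy; anything outside this list is flagged for review.
$baseline = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-548' = 'BUILTIN\Account Operators'
    'S-1-5-32-549' = 'BUILTIN\Server Operators'
    'S-1-5-32-550' = 'BUILTIN\Print Operators'
    'S-1-5-32-551' = 'BUILTIN\Backup Operators'
}

function Get-UserRightHolders {
    param([string[]]$InfLines, [string]$Right = 'SeInteractiveLogonRight')
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        # Track whether we are inside the [Privilege Rights] section.
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        $name, $value = $t -split '\s*=\s*', 2
        if ($name -ne $Right -or -not $value) { continue }
        # Entries are comma-separated; SIDs carry a leading '*', plain names do not.
        foreach ($entry in ($value -split ',')) {
            $id = $entry.Trim().TrimStart('*')
            if ($id) { $id }
        }
    }
}

# One row per holder; Review is true for principals outside the baseline.
Get-UserRightHolders -InfLines ($sampleInf -split "`r?`n") | ForEach-Object {
    [pscustomobject]@{ Principal = $_; Name = $baseline[$_]; Review = -not $baseline.ContainsKey($_) }
}
```

To check a real export, pass `Get-Content C:\temp\rights.inf` as `-InfLines` instead of the embedded sample.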