Fix: Active directory corrupted (NTDS ISAM Database Corruption errors in eventlog)

It worked for me!

Frank Keunen

IT-Pro Evangelist :: Microsoft IT Infrastructure Engineer

Follow the procedure below to fix Microsoft Active Directory database problems (corrupted Active Directory due to e.g. memory issues/disk problems):

1. Reboot the server and press F8. Choose Directory Services Restore Mode from the Menu.

2. Check the physical location of the Winnt\NTDS\ folder.

3. Check the permissions on the \Winnt\NTDS folder. The default permissions are:

   Administrators: Full Control
   System: Full Control

4. Check the Winnt\Sysvol\Sysvol folder to make sure it is shared.

5. Check the permissions on the Winnt\Sysvol\Sysvol share. The default permissions are:

   Share Permissions:
   Administrators: Full Control
   Authenticated Users: Full Control
   Everyone: Read

   NTFS Permissions:
   Administrators: Full Control
   Authenticated Users: Read & Execute, List Folder Contents, Read
   Creator Owner: none
   Server Operators: Read & Execute, List Folder Contents, Read
   System: Full Control

   Note: You may not be able to change the permissions on these folders if the Active Directory database is unavailable because it is damaged, however it is best to know if the permissions are set correctly before you start the recovery process, as it may not be the database that is the problem.

6. Make sure there is a folder in the Sysvol share labeled with the correct name for their domain.

7. Open a command prompt and run NTDSUTIL to verify the paths for the NTDS.dit file. These should match the physical structure from Step 2. To check the file paths type the following commands:

   Start a command prompt
   NTDSUTIL
   Files
   Info

   The output should look similar to:

   Drive Information:
   C:\ NTFS (Fixed Drive) free (2.9 Gb) total (3.9 Gb)
   D:\ NTFS (Fixed Drive) free (3.6 Gb) total (3.9 Gb)

   DS Path Information:
   Database : C:\WINNT\NTDS\ntds.dit 10.1 Mb
   Backup dir: C:\WINNT\NTDS\dsadata.bak
   Working dir: C:\WINNT\NTDS
   Log dir : C:\WINNT\NTDS 30.0 Mb total
       res2.log 10.0 Mb
       res1.log 10.0 Mb
       edb.log 10.0 Mb

   This information is pulled directly from the registry and mismatched paths will cause Active Directory not to start. Type Quit to end the NTDSUTIL session.

8. Rename the edb.chk file and try to boot to Normal mode. If that fails, proceed with the next steps.

9. Reboot into Directory Services Restore mode again. At the command prompt, use ESENTUTL to check the integrity of the database.

   NOTE: You can use NTDSUTIL to check the integrity, however esentutl is usually more reliable.

   Type the following command:

   ESENTUTL /g \NTDS.dit /!10240 /8 /v /x /o

   (Note: Type the path without the quotes.)

   Note: The default path would be C:\Winnt\NTDS\ntds.dit; however it may be different in some cases.

   The output will tell you if the database is inconsistent and may produce a jet_error 1206 stating that the database is corrupt. If the database is inconsistent or corrupt it will need to be recovered or repaired.

   To recover the database type the following at the command prompt:

   NTDSUTIL
   Files
   Recover

   If this fails with an error, type quit until back at the command prompt and repair the database using ESENTUTL by typing the following:

   ESENTUTL /p \NTDS.dit /!10240 /8 /v /x /o

   (Note: Type the path without the quotes.)

   Note: If you do not put the switches at the end of the command you will most likely get a Jet_error 1213 Page size mismatch error.

10. Delete the log files in the NTDS directory, but do not delete or move the ntds.dit file.

11. The NTDSUTIL tool needs to be run again to check the integrity of the database and to perform a Semantic Database Analysis.

    To check the integrity, at the command prompt type:

    NTDSUTIL
    Files
    Integrity

    The output should tell you that the integrity check completed successfully and prompt that you should perform a Semantic Database Analysis. Type quit.

    To perform the Semantic Database Analysis type the following at the NTDSUTIL prompt:

    Semantic Database Analysis
    Go

    The output will tell you that the Analysis completed successfully. Type quit and close the command prompt.

    NOTE: If you get errors running the Analysis then type the following at the semantic checker prompt:

    semantic checker: go fix

    This puts the checker in Fixup mode, which should fix whatever errors there were.

12. Reboot the server to Normal Mode.

If any of these steps fail to recover the database the only alternative is to perform an Authoritative System State restore from backup in Directory Services Restore mode.

For more information, please refer to the following articles:

315136 HOW TO: Complete a Semantic Database Analysis for the Active Directory
http://support.microsoft.com/?id=315136

265706 DCDiag and NetDiag in Windows 2000 Facilitate Domain Join and DC Creation
http://support.microsoft.com/?id=265706

258007 Error Message: Lsass.exe System Error : Security Accounts Manager
http://support.microsoft.com/?id=258007

265089 Event 1168: Windows 2000 DCs Unable to Boot into Active Directory
http://support.microsoft.com/?id=265089

315131 HOW TO: Use Ntdsutil to Manage Active Directory Files from the Command
http://support.microsoft.com/?id=315131

BR Frank


July 25th, 2011 4:13pm
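
Added example, not part of Frank's post or of any reply in this thread: a cmd.exe batch file, run in Directory Services Restore Mode, that takes a verified safety copy of the NTDS folder before steps 8 to 10 rename, repair or delete anything, then runs the step 9 integrity check. NTDS_DIR is the default path named in the post; BACKUP_DIR, the variable names and the choice to treat any non-zero exit code as a failure are assumptions.

```bat
@echo off
rem Added example. Run from a command prompt in Directory Services Restore Mode.
rem ASSUMPTION: NTDS_DIR is the default from the post; confirm it with NTDSUTIL Files Info.
rem ASSUMPTION: BACKUP_DIR is a hypothetical folder on a volume with enough free space.
setlocal
set NTDS_DIR=C:\WINNT\NTDS
set BACKUP_DIR=D:\NTDS-pre-repair
rem Switches as given in step 9. A later reply reports using only /8 on Server 2003.
set ESE_FLAGS=/!10240 /8 /v /x /o

if not exist "%NTDS_DIR%\ntds.dit" (
    echo ntds.dit not found in %NTDS_DIR%. Compare with the paths from step 7.
    exit /b 1
)
if exist "%BACKUP_DIR%\ntds.dit" (
    echo %BACKUP_DIR% already holds a copy. Refusing to overwrite it.
    exit /b 1
)

rem Copy database, logs and edb.chk, including hidden and system files, with verify.
xcopy "%NTDS_DIR%\*.*" "%BACKUP_DIR%\" /H /K /V /Y
if errorlevel 1 (
    echo Copy failed. Do not continue with steps 8 to 10.
    exit /b 1
)

rem Compare the size of the copied database with the original.
for %%F in ("%NTDS_DIR%\ntds.dit") do set SRC_SIZE=%%~zF
for %%F in ("%BACKUP_DIR%\ntds.dit") do set DST_SIZE=%%~zF
if not "%SRC_SIZE%"=="%DST_SIZE%" (
    echo Size mismatch between original and copy. Do not continue.
    exit /b 1
)
echo Safety copy of %NTDS_DIR% stored in %BACKUP_DIR%.

rem Step 9 integrity check. This only reads the database.
esentutl /g "%NTDS_DIR%\ntds.dit" %ESE_FLAGS%
if %ERRORLEVEL% NEQ 0 (
    echo Integrity check reported a problem. Continue with recover or repair from step 9.
) else (
    echo Integrity check passed.
)
endlocal
```

The copy gives a way back to the pre-repair state if ESENTUTL /p or the log deletion in step 10 makes things worse; it does not replace a System State backup.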

Hi,

Thanks for your sharing and the detailed information on how you fixed the problem.

This solution will benefit other users who come to see this thread. If you have any questions in the future, you're welcome to this forum.

Regards,
Bruce

 

July 29th, 2011 8:04pm

Carlos, sorry, but it's difficult to understand or read the post; it would be better if you could format the post in a readable format.

 

Regards  

July 30th, 2011 9:25am

Hello,

I agree with Awinish about the readable format here, so here is the link to the original article:

http://www.digitalforensics.be/blog/?s=Follow+the+procedure+below+to+fix+Microsoft+Active+Directory+database+problems+%28c

July 30th, 2011 8:44pm

Thank you Meinolf.

 

Regards

July 30th, 2011 10:23pm

Thanks for this info... sure helpful in some cases...
April 20th, 2012 10:29am

Frank: This procedure (with some variations required for my environment) worked perfectly. Thank you very much.

To other readers: The procedure works, but it is a loaded gun. Be careful and methodical.

The specifics of my situation, which I offer as additional information, are:
Windows Server 2003 R2 Standard Edition SP2 with all updates.
One server, 20 clients; of course the server is the domain controller.

I suggest running the command prompt window at an elevated security level ("run as:", followed by unchecking the "restricted" box).
I also suggest changing directories to C:\WINNT\NTDS or C:\WINDOWS\NTDS, as appropriate.

Variations:
The location of the NTDS folder is C:\WINDOWS\NTDS for an install that is not an upgrade from Server 2000.
Step 9 -- the parameters for ESENTUTL are different. For the integrity check I used "ESENTUTL /g NTDS.DIT /8" as the other parameters are not available.
Also in step 9 -- For the repair step that was required I used "ESENTUTL /p NTDS.DIT /8". There was a window warning of a possible data loss, which clicking OK cleared.
Step 11 -- NTDSUTIL FILES INTEGRITY works properly without change. However, the Semantic Database Analysis check cannot be run in a single command. I used "NTDSUTIL SEMANTIC DATABASE ANALYSIS" followed by "GO" at the next prompt. The database analysis does not report a positive result, but if there is no warning the database passes the analysis. To be certain I ran the "GO FIX" step anyway, which gave identical output.

After this procedure the system started perfectly. I recommend this procedure as the answer to the problem.

  -- E. R. Quinones


August 26th, 2012 6:41pm

you have done good work but it is readable and also not going in the mind..

but for this problem going to Active Directory restore mode and doing a restore of ADS with a backup will make the thing OK...

Please provide a clear file of the same 

thank you 

September 22nd, 2012 11:58am

This saved my @$$ last night. Thank you VERY much!
October 6th, 2012 6:58pm

Thank you very much, Carlos Fafetine

Faisal Shaheen

March 25th, 2013 12:32pm

Absolute life-saver!  It's frustrating that the MS KB article doesn't suggest deleting the log files, as that was the trick.  I was to the point of considering creating a new domain before I found this.

Thank you for sharing it.

Tony


April 19th, 2013 10:03pm

In total agreeance with last response.

Spending over 10 long painful days trying to help a friend out with their server build 9yrs ago (which they just enter data and never do maintenance) the HDD corrupted with bad sectors and performing a chkdsk, scan, etc brought me to the lsass.exe Directory Services Recovery stage.

I read several hundred links (not a server guy, mainly desktop). I came across this article and followed it to the letter (although was getting an invalid switch for /v, /x, /o, so left these out) and now backup operational.

This gives more time to understand my friend's system and needs to replace the hardware (server only P4 1gb RAM, running W2k# Small Business Server) and bring them into the new world.

Thanks again for publishing this article and bringing others back from terranova.

Cheers

Adam

April 24th, 2013 5:37pm

I have broken the response up to help read this.

-- 
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com    Twitter @pbbergs
http://blogs.dirteam.com/blogs/paulbergson

Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

April 24th, 2013 6:57pm

Yay!  I agree with tmancill - step 10 did it for me!  Now I'm off to make sure my system state backup works properly in future...  Many thanks Frank.

June 14th, 2013 5:38pm

HELP!!

I had this problem and started to run through the fix above, unfortunately I got to Step 8 and went for the reboot into normal mode.

Now all I get is a cyclic reboot, I can't boot into anything including Directory Services Restore Mode.

Does anyone know how I can get back into the system to continue through the fix?

We're running a Dell PowerEdge SC440 using Raid 1

Thanks for any advice in advance.

Terry


July 12th, 2013 4:47am

This topic is archived. No further replies will be accepted.
