Monday, 2 March 2009

LSASS.EXE - System Error / Rebuilding Active Directory Indices when booting Windows Server 2003

LSASS.EXE - System Error, security accounts manager initialization failed because of the following error: Directory Services cannot start. Error status 0xc00002e1.

I know everyone's scenario when seeing this message is pretty varied, but I found a way to fix this within an hour, provided you have a similar setup.

In my particular case I had two servers: an SBS 2000 (oh dear, I hear you cry) and a Windows Server 2003 Standard running SP1. The 2K3 machine was rebooted and came back up with the above error.

So to fix try the following:

1. Reboot the 2K3 server into "Directory Services Restore Mode" (press F8 at startup) and log on locally with the restore-mode administrator account. In my case I didn't know the restore-mode password (the result of taking on machines from other support companies).

- If that is your situation, go to the second server, right-click "My Computer" and select Manage. In the new window, right-click the "Computer Management" header, click "Connect to another computer", connect to the server you can't log into and reset the local Administrator password under Local Users and Groups. This only works if the account you are using is accepted as an administrator on the broken server; otherwise you will get "Access denied".

2. Now that you're into the server, the first thing to check is the database files. Go to Start, Run, and type "cmd" to open a command shell, then type the following:
ntdsutil files info
(The same thing can be entered one command at a time at the ntdsutil: prompt: "files", then "info".) You should see something similar to the output below:

Drive Information:

C:\ NTFS (Fixed Drive ) free(533.3 Mb) total(4.1 Gb)

DS Path Information:

Database : C:\WINDOWS\NTDS\ntds.dit - 10.1 Mb
Backup dir : C:\WINDOWS\NTDS\dsadata.bak
Working dir: C:\WINDOWS\NTDS
Log dir : C:\WINDOWS\NTDS - 42.1 Mb total
temp.edb - 2.1 Mb
res2.log - 10.0 Mb
res1.log - 10.0 Mb
edb00001.log - 10.0 Mb
edb.log - 10.0 Mb


Make sure that these files exist and the directory is there before you continue. ntdsutil reads these paths from the registry (HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters), so if it reports a path that does not exist, either the files have been moved or the registry is wrong, and Active Directory cannot start until the two agree.

3. You can now do an integrity check, which ntdsutil hands to esentutl /g to verify the low-level ESE database structure, by typing the following:
ntdsutil files integrity
If you get an error here, continue with the next steps; otherwise try a reboot and that should fix the issue.

4. The next check is a semantic check, which looks at the Active Directory contents rather than the ESE structure. "sem d a" is ntdsutil's abbreviation for "semantic database analysis":
ntdsutil "sem d a" go
If this reports errors, run it again with fixup ("go f" is short for "go fixup"), which repairs what it can:
ntdsutil "sem d a" "go f"

5. Try an offline defragmentation (compaction), which writes a fresh copy of the database to a new file:
5a - Type 'ntdsutil', then 'files'
5b - Type 'compact to "c:\TMP"' (create the directory first, and make sure it has room for a copy of ntds.dit)
If the defragmentation succeeds without errors, follow the on-screen instructions Ntdsutil.exe prints. Before touching anything, copy the current Ntds.dit and the .log files somewhere safe. Then delete all the log files in the log directory you noted in step 2, for example:
del C:\WINDOWS\NTDS\*.log
Copy the new Ntds.dit from C:\TMP over the old Ntds.dit in the Active Directory database path that you noted in step 2. It is worth running esentutl /g against the compacted file before the copy: a compaction that finishes but produces a bad file leaves you worse off than you started.

Note: you do not have to delete the Edb.chk file.
Restart the computer normally.
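The checks in steps 2 to 5 as one script rather than commands typed one at a time. This is an added example and not part of the original post: it copies ntds.dit, edb.chk and the transaction logs before anything is overwritten, logs each step, runs the integrity checks through esentutl /g (the tool ntdsutil's "files integrity" calls) so there is an exit code to test, and refuses to swap in the compacted database unless that copy passes its own check. The NTDS path and C:\TMP are taken from the "files info" output above; the backup directory C:\NTDS_BACKUP, the log file name and the /fixup switch are this script's own assumptions. Run it from cmd.exe in Directory Services Restore Mode.

```batch
@echo off
rem Added example, not from the original post. Runs the ntdsutil checks from
rem steps 2-5 in order, from Directory Services Restore Mode.
rem Usage:  ntdscheck.cmd          (info, integrity, semantic check, compact)
rem         ntdscheck.cmd /fixup   (same, but "go fixup" instead of "go")
setlocal
rem Paths assumed from the "files info" output in step 2; adjust to match yours.
set NTDSDIR=C:\WINDOWS\NTDS
set TMPDIR=C:\TMP
set BAKDIR=C:\NTDS_BACKUP
set LOG=%TMPDIR%\ntdscheck.log

if not exist "%NTDSDIR%\ntds.dit" (
    echo %NTDSDIR%\ntds.dit not found - compare with "ntdsutil files info" first.
    exit /b 1
)
if not exist "%TMPDIR%" mkdir "%TMPDIR%"
if exist "%TMPDIR%\ntds.dit" del /q "%TMPDIR%\ntds.dit"

rem Step 0: copy the database, checkpoint and transaction logs before touching them.
if not exist "%BAKDIR%" mkdir "%BAKDIR%"
copy /y "%NTDSDIR%\ntds.dit" "%BAKDIR%\" >nul
copy /y "%NTDSDIR%\*.log"    "%BAKDIR%\" >nul
if exist "%NTDSDIR%\edb.chk" copy /y "%NTDSDIR%\edb.chk" "%BAKDIR%\" >nul
echo Backup taken in %BAKDIR%

rem Step 2: paths and sizes, kept in the log for reference.
echo === files info === > "%LOG%"
ntdsutil "files" "info" quit quit >> "%LOG%" 2>&1

rem Step 3: ESE integrity check. ntdsutil's "files integrity" hands this to
rem esentutl /g; calling esentutl directly gives an exit code to test.
echo === integrity === >> "%LOG%"
esentutl /g "%NTDSDIR%\ntds.dit" >> "%LOG%" 2>&1
if not "%errorlevel%"=="0" (
    echo Integrity check FAILED - carrying on to the semantic check and compaction.
) else (
    echo Integrity check passed - if the server still will not boot, carry on.
)

rem Step 4: semantic check; /fixup runs the repairing variant ("go fixup").
set GOCMD=go
if /i "%~1"=="/fixup" set GOCMD=go fixup
echo === semantic database analysis (%GOCMD%) === >> "%LOG%"
ntdsutil "semantic database analysis" "%GOCMD%" quit quit >> "%LOG%" 2>&1

rem Step 5: offline defragmentation writes a new ntds.dit into %TMPDIR%.
echo === compact === >> "%LOG%"
ntdsutil "files" "compact to %TMPDIR%" quit quit >> "%LOG%" 2>&1
if not exist "%TMPDIR%\ntds.dit" (
    echo Compaction produced no file - original left in place. See %LOG%
    exit /b 1
)

rem Do not trust the compacted file until it passes its own integrity check.
esentutl /g "%TMPDIR%\ntds.dit" >> "%LOG%" 2>&1
if not "%errorlevel%"=="0" (
    echo Compacted database FAILED esentutl /g - original left in place. See %LOG%
    exit /b 1
)

rem Swap in the compacted database and remove the old transaction logs, which
rem belong to the previous file. edb.chk can stay, as the note above says.
copy /y "%TMPDIR%\ntds.dit" "%NTDSDIR%\ntds.dit" >nul
del /q "%NTDSDIR%\*.log"
echo Database replaced; old copy in %BAKDIR%. Review %LOG%, then reboot normally.
endlocal
```

The script runs the plain semantic check by default and only uses "go fixup" when asked, mirroring the "try go, then go f" order above; read the log after the first run before deciding to repair. If anything goes wrong after the reboot, the pre-change copy in C:\NTDS_BACKUP can be put back.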



I personally still had issues at this point, with the server refusing to open these files and reporting JET errors, so from that point I had to do the following:

6. Still in Directory Services Restore Mode, modify the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions

In the right pane, double-click ProductType. On a domain controller it reads LanmanNT; type ServerNT in the Value data box and click OK.
This makes Windows boot as a member server and ignore the Active Directory database entirely. Reboot and log on locally to continue; the local SAM in use is the same one you logged on to in restore mode, so the restore-mode administrator password applies. Be aware this is an undocumented edit rather than a supported demotion (the supported route is the forced demotion in KB 332199 below, which only helps if the server still boots normally), so make sure you have the copies of ntds.dit and the logs from step 5 before you do it.
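The same registry change from the command line, with the check and the backup a practitioner would want before flipping it. This is an added example, not from the original post: it exports the key so the change can be undone, confirms the value is currently LanmanNT (the domain controller value; ServerNT is a standalone or member server, WinNT a workstation) before changing it, and reads the value back afterwards. The backup file name is this script's own choice. Run it from cmd.exe in Directory Services Restore Mode.

```batch
@echo off
rem Added example, not from the original post: the step 6 registry change done
rem from cmd.exe in Directory Services Restore Mode, with a backup of the key
rem and a check that the value is what a domain controller should have.
setlocal
set KEY=HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions
set BACKUP=C:\ProductOptions-%RANDOM%.reg

rem Export the key first so the change can be undone with: reg import <file>
reg export "%KEY%" "%BACKUP%"
if not "%errorlevel%"=="0" (
    echo Could not export %KEY% - not changing anything.
    exit /b 1
)
echo Key backed up to %BACKUP%

rem ProductType is WinNT on a workstation, ServerNT on a standalone or member
rem server and LanmanNT on a domain controller. Only flip it if it is LanmanNT.
reg query "%KEY%" /v ProductType | findstr /i /c:"LanmanNT" >nul
if not "%errorlevel%"=="0" (
    echo ProductType is not LanmanNT, so this box is not currently a DC:
    reg query "%KEY%" /v ProductType
    exit /b 1
)

reg add "%KEY%" /v ProductType /t REG_SZ /d ServerNT /f
if not "%errorlevel%"=="0" (
    echo Failed to change ProductType.
    exit /b 1
)
reg query "%KEY%" /v ProductType
echo Reboot normally; Windows will come up as a member server with AD not started.
echo To revert before rebooting:  reg import "%BACKUP%"
endlocal
```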

7. Once booted, run dcpromo and create a fresh throwaway forest; I used testdomain.deleteme. This gets the server back into a consistent, newly built domain controller state that dcpromo can later demote cleanly, instead of the half-broken one the registry edit leaves behind. Once the wizard completes, reboot.

8. You now have a domain controller again. Run dcpromo once more to remove Active Directory from this new DC, ticking the option that says this is the last domain controller in the domain so the throwaway domain is deleted along with it, and reboot again.

9. Finally, if this applies to you, clean the failed domain controller's leftovers out of Active Directory on the other server: either ADSI Edit or the ntdsutil metadata cleanup procedure described in the "remove data after an unsuccessful demotion" article linked below, followed by removing the server object in Active Directory Sites and Services and any stale DNS records for it. Then run dcpromo on the repaired server to make it an additional domain controller in the existing domain again.

Doing it this way, I lost no data and all security permissions were retained within the folder structure. My method was pieced together from the links below and other sources; it may or may not apply to your circumstance, but if not, your answer will be in there somewhere.

Did I solve your problem? Buy me a virtual beer by clicking on a Google ad :). Thanks!




Additional Links:
KB 258062 - NTDS Util Checks

KB 232122 - Performing Offline Defragment

KB 332199 - Force Demoting a Domain Controller

KB 216498 - How to remove data in Active Directory after an unsuccessful domain controller demotion

15 comments:

  1. Thank you so very much for this. It just saved our bacon!

  2. Thanks Kris it worked out great for us!

  3. Great summary! Checking the .DIT consistency worked for us without needing to demote and promote. Thanks for sharing!

  4. Thank you very much..

  5. AD Restore mode doesn't boot for us either...goes to a non-responding Safe-Mode display.

  6. How do you reset the local admin password on a DC? Active Directory deletes local users and groups when promoting a server to a DC.

  7. If you connect via Computer Management remotely you will see a local admin account you can use...otherwise and in other circumstances I have been on with Microsoft who will walk you through safe mode reset of the NTFS local user.

  8. I tried, but it shows "Access denied" for the local users & groups, services, logs etc. on the second server when connecting to the first server using Computer Management.

  9. This would help if you have a backup of NTDS. Recovery within 5 minutes:

    http://ezref.info/security+accounts+manager+initialization+failed+%3A+Error++0xc00002e1.html

  10. Thanks, this helped confirm the route, although after nothing but errors using "DS recovery mode" I tried booting on a fresh XP disk and running from "CMD":
    1. esentutl /g "\ntds.dit"
    2. esentutl /g "\ntds.dit"
    3. Move or delete log files
    Restart server OK, and/or restart in "DS recovery mode" and follow the above ntdsutil steps 1-5b to confirm a clean bill of health.
    I have also done the esentutl from USB/CD WinPE bootable devices.
    JR

  11. Great, many thanks for the info; even at Microsoft they cannot find info like this. I only did step 6 and everything was done.

  12. Kris
    Quick question: after doing step 6 everything came back up. Do I need to now connect the server to the actual network and dcpromo? If so, then should I also create a fictitious domain and make my server a DC, then dcpromo again to knock it down and insert it into the domain?

    1. If you get to step 6 and everything is working ok, you can finish the procedure here. I had to continue in my scenario as AD still wasn't functioning correctly.
      Kris

  13. Kris
    Great, thanks. I continued with the procedures, but now I noticed that all my user accounts are done and the admin profile changed. Was that supposed to happen? I also somehow lost a few containers (OUs). I can create them, but I was wondering if that is expected.

    Thanks
    Ken

  14. Thank you very much
