Our company has a large Windows Server 2003 Active Directory (AD) environment. Recently I noticed that a domain controller (DC) in one of our branch offices was reporting AD errors. Past experience told me that the errors were most likely due to data corruption in the AD database. The steps you'd typically follow to fix the problem would be to boot into Directory Services Restore Mode and use the Ntdsutil tool to check the database's integrity. However, the problematic DC was in Sydney, Australia, and it was after hours there, so no one was available locally to help me troubleshoot. My only access to the DC was through Windows Server 2003 Terminal Services.
To access Directory Services Restore Mode, you typically press F8 prior to the machine booting into Windows, then select the Directory Services Restore Mode option from the menu that appears. Obviously, this wasn't possible, but a colleague reminded me of a neat workaround. If you modify the boot.ini file, you can restart the server in Directory Services Restore Mode so that you don't lose the connection when the DC restarts.
Here are the steps you can follow to get into Directory Services Restore Mode remotely through RDP and run the Ntdsutil tool:
1. On your machine, select Run from the Start menu, type Mstsc /console, and click OK.
2. Type the IP address or Fully Qualified Domain Name (FQDN) of the server you want to connect to.
3. Log on to the server using the Active Directory account.
4. On the DC, select Run from the Start menu, type sysdm.cpl, and click OK.
5. On the Advanced tab, click Settings in the Startup and Recovery section.
6. Click Edit. This opens the boot.ini file in Notepad.
7. Add the following line to the end of the boot.ini file:
/SAFEBOOT:DSREPAIR
Save and close the boot.ini file.
8. Reboot the server.
9. After waiting a few minutes, perform steps 1 and 2 again.
10. When you reconnect, the server should state that it's in safe mode. Log on using the Local Administrator account (not the Active Directory account).
11. Open a command prompt window, type Ntdsutil, and press Enter.
12. Type Files and press Enter.
13. Type Integrity and press Enter. Windows will examine the database and will let you know the outcome.
14. After you're done with Ntdsutil, type q and press Enter to exit Files. Type q and press Enter again to exit Ntdsutil.
15. Before rebooting, it's important that you change the boot.ini file so that the DC boots in normal mode. Open boot.ini by repeating steps 4 through 6. Remove the /SAFEBOOT:DSREPAIR entry that you added earlier. Save and close the boot.ini file.
16. Restart the DC.
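The boot.ini change in steps 7 and 15, as an added example that is not part of the original article: the /SAFEBOOT:DSREPAIR switch is appended to the operating-system entry under [operating systems], and the same helper removes it again so the DC is not left booting into Directory Services Restore Mode after the repair. The ARC path and menu text in the sample boot.ini are constructed placeholders.

```python
"""Add or remove the /SAFEBOOT:DSREPAIR switch on boot.ini OS entries.

Added example, not from the original article. The ARC path and entry
name below are constructed placeholders; a real boot.ini will differ.
"""
import re

# Constructed sample of a Windows Server 2003 boot.ini (placeholder ARC path).
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows Server 2003, Standard" /fastdetect /NoExecute=OptOut
"""

DSREPAIR_SWITCH = "/SAFEBOOT:DSREPAIR"
_SAFEBOOT_RE = re.compile(r"\s+/safeboot:\S+", re.IGNORECASE)


def _os_entry_indexes(lines):
    """Yield indexes of the entries in the [operating systems] section only,
    so the default= line in [boot loader] is never touched."""
    in_section = False
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("["):
            in_section = stripped.lower() == "[operating systems]"
            continue
        if in_section and "=" in stripped:
            yield i


def set_dsrepair(boot_ini: str, enable: bool) -> str:
    """Return boot.ini text with the DSREPAIR switch added to (enable=True) or
    removed from (enable=False) every OS entry. Idempotent either way."""
    lines = boot_ini.splitlines()
    for i in _os_entry_indexes(lines):
        # Drop any existing /safeboot switch first so there are never
        # duplicates and the switch is fully removed when reverting.
        line = _SAFEBOOT_RE.sub("", lines[i]).rstrip()
        if enable:
            line += " " + DSREPAIR_SWITCH
        lines[i] = line
    return "\n".join(lines) + "\n"


def boots_into_dsrm(boot_ini: str) -> bool:
    """True if any entry still carries /safeboot:dsrepair. Check this before
    the final restart (step 15) so the DC comes back with AD online."""
    return re.search(r"/safeboot:dsrepair", boot_ini, re.IGNORECASE) is not None
```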
Fortunately for us, the integrity check came back OK. Just having the database offline and running the Integrity command fixed our problem. If you're not as fortunate, some file management commands that you might find useful are Recover, Repair, and Compact to %s. You'll need to do some research on these commands before using them. Besides typing ? at the command prompt to access the tool's Help file, you can check out the Microsoft articles "Managing Active Directory Files" (www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsfl_utl_wgzt.mspx?mfr=true) and "Ntdsutil" (technet2.microsoft.com/windowsserver/en/library/91559a2b-b666-442c-bdd2-df4b7c46983c1033.mspx?mfr=true).
—Stefan Fagerholm, enterprise AD administrator, Milliman
August 27, 2008