LSASS.EXE – System Error / Rebuilding Active Directory Indices when booting Windows Server 2003

LSASS.EXE – System Error, security accounts manager initialization failed because of the following error: Directory Services cannot start. Error status 0xc00002e1.

I know everyone’s scenario when seeing this message is pretty varied, but I found a way to fix this within an hour, provided you have a similar setup.

In my particular case I had two servers: an SBS 2000 (oh dear, I hear you cry) and a Standard Server 2003 running SP1. The 2K3 machine was rebooted, and on reboot we were presented with the above error.

So, to fix it, try the following:

1. Reboot the 2K3 server into “Directory Services Restore Mode”, then log on to the machine locally. In my case I didn’t know the restore password (a result of taking on machines from other support companies).

- If this is the case, go onto the second server, right-click “My Computer” and select Manage. Within the new window, right-click the “Computer Management” header and click “Connect to another computer”; you can then connect to the server you can’t log into and reset the local admin password.

2. First things first: now that you’re into the server, you need to check the database files. Go to Start, Run, and type “cmd” to open a command shell, then type the following:
ntdsutil files info
You should see something similar to the below:

Drive Information:

C:\ NTFS (Fixed Drive ) free(533.3 Mb) total(4.1 Gb)

DS Path Information:

Database : C:\WINDOWS\NTDS\ntds.dit – 10.1 Mb
Backup dir : C:\WINDOWS\NTDS\dsadata.bak
Working dir: C:\WINDOWS\NTDS
Log dir : C:\WINDOWS\NTDS – 42.1 Mb total
temp.edb – 2.1 Mb
res2.log – 10.0 Mb
res1.log – 10.0 Mb
edb00001.log – 10.0 Mb
edb.log – 10.0 Mb

You need to make sure that these files exist and the directory is there before you continue.
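As an added example (not part of the original post), here is a small Python script that parses the “files info” report in the layout shown above and checks that every path it lists is actually present on disk, which is the pre-flight check this step asks for. The sample output embedded in it is constructed to match the page; the free-space rule it applies before an offline “compact to” is an assumption of mine, not something the post states.

```python
# Added example (not from the original post): parse the "ntdsutil files info"
# report and verify that every path it lists exists before continuing.
import os
import re

# Constructed sample of `ntdsutil files info` output, laid out as on the page.
SAMPLE_OUTPUT = r"""Drive Information:

C:\ NTFS (Fixed Drive ) free(533.3 Mb) total(4.1 Gb)

DS Path Information:

Database   : C:\WINDOWS\NTDS\ntds.dit - 10.1 Mb
Backup dir : C:\WINDOWS\NTDS\dsadata.bak
Working dir: C:\WINDOWS\NTDS
Log dir    : C:\WINDOWS\NTDS - 42.1 Mb total
            temp.edb - 2.1 Mb
            res2.log - 10.0 Mb
            res1.log - 10.0 Mb
            edb00001.log - 10.0 Mb
            edb.log - 10.0 Mb
"""

UNIT_MB = {"kb": 1 / 1024, "mb": 1.0, "gb": 1024.0}

# "C:\ NTFS (Fixed Drive ) free(533.3 Mb) total(4.1 Gb)"
DRIVE_RE = re.compile(
    r"^([A-Za-z]:\\)\s+(\S+)\s+\((.*?)\)\s+free\(([\d.]+)\s+(\w+)\)\s+total\(([\d.]+)\s+(\w+)\)"
)
# "Database : <path> - <size> <unit>"; the size part is optional, and the
# dash may be a plain hyphen or the en dash some copies of the output show.
PATH_RE = re.compile(
    r"^(Database|Backup dir|Working dir|Log dir)\s*:\s*(.*?)\s*"
    r"(?:[-\u2013]\s*([\d.]+)\s+(\w+)(?:\s+total)?)?\s*$"
)
# Indented "<file> - <size> <unit>" entries listed under "Log dir".
FILE_RE = re.compile(r"^(\S+)\s+[-\u2013]\s+([\d.]+)\s+(\w+)\s*$")

KEYS = {"Database": "database", "Backup dir": "backup_dir",
        "Working dir": "working_dir", "Log dir": "log_dir"}


def to_mb(value, unit):
    """Convert a size printed as '<number> <unit>' to megabytes."""
    return float(value) * UNIT_MB[unit.lower()]


def parse_files_info(text):
    """Parse the drive table and the DS Path Information block into a dict."""
    info = {"drives": {}, "log_files": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DRIVE_RE.match(line)
        if m:
            drive, fs, _kind, free, free_u, total, total_u = m.groups()
            info["drives"][drive] = {"fs": fs,
                                     "free_mb": to_mb(free, free_u),
                                     "total_mb": to_mb(total, total_u)}
            continue
        m = PATH_RE.match(line)
        if m:
            label, path, size, unit = m.groups()
            key = KEYS[label]
            info[key] = path
            if size:  # only Database and Log dir report a size
                info[key + "_mb"] = to_mb(size, unit)
            continue
        m = FILE_RE.match(line)
        if m and ":" not in line:  # the file entries carry no drive letter
            name, size, unit = m.groups()
            info["log_files"].append((name, to_mb(size, unit)))
    return info


def win_join(directory, name):
    """Join a Windows directory and file name without depending on the host's os.path."""
    return directory.rstrip("\\") + "\\" + name


def expected_paths(info):
    """Every path the report says should exist: the four locations plus each log-dir file."""
    paths = [info["database"], info["backup_dir"], info["working_dir"], info["log_dir"]]
    paths += [win_join(info["log_dir"], name) for name, _ in info["log_files"]]
    return paths


def missing_paths(info, exists=os.path.exists):
    """Return the listed paths that are not present; `exists` is injectable for testing."""
    return [p for p in expected_paths(info) if not exists(p)]


def compact_target_has_room(info, drive):
    """Assumption (not from the post): 'compact to' writes a complete new copy of
    ntds.dit, so the target drive should have at least the database's size free."""
    return info["drives"][drive]["free_mb"] >= info["database_mb"]


if __name__ == "__main__":
    report = parse_files_info(SAMPLE_OUTPUT)
    for path in missing_paths(report):
        print("MISSING:", path)
    print("room for compact on C:\\ :", compact_target_has_room(report, "C:\\"))
```

On the affected server you would paste the real report into the script (or pipe it in) in place of the constructed sample; run anywhere else, every path is reported missing, which is the expected result on a machine without the NTDS folder.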

3. You can now do an integrity check by typing the following:
ntdsutil files integrity
If you get an error here then continue; otherwise try a reboot and it should fix the issue.

4. The next check is a semantic check; do this using the following command:
ntdsutil “sem d a” go
If this fails, however, try the following:
ntdsutil “sem d a” “go f”

5. Try a defragment:
5a – Type ntdsutil
5b – Type compact to “c:\TMP”
If defragmentation succeeds without errors, follow the Ntdsutil.exe on-screen instructions. Delete all the log files in the log directory by typing the following command (substitute the log directory you noted in step 2, e.g. C:\WINDOWS\NTDS):
del C:\pathToLogFiles\*.log
Copy the new Ntds.dit file over the old Ntds.dit file in the current Active Directory database path that you noted in step 2.

Note: you do not have to delete the Edb.chk file.
Restart the computer normally.

I personally still had issues at this point, with the server refusing to access these files and reporting JET errors. So from that point I had to do the following:

6. Modify the following Registry key entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions

In the right-pane, double-click ProductType. Type ServerNT in the Value data box, and then click OK.
This will make the server a member server; reboot and log on locally to continue.

7. Once booted, simply run dcpromo from the command line and create a fresh test domain (I used testdomain.deleteme). Once this process is complete, reboot again.

8. You now have a domain controller again; simply run dcpromo again to remove AD services from this new DC, and once again reboot.

9. Finally, if this applies, use ADSI Edit on the other server to remove the old domain controller from Active Directory, then run dcpromo to join the server back to the existing domain.

Doing it this way, I lost no data and all security permissions were retained within the folder structure. My method was constructed using a variety of the links below and other sources; it may or may not apply to your circumstances, but if not, your answer will be in there somewhere.

Additional Links:
KB 258062 – NTDS Util Checks

KB 232122 – Performing Offline Defragment

KB 332199 – Force Demoting a Domain Controller

KB 332199 – How to remove data in Active Directory after an unsuccessful domain controller demotion
