Best approach with dealing with a DC with LSASS error

  • Best approach with dealing with a DC with LSASS error

    Hi...I need some advice on how to deal with a domain controller that appeared with an error message.

    The error message:

    lsass.exe - System Error : Security Accounts Manager initialization failed because of the following error: Directory Service cannot start. Error Status: 0xc00002e1. Please click OK to shutdown this system and reboot into Directory Services Restore Mode, check the event log for more detailed information.

    Basic Info

    The server is basically a brand new HP ML350 G5, running 4 GB RAM on a single Quad-core CPU. Drive layout has a RAID 1 for the OS (C: drive) and the RAID 5 for the remaining drives that hold the AD (D: Drive). Free space is about 500 GB for the AD partition.

    This is a Windows 2003 SP2 R2 (x86) OS, with MS patches through January. This server is a GC and DNS box. It held a couple of additional roles, but they have been migrated to other hardware. In addition, there are additional healthy domain controllers within the domain and none has experienced this issue.

    Since this DC was on the other side of the country and in a small office, user authentication, DNS, etc. was handled by the corporate office. I had the office manager shut down the DC until I could get onsite.

    Now, I'm onsite. The server has been down for just over a month, however, less than the 60 day tombstone lifetime.

    I was able to log in to DSRM. I ran through most of the items in KB 258062.

    In short:

    1) the permissions are correct
    2) I attempted to run "Ntdsutil files integrity", but it errored out with the message, "Could not initialize the Jet Engine: Jet error -501 Failed"
    3) I also tried "ntdsutil sem d a" and it also failed with the same error.
    4) I also attempted an offline defragmentation, but that resulted in an error.
    5) I'm considering a dcpromo /forceremoval and rebuilding the server from scratch.

    There isn't a backup for the server (not that I was considering using it anyhow) and will not consider a lossy repair (no point).

    The server has been disconnected from the network while I was attempting to diagnose the cause of the original issue (still a work in progress).

    This is my first dealing with a failed DC (bound to happen).

    I'm looking for suggestions on the best course of action.

    Thanks for reading.

  • #2
    Re: Best approach with dealing with a DC with LSASS error

    As you don't have a system state backup, and since it doesn't seem to be very time critical, I would indeed try to force a demote, clean the metadata properly, and re-promote it.

    Should be quick and easy unless that site is connected by a slow line and your domain is huge, in which case you might want to bring the data over from another DC.
    VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah
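
The sequence suggested in the reply above (forced demotion, metadata cleanup, re-promotion), written out as an added example that is not part of the original thread. `HEALTHY-DC` and the index numbers after each `select` are placeholders: take each number from the `list` output printed just before it.

```bat
rem 1. On the failed DC: remove the DC role locally, without contacting the domain.
rem    The machine ends up as a standalone server; its objects remain in AD.
dcpromo /forceremoval

rem 2. On a healthy DC: delete the failed DC's leftover server object.
rem    ntdsutil is interactive; each indented line is typed at its prompt.
ntdsutil
  metadata cleanup
  connections
  connect to server HEALTHY-DC
  quit
  select operation target
  list domains
  select domain 0
  list sites
  select site 0
  list servers in site
  select server 0
  quit
  remove selected server
  quit
  quit

rem 3. On the rebuilt server, once it is back on the network: promote it again.
dcpromo

rem    Alternative for a slow link and a large directory: promote from a
rem    restored system state backup taken on another DC instead of
rem    replicating the whole database over the wire.
dcpromo /adv
```

Before step 3, confirm the old server no longer appears in the `list servers in site` output and that its stale DNS records are gone, so the re-promoted DC does not collide with the old identity.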