Corrupt OU in Active Directory


We've taken on a site with a 2008 R2 server that appears to have a corrupt OU in AD, and I'm looking for advice on how to remove the OU.

When attempting to open the OU in ADUC, an error message is displayed stating "Data from Users is not available from Domain Controller xxx because: An operations error occurred." (The corrupt OU is named "Users".)

Attempting to open the OU in ADSI Edit, an error message is displayed stating "Operation failed. Error code: 0x80072020 An operations error occurred."

Attempting to delete the OU in ADSI Edit displays the error message: "Operation failed. Error code: 0x20ef The directory service encountered an unknown failure. 000020EF: SvcErr: DSID-02080F91, problem 5012 (DIR_ERROR), data -1017"

Also on the server, when attempting to open GPMC, a message is displayed stating "The system cannot open the device or file specified.", and this is repeated when attempting to view a GPO. In the Settings tab every GPO displays "An error occurred while generating report: An operations error occurred."
GP settings can be viewed in the GP editor.

Everything else appears to be working OK; there are no warning or critical events in the System or Application event logs.

This is the only DC in the domain, and there are no backups being taken, so a fix by restore is not possible.

The Directory Service log has repeated 2008 and 1262 events, shown below:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          26/03/2013 14:38:36
Event ID:      1262
Task Category: Internal Processing
Level:         Error
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      srv-01.cxxx.local
Description:
The security descriptor propagation task could not process the propagation event starting at the following container.
 
Container:
ou=users,ou=_cxx xxx,dc=cxxxx,dc=local
 
As a result, the security descriptor propagation task will either suspend processing for thirty minutes or wait until the security descriptor has changed on an object.
 
User Action
Check the security descriptor on the container.
 
Additional Data
Error value:
fffffc07 []
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="49152">1262</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>9</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2013-03-26T14:38:36.489263200Z" />
    <EventRecordID>9392</EventRecordID>
    <Correlation />
    <Execution ProcessID="644" ThreadID="856" />
    <Channel>Directory Service</Channel>
    <Computer>srv-01.cxxx.local</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>fffffc07</Data>
    <Data>ou=users,ou=_cxx xxx,dc=cxxx,dc=local</Data>
    <Data>[]</Data>
  </EventData>
</Event>

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          26/03/2013 14:38:36
Event ID:      2008
Task Category: Internal Processing
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      srv-01.cxxx.local
Description:
Internal error: The security descriptor propagation task encountered an error while processing the following object. The propagation of security descriptors may not be possible until the problem is corrected.
 
Object:
(n/a)
 
Additional Data
Error value:
-1017 JET_errRecordDeleted, The record has been deleted
Internal ID:
20801d4
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="49152">2008</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>9</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2013-03-26T14:38:36.426863100Z" />
    <EventRecordID>9391</EventRecordID>
    <Correlation />
    <Execution ProcessID="644" ThreadID="856" />
    <Channel>Directory Service</Channel>
    <Computer>srv-01.cxxx.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>-1017</Data>
    <Data>JET_errRecordDeleted, The record has been deleted</Data>
    <Data>20801d4</Data>
    <Data>(n/a)</Data>
  </EventData>
</Event>
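As an added example (not code from the original post), the following PowerShell pulls the 1262 and 2008 events from the Directory Service log and decodes the error value they carry, so the affected container and the underlying JET error can be read off in one table. Note that 0xFFFFFC07, the value in event 1262, is simply the unsigned 32-bit form of -1017, the JET_errRecordDeleted code that event 2008 spells out. It assumes an elevated prompt on the DC (or on a machine with remote event log access); the DC name in the post is srv-01, but the default is the local machine.

```powershell
# Added example, not code from the original post. Run from an elevated PowerShell prompt
# on the affected DC, or pass -ComputerName to read the log remotely.

# JET/ESE error codes seen on this page; -1017 is what both events report.
$JetErrors = @{ (-1017) = 'JET_errRecordDeleted, the record has been deleted' }

function ConvertFrom-NtdsErrorValue {
    # Event 1262 logs the error as unsigned hex (fffffc07); event 2008 logs the same error
    # as signed decimal (-1017). Normalise both to a signed Int32 so they compare equal.
    param([Parameter(Mandatory=$true)][string]$Value)
    $text = $Value.Trim()
    if ($text -match '^-?\d+$') { return [int]$text }
    $unsigned = [Convert]::ToUInt32($text, 16)
    return [BitConverter]::ToInt32([BitConverter]::GetBytes($unsigned), 0)
}

function Get-SdPropFailure {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 50)
    $filter = @{
        LogName      = 'Directory Service'
        ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'
        Id           = 1262, 2008
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @($xml.Event.EventData.Data)   # positional <Data> nodes, same order as in the XML above
        switch ($e.Id) {
            1262 {
                # Data[0] = error value (hex), Data[1] = container DN, Data[2] = extra info
                $code = ConvertFrom-NtdsErrorValue $data[0]
                New-Object PSObject -Property @{
                    Time = $e.TimeCreated; Id = 1262; Object = $data[1]; Error = $code
                    Meaning = $(if ($JetErrors.ContainsKey($code)) { $JetErrors[$code] } else { 'unknown' })
                }
            }
            2008 {
                # Data[0] = error value (decimal), Data[1] = error text, Data[2] = internal ID, Data[3] = object
                $code = ConvertFrom-NtdsErrorValue $data[0]
                New-Object PSObject -Property @{
                    Time = $e.TimeCreated; Id = 2008; Object = $data[3]; Error = $code; Meaning = $data[1]
                }
            }
        }
    }
}

Get-SdPropFailure | Sort-Object Time | Format-Table Time, Id, Error, Meaning, Object -AutoSize
```

Against the two events quoted above this prints one 1262 row naming ou=users,ou=_cxx xxx,... with Error -1017 and one 2008 row with Object (n/a) and the same Error, which is the quickest way to confirm that every SDPROP failure is stuck on the same container before going into Directory Services Restore Mode.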

Hi - I see 2 possible issues (the most common I've seen related to this):

  • The object (the "Users" organizational unit) or 1 or more child objects has been deleted from the database but still appears in the index - an offline defragmentation of the database can solve this.

  • The object (the "Users" organizational unit) has 1 or more child objects missing mandatory information in the columns 'obj_col' or 'del_time' - a semantic database analysis can solve this.

  • The object (the "Users" organizational unit) or 1 or more child objects is missing a security descriptor - the single instance storage ID, or the reference ID, has been deleted from 'sd_table' - a semantic database analysis can solve this.

I suggest you first perform an offline defragmentation of the database, and then run a semantic database analysis with the 'go fixup' switch:

To perform an offline defragmentation of the database, please follow the link below; you will have to restart the domain controller in Directory Services Restore Mode:
http://technet.microsoft.com/en-us/library/cc794920(ws.10).aspx

To perform the semantic database analysis fixup, you will have to restart the domain controller in Directory Services Restore Mode:
  1. In Directory Services Restore Mode, open a command prompt.

  2. Type the following command and press Enter:

    ntdsutil

  3. At the ntdsutil: prompt, type act inst ntds and press Enter.

  4. At the ntdsutil: prompt, type semantic database analysis and press Enter.

  5. At the semantic checker: prompt, type verbose on and press Enter.

  6. At the semantic checker: prompt, type go fixup and press Enter.

If that doesn't help, and if you want, I can troubleshoot it offline, but that would require access to the 'ntds.dit' file; I understand if that's not possible as it may contain confidential information - secrets and passwords can be filtered out by performing an RODC IFM copy: http://technet.microsoft.com/en-us/library/cc816574(v=ws.10).aspx


Enfo Zipper
Christoffer Andersson – Principal Advisor
http://blogs.chrisse.se - Directory Services Blog
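The two procedures in the answer above (offline defragmentation, then semantic database analysis with go fixup), as an added PowerShell example that is not the answerer's own script. It is meant to be run from an elevated prompt after rebooting the DC into Directory Services Restore Mode, and because the poster has no backups it first copies the live ntds.dit and transaction logs aside. The working folder C:\NTDS-Repair is an assumption; pick a local volume with enough free space for a second copy of the database, and avoid a path with spaces since it is handed to ntdsutil's "compact to" command verbatim.

```powershell
# Added example, not from the original answer. Run elevated in Directory Services Restore Mode.
# Assumed working folder (no spaces in the path: it is passed straight to ntdsutil "compact to").
$WorkDir = 'C:\NTDS-Repair'

function Get-NtdsPath {
    # AD DS records the live database and log locations under the NTDS service parameters key.
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    New-Object PSObject -Property @{
        Database = $p.'DSA Database file'        # e.g. C:\Windows\NTDS\ntds.dit
        LogDir   = $p.'Database log files path'  # e.g. C:\Windows\NTDS
    }
}

function Assert-DirectoryOffline {
    # Both procedures need exclusive access to ntds.dit; in DSRM the NTDS service is not running.
    if ((Get-Service NTDS).Status -ne 'Stopped') {
        throw 'AD DS is running. Reboot into Directory Services Restore Mode first.'
    }
}

function Invoke-Ntdsutil {
    # ntdsutil takes its interactive commands as arguments, one command per argument with
    # multi-word commands quoted. All output is appended to a log for review afterwards.
    param([Parameter(Mandatory=$true)][string[]]$Commands)
    $output = & ntdsutil.exe @Commands 2>&1
    $output | Add-Content -Path (Join-Path $WorkDir 'ntdsutil.log')
    $output
}

function Backup-NtdsFiles {
    # No backups exist in the poster's scenario: copy the database, logs and checkpoint first.
    $paths = Get-NtdsPath
    $dest  = Join-Path $WorkDir ('backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item $paths.Database $dest
    Copy-Item (Join-Path $paths.LogDir '*.log') $dest -ErrorAction SilentlyContinue
    Copy-Item (Join-Path $paths.LogDir '*.chk') $dest -ErrorAction SilentlyContinue
    $dest
}

function Invoke-OfflineDefrag {
    # Step 1 of the answer: compact into a new file, verify it exists, swap it over the live
    # database, delete the old transaction logs, then run an integrity check on the result.
    $paths   = Get-NtdsPath
    $compact = Join-Path $WorkDir 'compact'
    New-Item -ItemType Directory -Path $compact -Force | Out-Null
    Invoke-Ntdsutil 'activate instance ntds', 'files', "compact to $compact", 'quit', 'quit'
    $newDit = Join-Path $compact 'ntds.dit'
    if (-not (Test-Path $newDit)) {
        throw 'Compaction produced no ntds.dit; the live database was left untouched. Check ntdsutil.log.'
    }
    Copy-Item $newDit $paths.Database -Force
    Remove-Item (Join-Path $paths.LogDir '*.log') -Force
    Invoke-Ntdsutil 'activate instance ntds', 'files', 'integrity', 'quit', 'quit'
}

function Invoke-SemanticFixup {
    # Step 2 of the answer: semantic database analysis with "go fixup" (this modifies the database).
    Invoke-Ntdsutil 'activate instance ntds', 'semantic database analysis', 'verbose on', 'go fixup', 'quit', 'quit'
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Assert-DirectoryOffline
$backup = Backup-NtdsFiles
Write-Host "Pre-repair copy of the database and logs saved to $backup"
Invoke-OfflineDefrag
Invoke-SemanticFixup
```

Read ntdsutil.log after each stage rather than trusting the script's return: ntdsutil reports problems in its text output, and the integrity check after the swap is what tells you the compacted copy is sound before the semantic checker is allowed to rewrite records. Keep the pre-repair copy until the DC has been rebooted normally and the OU can be opened and deleted again.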





