Friday, September 5, 2014

SBS 2003 Active Directory Restore

I was tasked a few months ago to P2V a few Windows servers that were part of a small domain for a small doctor's practice.  That practice had merged with the hospital I work for a few years back, and they kept their old physical servers with their domain and EMR system on them to access the EMR for historical patient records.

Well... needless to say, the hardware started approaching 8 years of age and failing on one of the servers.  We wanted to virtualize them into our VMware infrastructure in our secure datacenters.  Now I have done a lot of P2Vs of servers in my day as VMware became the standard and old systems needed to be kept around, or otherwise simplified.  I have NEVER had a P2V corrupt Active Directory in a domain controller.

I proceeded to take an image of all three servers using an older version of Acronis True Image that I had hanging around.  The servers were a terminal server, the EMR server and the SBS 2003 server.  All are part of a domain that is controlled by the SBS 2003 server.  The users in this practice on the Hospital LAN access the terminal server which is where we installed their EMR application.  They are authenticating to that terminal server via the SBS 2003 server.  Needless to say, I took hot images of all three servers and everything went fine.  Even the P2V of the servers using VMware's converter tool worked like a champ.  The terminal server booted fine, and the EMR server booted fine.  However, the SBS 2003 server booted with the following:

"security accounts manager initialization failed directory service cannot start"

I was a little worried at this point.  I tried numerous things that are pretty typical.  Booted into safe mode... same error.  I did a quick Google search and everything came back in the results as a corrupted Active Directory.  I was sitting OK however, because the old physical servers were still running.  But they were ticking time bombs.

I thought: "Perhaps I should take a cold image (boot to a disc so Windows is not running) and take an image that way so the AD database is not changing like it can during a hot image."  I started this process only to have the power go out on us 2 hours into the 4 hour process.  So I put on my big boy boots and started to go down the road of restoring AD without a backup.

I spent several hours poring through Microsoft documentation, TechNet articles and forums to get the help I needed.  I came up with a mixture of a few solutions.  Here are the steps that ended up working for me, because I was getting errors in Active Directory restore mode pertaining to the Jet Database.

  1. Restart the server and press F8 key, select Directory Services restore mode.
  2. Log in with the local administrator username and password
  3. Type: cd \windows\system32
  4. Type: NTDSUTIL
  5. Type: files
  6. If you encounter an error stating that the Jet engine could not be initialized, exit out of ntdsutil.
  7. Type: cd\
  8. Type: md backupad
  9. Type: cd \windows\ntds
  10. Type: copy ntds.dit c:\backupad
  11. Type: cd \windows\system32
  12. Type: esentutl /g c:\windows\ntds\ntds.dit
  13. This will perform an integrity check (the results indicate that the Jet database is corrupt)
  14. Type: esentutl /p   c:\windows\ntds\ntds.dit
  15. Agree with the prompt
  16. Type: cd \windows\ntds
  17. Type: move *.log c:\backupad   (or just delete the log files)
This should complete the repair.  To verify that the repair has worked successfully:
  1. Type: cd \windows\system32
  2. Type: ntdsutil
  3. Type: files   (you should no longer get an error when you do this)
  4. Type: info   (file info should now appear correctly)
One final step, not sure if it’s required:
From the NTDSUTIL command prompt:
  1. Type: Semantic Database Analysis
  2. Type: Go
There you go!  Hopefully nobody has to use this article as Server 2003 is almost at End of Life, but I know that there will be instances where some legacy applications will keep Windows 2003 in datacenters for many more years.
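
The repair steps above, consolidated into a batch file as an added example (not part of the original post). It uses the post's paths (c:\windows\ntds and c:\backupad), must be run from Directory Services Restore Mode, and assumes esentutl returns a non-zero exit code when a check or repair fails.

```batch
@echo off
rem Added example, not from the original post.
rem Run from Directory Services Restore Mode as the local administrator.
setlocal
set NTDS=c:\windows\ntds
set BACKUP=c:\backupad

if not exist "%NTDS%\ntds.dit" (
    echo ntds.dit not found in %NTDS%
    exit /b 1
)

rem Steps 7-10: keep an untouched copy before anything modifies the database.
if not exist "%BACKUP%" md "%BACKUP%"
if exist "%BACKUP%\ntds.dit" (
    echo A copy of ntds.dit already exists in %BACKUP%, refusing to overwrite it.
    exit /b 1
)
copy /b "%NTDS%\ntds.dit" "%BACKUP%\" >nul
if %errorlevel% neq 0 (
    echo Backup copy failed, stopping before any repair.
    exit /b 1
)

rem Step 12: integrity check.
rem Assumption: esentutl exits with a non-zero code when the check fails.
esentutl /g "%NTDS%\ntds.dit"
if %errorlevel% equ 0 (
    echo Integrity check passed, no repair needed.
    exit /b 0
)

rem Steps 14-15: repair. Agree with the prompt when it appears.
esentutl /p "%NTDS%\ntds.dit"
if %errorlevel% neq 0 (
    echo Repair failed. The original database is preserved in %BACKUP%.
    exit /b 1
)

rem Step 17: move the old transaction logs aside instead of deleting them.
move "%NTDS%\*.log" "%BACKUP%\" >nul

rem Re-run the integrity check before rebooting out of restore mode.
esentutl /g "%NTDS%\ntds.dit"
if %errorlevel% neq 0 (
    echo Database still fails the integrity check.
    exit /b 1
)
echo Repair complete. Verify with ntdsutil: files, then info.
```

The copy in c:\backupad is a full copy of the directory database, account password hashes included, so restrict access to that folder and remove it once the domain controller is confirmed healthy.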
