SP2 hotfixes recommended before making schema changes in Active Directory forests (303077)
The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server

This article was previously published under Q303077

SUMMARY

This article describes a rare situation that can make a Windows 2000-based domain controller non-functional after schema changes are made.

Even though this situation is rare, Microsoft recommends that administrators follow the steps in the "Preventing Data Deletion in Active Directory" section of this article on all Windows 2000 domain controllers before they add schema extensions to an Active Directory forest.

Programs that can add schema extensions to Active Directory include:
  • Microsoft Exchange 2000 Server
  • Microsoft Internet Security and Acceleration (ISA) Server 2000 Enterprise Edition
  • Microsoft Mobile Information 2001 Server
  • Third-party products, such as SAP and PeopleSoft

MORE INFORMATION

The situation that is discussed in this article is encountered when Windows 2000-based domain controllers replicate many schema changes (anywhere from hundreds to thousands) while they concurrently reload the schema cache. During this period, critical data may be deleted from the Active Directory database (Ntds.dit), which can make the domain controller unable to function. This situation occurs only when strict timing conditions and the size of the schema extension coincide, which is why it behaves like an intermittent bug. If the domain controller can be restarted and is functional in Active Directory mode after the replication of schema changes, the domain controller functions properly and is unaffected by the data deletion. In this situation, you can apply the recommendations from the "Preventing Data Deletion in Active Directory" section of this article to these domain controllers.

If a domain controller encounters data deletion from Active Directory, the domain controller logs a unique set of events and becomes non-functional. When you restart the computer, Active Directory cannot load and logs a second set of unique events. Each of these scenarios is discussed in detail in this article.

Events Are Logged When the Data Is Deleted

Domain controllers that have deleted the data from Active Directory as a result of the situation that is described in the Summary section of this article, but that have not yet been restarted, can experience the following symptoms and events:
  • The Windows 2000 domain controller does not process the service requests for network authentication.
  • Inbound and outbound replication of all Active Directory naming contexts is stopped.
  • Critical Active Directory services, such as Intersite Messaging, Kerberos Key Distribution Center, and NetLogon, seem to be running, but none of the Windows 2000 administration tools start. This behavior includes the Active Directory Users and Computers (Dsa.msc) and Sites and Services (Dssites.msc) snap-ins.
  • An Event ID 1185 with the following attributes is logged in the Directory Service event log:
    Event Type: Information
    Event Source: NTDS General
    Event Category: Internal Processing
    Event ID: 1185
    Date: MM/DD/YY
    Time: HH:MM:SS A.M./P.M.
    User: Everyone
    Computer: Dcname
    Description: Deleted unneeded index ? (Internal ID XXXXX). For more information, see Help and Support Center at http://support.microsoft.com.
    The log activity may cause events of interest to "scroll" out of the event log. Restart the domain controllers if you suspect that data deletion has occurred.

  • If you suspect that data deletion has occurred on any Windows 2000 domain controller, proceed to the "Recovering from Deleted Data" section of this article.

Events Logged During Restart as a Result of Data Deletion

Domain controllers that have deleted critical data from Active Directory as a result of this bug can fail to boot into Active Directory, and log a unique set of events in the process:
Event Type: Information
Event Source: Program Popup
Event Category: None
Event ID: 26
Date: MM/DD/YYYY
Time: HH:MM:SS A.M./P.M.
User: N/A
Computer: Computername
Description: Program popup: lsass.exe - System Error : Security Accounts Manager initialization failed because of the following error: Directory Service cannot start. Error Status: 0xc00002e1. Please click OK to shutdown this system and reboot into Directory Services Restore Mode, check the event log for more detailed information.

For more information, see Help and Support Center at http://support.microsoft.com.
NOTE: The Event ID 26 and 0xc00002e1 exception is a generic error that is logged whenever a Windows 2000 domain controller cannot boot in Active Directory mode or cannot access the Ntds.dit or log files.

Event Type: Error
Event Source: NTDS General
Event Category: Internal Processing
Event ID: 1168
Date: MM:DD:YY
Time: HH:MM:SS A.M./P.M.
User: Everyone
Computer: Computer name
Description: Error 131174(XXXXX) has occurred (Internal ID 31c08a1). Please contact Microsoft Product Support Services for assistance.

Event Type: Error
Event Source: NTDS Database
Event Category: Internal Processing
Event ID: 1168
Date: MM:DD:YY
Time: HH:MM:SS A.M./P.M.
User: N/A
Computer: Computer name
Description: Error -1507(fffffa1d) has occurred (Internal ID 202022d). Please contact Microsoft Product Support Services for assistance.

Event Type: Error
Event Source: NTDS General
Event Category: Internal Processing
Event ID: 1168
Date: MM:DD:YY
Time: HH:MM:SS A.M./P.M.
User: Everyone
Computer: Computer name
Description: Deleted unneeded index ? (Internal ID XXXX).

NOTE: The "XXXX" string in the first event ID 1168 message refers to column identifiers that are missing from the Active Directory database.

The "-1507" string in the second event ID 1168 message is a jet database error that indicates that the Active Directory database is missing one or more columns.

If you suspect that data deletion has occurred on any Windows 2000 domain controller, proceed immediately to the "Recovering from Deleted Data" section of this article.
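The two event patterns described above (the Event ID 1185 flood on a running domain controller, and the Event ID 26 / 1168 set after a restart) can be matched mechanically against exported Directory Service and System event records. The following Python is an added example, not part of the original article; the sample records are constructed to follow the templates above, and the Internal ID values in them are made up.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    source: str
    event_id: int
    description: str

# Constructed sample records modelled on the event templates in this article;
# they are not exports from a real domain controller.
SAMPLE_EVENTS = [
    Event("NTDS General", 1185, "Deleted unneeded index ? (Internal ID 12345)."),
    Event("NTDS General", 1185, "Deleted unneeded index ? (Internal ID 12346)."),
    Event("Program Popup", 26, "Program popup: lsass.exe - System Error : "
          "Directory Service cannot start. Error Status: 0xc00002e1."),
    Event("NTDS General", 1168, "Error 131174(12345) has occurred (Internal ID 31c08a1)."),
    Event("NTDS Database", 1168, "Error -1507(fffffa1d) has occurred (Internal ID 202022d)."),
    Event("NTDS General", 1394, "Unrelated informational event."),
]

# Signatures from the article: (event id, source, pattern over the description).
SIGNATURES = {
    "index_deleted": (1185, "NTDS General", re.compile(r"Deleted unneeded index")),
    "column_ids_missing": (1168, "NTDS General", re.compile(r"Error 131174\(")),
    "jet_missing_column": (1168, "NTDS Database", re.compile(r"Error -1507\(")),
    # 0xc00002e1 is generic (any failure to load Ntds.dit), so it only corroborates.
    "ds_cant_start": (26, "Program Popup", re.compile(r"0xc00002e1", re.IGNORECASE)),
}

def classify(events):
    """Count how many events match each signature."""
    hits = {name: 0 for name in SIGNATURES}
    for ev in events:
        for name, (eid, source, pattern) in SIGNATURES.items():
            if ev.event_id == eid and ev.source == source and pattern.search(ev.description):
                hits[name] += 1
    return hits

def verdict(hits):
    """Map signature counts onto the two scenarios the article describes."""
    if hits["jet_missing_column"] or hits["column_ids_missing"]:
        return "restart-failed"   # database is missing columns; engage Product Support
    if hits["index_deleted"]:
        return "suspect-running"  # 1185 flood on a running DC: restart and re-check
    return "clean"
```

Because a burst of Event ID 1185 entries can push earlier events out of the log, run the classifier over the full exported log rather than the most recent screen of entries.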

Recovering from Deleted Data

If the Directory Service and System event logs on a running or restarted domain controller indicate that objects have been deleted from an Active Directory database on one or more domain controllers, contact Microsoft Product Support for additional information, at the following Microsoft Web site:

Preventing Data Deletion in Active Directory

Individual Windows 2000 domain controllers are not susceptible to the timing-sensitive deletion of Active Directory objects if one of the following conditions is true before schema changes are introduced to the forest (or, for a given domain controller, before data deletion affects it):
  1. A WINSE 11972 hotfix is installed. (The Ntdsa.dll file is dated September 18, 2000.)
  2. A hotfix that contains an updated Ntdsa.dll file that is derived from the WINSE 11972 fix is installed. (The Ntdsa.dll file is dated after September 18, 2000.)
  3. Windows 2000 Service Pack 2 (SP2) is installed.
Domain controllers, and implicitly the forest, are protected when every domain controller meets one of the preceding three conditions.

Because the first and second conditions already protect Windows 2000 domain controllers from column deletion, immediate deployment of Windows 2000 SP2 is not strictly required to avoid this bug on servers that already contain one of those hotfixes. However, Windows 2000 SP2 contains this and other significant fixes that improve the reliability of Windows 2000 domain controllers.

Microsoft recommends that customers install Windows 2000 SP2 and the WINSE 18593 hotfix on all Windows 2000 domain controllers as soon as possible. For more information about the WINSE 18593 hotfix, click the article number below to view the article in the Microsoft Knowledge Base:

299687 Function Exposed by Using LDAP over SSL Could Enable Passwords to Be Changed

NOTE: The WINSE 18593 hotfix is tested and supported on installations of Windows 2000 that run Service Pack 1 (SP1) or SP2.

Regardless of which option you choose, install the fix on properly functioning domain controllers in the following order of priority:
  • A single domain controller in each domain in the forest. Begin with the forest root.
  • All remaining domain controllers in the root domain of the forest.
  • All remaining domain controllers in the forest.
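The three protection conditions and the three-tier rollout priority above can be applied to a domain controller inventory to produce a concrete update order. The following Python is an added example, not part of the original article; the inventory, domain names and file dates are constructed, and contoso.com is assumed to be the forest root.

```python
from dataclasses import dataclass
from datetime import date

# The Ntdsa.dll shipped by the WINSE 11972 hotfix is dated September 18, 2000.
WINSE_11972_NTDSA_DATE = date(2000, 9, 18)

@dataclass(frozen=True)
class DomainController:
    name: str
    domain: str
    ntdsa_dll_date: date   # file date of the installed Ntdsa.dll
    service_pack: int      # 0 = no service pack installed

def is_protected(dc):
    """True when the DC meets one of the article's three conditions: SP2, the
    WINSE 11972 Ntdsa.dll, or a later Ntdsa.dll derived from that fix."""
    return dc.service_pack >= 2 or dc.ntdsa_dll_date >= WINSE_11972_NTDSA_DATE

def rollout_order(dcs, forest_root):
    """Order the DCs that still need the fix by the article's priority: one DC
    per domain (forest root first), then the rest of the root domain, then all
    remaining DCs. Order within a tier follows the inventory order."""
    pending = [dc for dc in dcs if not is_protected(dc)]
    first_per_domain = {}
    for dc in pending:
        first_per_domain.setdefault(dc.domain, dc)
    tier1 = sorted(first_per_domain.values(),
                   key=lambda dc: (dc.domain != forest_root, dc.domain))
    chosen = {dc.name for dc in tier1}
    tier2 = [dc for dc in pending if dc.domain == forest_root and dc.name not in chosen]
    tier3 = [dc for dc in pending if dc.domain != forest_root and dc.name not in chosen]
    return [dc.name for dc in tier1 + tier2 + tier3]

# Constructed inventory; contoso.com is assumed to be the forest root domain.
INVENTORY = [
    DomainController("DC-EU1", "eu.contoso.com", date(2000, 7, 1), 1),
    DomainController("DC-ROOT1", "contoso.com", date(2000, 7, 1), 1),
    DomainController("DC-ROOT2", "contoso.com", date(2000, 11, 2), 1),  # later Ntdsa.dll
    DomainController("DC-ROOT3", "contoso.com", date(2000, 7, 1), 1),
    DomainController("DC-EU2", "eu.contoso.com", date(2000, 7, 1), 2),  # SP2
    DomainController("DC-AP1", "ap.contoso.com", date(2000, 7, 1), 1),
    DomainController("DC-AP2", "ap.contoso.com", date(2000, 7, 1), 1),
]
```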
Even though the hotfixes and Service Packs that are discussed in this article can prevent the data deletion problem from occurring, they do not repair domain controllers that have already been affected. Recent system-state backups from at least one properly functioning domain controller in every domain in the forest can therefore be critical to recovery.

The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Modification Type: Major
Last Reviewed: 9/22/2006
Keywords: kbenv kbinfo KB303077