When you have a server problem, you want answers—fast. A reader named Dave sent the following email message to me, and I asked two of our AD and Windows Server 2003 experts to help him. Turns out, he'd already emailed them for help as well. I thought you might be interested in seeing what they suggested he do. Of course, our Forums are also a great place for finding help with problems. We employ Forum Pros, experts in their fields, specifically to answer your questions there. To check out all of our Forums, click the link on our home page or go to http://forums.windowsitpro.com
We have 2 servers on our network. One is a Windows 2003 Server, which is the primary domain controller. The other is a Windows 2000 Server, which is the “other,” or secondary, domain controller. The Windows 2003 server pretty much handles everything, like DNS, DHCP, etc. The Windows 2000 server is our old server that we just left to be used as the Print Server. Anyway, the thing that happened yesterday was the Windows 2000 server had to be rebooted. Then, while it was starting up, I got a dialog box with the following error message:
“lsass.exe-System Error: Security Accounts Manager initialization failed because of the following error: Directory Service cannot start. Error Status: 0xc00002e1. Please click OK to shutdown this system and reboot into Directory Services Restore Mode, check the event log for more detailed information.”
Once you click OK, the server reboots again. I cannot even get to a login prompt. I even tried to start in Safe Mode but got to the same point. Now, there is another startup option when you hit F8 that you can go into. It is called Directory Services Restore Mode. This is a Safe Mode type of thing, but you can use it to troubleshoot your problem. Directory Services Restore Mode (DSRM) is a special boot mode. It is used to log on to the computer when Active Directory has failed or needs to be restored. I clicked this and actually got to a login prompt. The problem is you need a password, and I don’t have it.
The Directory Services Restore Mode password is different from the (domain) local administrator's password and is used to log on to a Windows Server domain controller in an offline state (Directory Services Restore Mode or Safe Mode).
I think somehow the Active Directory database (Ntds.dit) on this machine got corrupted, or something happened with replication from the other server, but if I can’t even get into that Restore Mode, I cannot even look at it. I tried booting from the Windows 2000 Server disc, but it won’t boot, or even run through it. I created Windows 2000 Server boot floppies, but I keep getting the same error. I can’t even get to a command prompt to try anything. What should I do next? Any suggestions? What is causing this problem, and how do I fix it? I don’t want to take down the network. Thanks very much for your help.
Directory Services Restore Mode is for when you need to restore elements of Active Directory or the entire database, which is what it’s saying it wants you to do. The password it wants is the Directory Services Restore Mode password, which you set when you ran dcpromo to make it a domain controller.
If you can’t boot the box and you don’t have the recovery password, you could try one of the “locksmith” type utilities to reset the local admin password, but unless you have lots on it, maybe just rebuild it and dcpromo it back to a DC?
Shoot the bad server and rebuild it. DCs are replaceable (if all they have on them are DC functions).
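Both answers come down to rebuilding the dead Windows 2000 DC rather than recovering it. The step they leave implicit is the cleanup on the surviving Windows Server 2003 DC: before a rebuilt box can be promoted, the dead DC's objects have to be removed from Active Directory, and before that you want proof that it held no FSMO roles. The PowerShell script below is an added example, not code from the article or from the experts quoted in it. It assumes a surviving DC named DC2003 and a dead DC named OLDDC in the domain corp.example.com and site Default-First-Site-Name (all hypothetical), that netdom and repadmin from the Windows Server 2003 Support Tools are installed, and that the ntdsutil in use (Windows Server 2003 SP1 or later) accepts `remove selected server <DN>` directly; an older ntdsutil needs the interactive "select operation target" menus described in Microsoft KB 216498.

```powershell
# Added example (not from the article): clean a DC that will not boot out of AD,
# run on the surviving DC. Names below are assumptions, not from the original post.
# Run as a member of Domain Admins / Enterprise Admins on the surviving DC.
$ErrorActionPreference = 'Stop'
$SurvivingDc  = 'DC2003'                      # assumed healthy Windows Server 2003 DC
$DeadDc       = 'OLDDC'                       # assumed dead Windows 2000 DC
$DomainDn     = 'DC=corp,DC=example,DC=com'   # assumed domain
$SiteName     = 'Default-First-Site-Name'     # assumed site
$DeadServerDn = "CN=$DeadDc,CN=Servers,CN=$SiteName,CN=Sites,CN=Configuration,$DomainDn"

function Get-FsmoHolders {
    # "netdom query fsmo" (Support Tools) prints one "<role>   <holder FQDN>" line per role.
    $holders = @{}
    foreach ($line in (& netdom.exe query fsmo)) {
        if ($line -match '^(.+?)\s{2,}(\S+\.\S+)\s*$') { $holders[$Matches[1].Trim()] = $Matches[2] }
    }
    if ($holders.Count -ne 5) { throw "Parsed $($holders.Count) FSMO roles, expected 5; check netdom output." }
    return $holders
}

function Get-RolesHeldBy([hashtable]$Holders, [string]$DcName) {
    # Roles still assigned to the dead DC. These must be seized before it is cleaned up.
    $Holders.Keys | Where-Object { $Holders[$_] -like "$DcName.*" -or $Holders[$_] -eq $DcName }
}

# 1. A dead DC that still holds FSMO roles has to lose them first. Seizing is one-way:
#    the old box must never come back online afterwards (hence "shoot it and rebuild").
$stuck = @(Get-RolesHeldBy (Get-FsmoHolders) $DeadDc)
if ($stuck.Count -gt 0) {
    throw ("$DeadDc still holds: $($stuck -join ', '). Seize them first, e.g. " +
           "ntdsutil roles connections 'connect to server $SurvivingDc' quit 'seize pdc' quit quit")
}

# 2. Show the surviving DC's inbound replication. Failures from the dead partner are
#    expected; any other failure means stop and investigate before deleting anything.
& repadmin.exe /showreps $SurvivingDc

# 3. Remove the dead DC's NTDS Settings and server objects (2003 SP1+ ntdsutil also
#    removes its FRS member and connection objects). Assumes the DN form of the command.
& ntdsutil.exe 'metadata cleanup' "remove selected server $DeadServerDn" quit quit
if ($LASTEXITCODE -ne 0) { throw "ntdsutil metadata cleanup failed with exit code $LASTEXITCODE" }

# 4. Leftovers ntdsutil does not touch: the computer account in the Domain Controllers OU
#    and the DNS records. Only the host A record is removed here; the SRV records under
#    _msdcs and the site subdomains still have to be checked in the DNS console.
& dsrm.exe "CN=$DeadDc,OU=Domain Controllers,$DomainDn" -subtree -noprompt
& dnscmd.exe $SurvivingDc /RecordDelete corp.example.com $DeadDc A /f

# 5. Keep this from recurring on the DC that is left: set a DSRM password you actually
#    know. ntdsutil prompts for it interactively; it is never passed on the command line.
& ntdsutil.exe 'set dsrm password' 'reset password on server null' quit quit
```

Run it once, top to bottom, on the surviving DC only after you have decided the old box is not coming back; step 3 is not reversible, and promoting the rebuilt server with the same name before the cleanup is done is what produces duplicate or lingering objects later. Step 5 is the part that would have saved Dave a rebuild: the DSRM password lives in the DC's local SAM and is only ever needed when the box cannot boot normally, so it is worth setting deliberately on every DC and recording somewhere safe.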