After an emergency shutdown of a physical server with the Active Directory domain controller role, a BSOD with the stop code 0x00002e2 appears on boot. The error indicates that the Active Directory database (NTDS.DIT) is damaged. In this article, we will figure out how to fix the ntds.dit file and start the domain controller (in our case, it is a server running Windows Server 2019).
In previous Windows Server versions, the same error has the following message:
STOP c000002e2 Directory Services could not start because of the following error:
A device attached to the system is not functioning.
Error Status: 0xc0000001
Please shutdown this system and reboot into Directory Services Restore Mode, check the event log for more detailed information.
Therefore, Windows Server with the ADDS domain controller role won’t boot with the error 0xc00002e2. After three server restarts, it will automatically boot to WinRE recovery mode (or press F8 at boot). Your task is to run Windows in the Directory Services Repair Mode (DSRM).
Select Startup Settings -> Restart.
Select Directory Services Repair Mode in the advanced boot options.
In DSRM, you can log in with a local administrator account. The only local account on the domain controller is the DSRM administrator. You set its password when you install the ADDS domain controller role on your server (SafeModeAdministratorPassword).
After getting to the DC desktop, open a command prompt. First, make sure that all directory service files and folders are in place.
Run the commands below:
NTDSUTIL
activate instance ntds
Files
Info
Check that the directory with the NTDS files (by default, C:\Windows\NTDS) and the ntds.dit file are in their default locations and have not been deleted.
Check the integrity of the AD database:
integrity
In my case, the command returns that the NTDS database was corrupted:
Could not initialize the Jet engine: database is inconsistent.
Failed to open DIT for AD DS/LDS instance NTDS. Error -2147418113
You can fix the AD database file with the esentutl tool. The tool is well known to Exchange administrators. Back up the contents of the NTDS folder first:
mkdir c:\ntds_bak
xcopy c:\Windows\NTDS\*.* c:\ntds_bak
Check the integrity of ntds.dit:
esentutl /g c:\windows\ntds\ntds.dit
The tool has detected that the database is damaged:
The database is not up-to-date. This operation may find that this database is corrupted because data from the log files has not yet to be placed in the database.
To ensure the database is up-to-date please use the Recovery operation.
Integrity check completed. Database is CORRUPTED.
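Before moving on to the repair, it is worth confirming that the copy in c:\ntds_bak is complete and that the read-only check really reports damage. The PowerShell script below is an added example, not part of the original article; the function names Test-NtdsBackup and Test-NtdsIntegrity are hypothetical, and it assumes the paths used above and that a zero esentutl exit code means the check passed.

```powershell
# Added example: verify the NTDS backup, then run the read-only integrity check.
# Paths are the ones used in this article; function names are hypothetical.
$Source = 'C:\Windows\NTDS'
$Backup = 'C:\ntds_bak'

function Test-NtdsBackup {
    param([string]$SourceDir, [string]$BackupDir)
    $mismatch = @()
    # -Force also lists hidden/system files, which xcopy skips without /h.
    foreach ($file in Get-ChildItem -LiteralPath $SourceDir -File -Force) {
        $copy = Join-Path $BackupDir $file.Name
        if (-not (Test-Path -LiteralPath $copy)) {
            $mismatch += "$($file.Name): missing from backup"
            continue
        }
        $a = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $b = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
        if ($a -ne $b) { $mismatch += "$($file.Name): hash differs from source" }
    }
    return ,$mismatch   # leading comma keeps an empty result an array
}

function Test-NtdsIntegrity {
    param([string]$DatabasePath)
    # esentutl /g only reads the database; it does not modify it.
    $output = (& esentutl.exe /g $DatabasePath 2>&1) -join [Environment]::NewLine
    [pscustomobject]@{
        ExitCode = $LASTEXITCODE
        # Assumption: exit code 0 and no "CORRUPTED" in the output means healthy.
        Passed   = ($LASTEXITCODE -eq 0) -and ($output -notmatch 'CORRUPTED')
        Output   = $output
    }
}

$problems = Test-NtdsBackup -SourceDir $Source -BackupDir $Backup
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Backup in $Backup is incomplete; fix it before running esentutl /p."
}

$check = Test-NtdsIntegrity -DatabasePath (Join-Path $Source 'ntds.dit')
if ($check.Passed) {
    Write-Output 'Backup verified. Integrity check passed; no repair is needed.'
} else {
    Write-Output "Backup verified. Integrity check failed (exit code $($check.ExitCode))."
    Write-Output $check.Output
}
```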
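Try to fix errors in the database using the command below. Note that esentutl /p is a hard repair that discards data it cannot recover, which is why the NTDS folder is backed up first: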
esentutl /p c:\windows\ntds\ntds.dit
If the errors have been fixed, you will see the following message:
Operation completed successfully in xx seconds.
Check the integrity again using esentutl /g. If the repair worked, the tool returns:
Integrity test successful.
To ensure that the database is semantically consistent as well, run the semantic database analysis using ntdsutil:
ntdsutil
activate instance ntds
semantic database analysis
go
If any semantic errors are found, run the command below to fix them:
go fixup
Then compact the ntds.dit file:
activate instance ntds
files
compact to C:\Windows\NTDS\TEMP
Replace the original ntds.dit file:
copy C:\Windows\NTDS\TEMP\ntds.dit C:\Windows\NTDS\ntds.dit
Delete all log files from the NTDS folder:
Del C:\Windows\NTDS\*.log
Restart the server in normal mode. Make sure that ADDS services have started and the domain controller is reachable over the network. Check the domain controller health and Active Directory replication state.
If nothing helps, restore the domain controller from a backup. If there is no backup, you will have to remove the ADDS role in the DSRM and force remove the old DC account from Active Directory. Then run sysprep and deploy a new domain controller.