Domain Controller Crashes on Boot with Stop Code 0xc00002e2

After an emergency shutdown of a physical server running the Active Directory domain controller role, a BSOD with stop code 0xc00002e2 appears on boot. The error indicates that the Active Directory database (NTDS.DIT) is damaged. In this article, we will look at how to repair the ntds.dit file and start the domain controller (in our case, a server running Windows Server 2019).

Domain Controller boot error: stop code 0xc00002e2

In previous Windows Server versions, the same error has the following message:

STOP c00002e2 Directory Services could not start because of the following error:
A device attached to the system is not functioning.
Error Status: 0xc0000001
Please shutdown this system and reboot into Directory Services Restore Mode, check the event log for more detailed information.

As a result, a Windows Server with the ADDS domain controller role fails to boot with error 0xc00002e2. After three failed restarts, it automatically boots into the WinRE recovery environment (you can also press F8 at boot). Your task is to start Windows in Directory Services Repair Mode (DSRM).

Select Startup Settings -> Restart.

Select Directory Services Repair Mode in the advanced boot options.

Boot Windows Server DC in Directory Services Repair Mode

In DSRM, you can log in with a local administrator account. The only local account on a domain controller is the DSRM administrator. You set its password when you installed the ADDS domain controller role on the server (SafeModeAdministratorPassword).

After getting to the DC desktop, open a command prompt. First, make sure that all directory service files and folders are in place.

Run the command below:

ntdsutil "activate instance ntds" files info quit quit

Check that the NTDS directory (by default, C:\Windows\NTDS) and the ntds.dit file are at their default paths and have not been deleted.

Check the integrity of the AD database:


ntds.dit database is inconsistent

In my case, the command reported that the NTDS database was corrupted:

Could not initialize the Jet engine: database is inconsistent.
Failed to open DIT for AD DS/LDS instance NTDS. Error -2147418113

You can repair the AD database file with the esentutl tool, which is well known to Exchange administrators. Back up the contents of the NTDS folder first:

mkdir c:\ntds_bak
xcopy c:\Windows\NTDS\*.* c:\ntds_bak

Check the integrity of ntds.dit:

esentutl /g c:\windows\ntds\ntds.dit

The tool has detected that the database is damaged:

The database is not up-to-date. This operation may find that this database is corrupted because data from the log files has not yet to be placed in the database.
To ensure the database is up-to-date please use the Recovery operation.
Integrity check completed. Database is CORRUPTED.

esentutl ntds.dit database is CORRUPTED
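
The backup and first integrity check above, as an added PowerShell example that is not from the original article: it restricts the backup folder's ACL (the copy holds the same credential data as the live database), verifies each copied file by SHA-256, and only then runs the read-only `esentutl /g`. It assumes the article's default paths and an elevated prompt in DSRM; the report file name is made up for the example.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell
# prompt in DSRM. $src and $dst are the paths used in the article; the report
# file name is made up for this example.
$src = 'C:\Windows\NTDS'
$dst = 'C:\ntds_bak'
$db  = Join-Path $src 'ntds.dit'

if (-not (Test-Path -LiteralPath $db)) { throw "ntds.dit not found in $src" }

# Create the backup folder and lock it down before any data lands in it:
# remove inherited ACEs, then allow only BUILTIN\Administrators and SYSTEM.
New-Item -ItemType Directory -Path $dst -Force | Out-Null
icacls.exe $dst /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not restrict the ACL on $dst" }

# Copy the database, transaction logs and checkpoint file, then compare
# SHA-256 hashes so a bad copy is caught before anything is repaired.
$mismatch = foreach ($f in Get-ChildItem -LiteralPath $src -File) {
    $copy = Join-Path $dst $f.Name
    Copy-Item -LiteralPath $f.FullName -Destination $copy -Force -ErrorAction Stop
    $a = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    $b = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
    if ($a -ne $b) { $f.Name }
}
if ($mismatch) { throw "Backup differs from source: $($mismatch -join ', ')" }

# Read-only integrity check (the same esentutl /g as in the article).
# Keep the output next to the backup as a record of the pre-repair state.
$out  = & esentutl.exe /g $db | Out-String
$code = $LASTEXITCODE
$out | Set-Content -LiteralPath (Join-Path $dst 'esentutl_g_before.txt')

if ($code -ne 0 -or $out -match 'CORRUPTED') {
    Write-Warning 'Integrity check failed. The verified backup is in place; continue with the repair step.'
} else {
    Write-Output 'Integrity check passed. No esentutl repair is needed.'
}
# Delete $dst once the DC is healthy again: it holds a full copy of the directory database.
```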

Try to fix the errors in the database with the command below. A repair can discard data it cannot recover, which is why the backup comes first:

esentutl /p c:\windows\ntds\ntds.dit

If the errors have been fixed, you will see the following message:

Operation completed successfully in xx seconds.

esentutl fix ntds.dit error

Check the integrity again:

esentutl /g c:\windows\ntds\ntds.dit

Integrity test successful.

esentutl ntds.dit Integrity test successful

Then run the semantic database analysis using ntdsutil to make sure the database is semantically consistent as well:

ntdsutil
activate instance ntds
semantic database analysis

If any semantic errors are found, run the command below to fix them:

go fixup

ntdsutil go fixup

Then compact ntds.dit:

ntdsutil
activate instance ntds
files
compact to C:\Windows\NTDS\TEMP

Replace the original ntds.dit file:

copy C:\Windows\NTDS\TEMP\ntds.dit C:\Windows\NTDS\ntds.dit

Delete all log files from the NTDS folder:

Del C:\Windows\NTDS\*.log

Restart the server in normal mode. Make sure that ADDS services have started and the domain controller is reachable over the network. Check the domain controller health and Active Directory replication state.

If nothing helps, restore the domain controller from a backup. If there is no backup, you will have to remove the ADDS role in DSRM and forcibly remove the old DC account from Active Directory. Then run sysprep and deploy a new domain controller.
