Microsoft KB Archive/265089

= Event 1168: Windows 2000 DCs Unable to Boot into Active Directory =

Article ID: 265089

Article Last Modified on 2/28/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q265089





SUMMARY
This article describes &quot;Event ID 1168&quot; error messages that are logged on a Windows 2000 domain controller (DC) that is unable to boot from the Active Directory database.

The &quot;Event ID 1168&quot; error message is a generic error message that is logged when Windows DCs experience either of the following conditions:
 * Resource shortages and &quot;out of version store&quot; conditions in Active Directory.
 * Inability to boot from the Active Directory database.

The 1168 events that are logged during resource utilization and version-store shortages have the following attributes:

Event Type: Error Event Source:  NTDS SDPROP Event Category: Internal Processing Event ID:        1168 Date:      MM/DD/YYYY Time:      HH:MM:SS AM|PM User:      N/A Computer: Description:     Error -1069(fffffbd3) has occurred (Internal ID d0006fc). Please contact Microsoft Product Support Services for assistance.

Event Type: Warning Event Source:  NTDS General Event Category: (9) Event ID:        1519 Date:      MM/DD/YYYY Time:      HH:MM:SS AM|PM User:      NT AUTHORITY\SYSTEM Computer: Description:     A Directory Service operation failed because the database has run out of version storage. If this error repeats frequently it most likely indicates that an object that is too large for the Directory Service to handle is attempting to replicate in. This object must be deleted or shrunk on a                  Directory Server where it already exists. The internal id is 202073c.

The &quot;version storage&quot; event 1168 has a different root cause and appearance than the 1168 that is logged when DCs are unable to boot from the Active Directory.

As of April, 2001, the following three root causes of the 1168 boot errors are known:
 * 1) Insufficient permissions to obtain access to the Ntds.dit file and log files.
 * 2) Unscheduled loss of power that can cause the Ntds.dit file or log files to become un-readable (jet error 550).
 * 3) Columns that have been deleted from the jet database updating-schema cache when inbound schema changes are replicated.

These scenarios and suggested action plans are described in more detail in the &quot;More Information&quot; section of this article. For additional information about the latest service pack for Windows 2000, click the article number below to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack



Scenario 1: Insufficient Permission for the OS to Access the NTDS.DIT and Log Files
This behavior occurs because explicit or inherited NTFS permissions on the folder that contains the Active Directory database files and log files (or on their parent folders) are too restrictive. Events logged include:

Event Type: Warning Event Source:  NTDS General Event Category: (9) Event ID:        1168 Date:      MM/DD/YYYY Time:      HH:MM:SS AM|PM User:      NT AUTHORITY\SYSTEM Computer: Description:     Error: 1032 (fffffbf8) has occurred. (internal ID 4042b). Please contact Microsoft product support services for assistance.

Event Type: Warning Event Source:  NTDS General Event Category: (9) Event ID:        1103 Date:      MM/DD/YYYY Time:      HH:MM:SS AM|PM User:      NT AUTHORITY\SYSTEM Computer: Description:     The windows directory services database could not be                   initialized and returned error 1032. Unrecoverable error, the directory can't continue.

To resolve this issue:
 * 1) Restart the DC into Directory Services Restore mode by pressing F8 when the initial boot menu is displayed.
 * 2) Select the Directory Services Restore Mode option for the appropriate installation of Windows.
 * 3) Verify that the Administrator and System accounts on the %SystemRoot%\Ntds folder have the following permissions:
 * 4) * Administrators (Full Control)
 * 5) * System (Full Control)

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

258062 &quot;Directory Services cannot start&quot; error message when you start your Windows-based or SBS-based domain controller

Scenario 2: Windows 2000 DC Reboots Because of Unscheduled Power Loss
An unplanned loss of power (such as a rolling power outage) on a running Windows 2000 DC can prevent Active Directory from reading either the NTDS.DIT or log files on next boot. This problem is characterized by the following events:

Event Type: Error Event Source:  NTDS ISAM Event Category: Logging/Recovery Event ID:        100 Date:      MM/DD/YY Time:      HH:MM:SS AM|PM User:      N/A Computer Description:     NTDS (308) The database engine 6.00.3940.0004 started.

Event Type: Error Event Source:  NTDS General Event Category: Internal Processing Event ID:        455 Date:      MM/DD/YY Time:      HH:MM:SS AM|PM User:      N/A Computer: Description:   NTDS (308) Error -1811 occurred while opening a log file %4.

Event Type: Error Event Source:  NTDS General Event Category: Internal Processing Event ID:        1168 Date:      MM/DD/YY Time:      HH:MM:SS AM|PM User:      N/A Computer: Description:     Error -1811(fffff8ed) has occurred (Internal ID 4042b). Please contact Microsoft Product Support Services for assistance.

The 1811 error in the Event IDs 455 and 1168 map to jet errors that indicate that the specified file is missing or unreadable. The symbolic name for the 1811 from ESENT.H is:

#define JET_errPermissionDenied   -1809 /* Permission denied */
 * 1) define JET_errFileNotFound       -1811 /* File not found */
 * 2) define JET_wrnFileOpenReadOnly   -1813 /* Database file is read only */

Recovery methods in order of preference:
 * 1) Rename the Edb.chk file. When Active Directory boots, it checks the integrity of the DIT file and log. If problems are encountered, a &quot;soft recovery&quot; is attempted. During soft recovery (or immediately afterwards), the 2195 release of Windows 2000 creates a log file without any attached information in the log file header.

To resolve the problem, delete (although it is safer to rename, then delete once you are able to boot) the Edb.chk checkpoint file. Reboot the DC in normal Active Directory mode.


 * 1) Perform a non-authoritative restoration of a recent (but newer than tombstonelifetime), SYSTEM STATE backup. Upon bootup, Active Directory will source current Schema, Configuration and Domain Naming contexts from available replication partners.
 * 2) Reinstall the operating system on the failed computer. Remove the failed computer from the forest, and then run Dcpromo.exe to add the computer back to the forest. Remove NTFRS member objects from the SYSTEM folder for deleted servers. Rebuilding the domain controller may well be considered a better solution than the preceding solution because the DC can be built with deterministic results in a deterministic amount of time.

For additional information about how to remove a computer from the forest, click the article number below to view the article in the Microsoft Knowledge Base:

216498 Removing Active Directory Data After an Unsuccessful Demotion

Scenario 3: Columns Deleted from Jet Database that Is Updating Schema Cache When Inbound Schema Changes Are Replicated
Symptoms you may experience:
 * The Windows 2000 DC no longer services requests for network authentication.
 * Inbound or outbound replication of all Active Directory naming contexts has stopped.
 * Critical Active Directory services including InterSite Messaging, Kerberos Key Distribution Center and NETLOGON appear to be running but none of the Windows 2000 administration tools start. This includes the Active Directory User and Computers (Dsa.msc) snap-in, Site and Services (Dssites.msc) snap-in, Ldp.exe, Netdiag.exe and Dcdiag.exe.

This scenario is discussed in more detail in the following MKSB article:

303077 SP2 hotfixes recommended prior to making schema changes in AD forests

Keywords: kbhotfixserver kbqfe kbenv kberrmsg kbinfo KB265089

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.