SP2 hotfixes recommended before making schema changes in Active Directory forests

This article describes a rare situation that can make a Windows 2000-based domain controller non-functional after schema changes are made.

Even though this situation is rare, Microsoft recommends that administrators follow the steps in the "Preventing Data Deletion in Active Directory" section of this article on all Windows 2000 domain controllers before they add schema extensions to an Active Directory forest.

Programs that can add schema extensions to Active Directory include:

• Microsoft Exchange 2000 Server
• Microsoft Internet Security and Acceleration (ISA) Server 2000 Enterprise Edition
• Microsoft Mobile Information 2001 Server
• Third-party products, such as, SAP and PeopleSoft

The situation that is discussed in this article is encountered when Windows 2000-based domain controllers replicate many schema changes (anywhere from hundreds to thousands) while they concurrently reload the schema cache. During this period, critical data may be deleted from the Active Directory database (Ntds.dit) that can make the domain controller unable to function. This situation (which can act like a bug) can occur if strict timing conditions and schema extension size dependencies are favorable. If the domain controller can be restarted and it is functional in Active Directory mode after the replication of schema changes, the domain controller functions properly and is unaffected by the data deletion. In this situation, you can apply the recommendations from the "Preventing Data Deletion in Active Directory" section of this article to these domain controllers.

If a domain controller encounters data deletion from Active Directory, the domain controller logs a unique set of events and becomes non-functional. When you restart the computer, Active Directory cannot load and logs a second set of unique events. Each of these scenarios is discussed in detail in this article.

Events Are Logged When the Data Is Deleted

Domain controllers that have deleted the data from Active Directory as a result of the situation that is described in the Summary section of this article, but have not restarted the computer can experience the following symptoms and events:

• The Windows 2000 domain controller does not process the service requests for network authentication.
• Inbound or outbound replication of all Active Directory naming contexts are stopped.
• Critical Active Directory services, such as, Intersite Messaging, Kerberos Key Distribution Center, and NetLogon, seem to be running, but none of the Windows 2000 administration tools start. This behavior includes the Active Directory User and Computers (Dsa.msc) and Site and Services (Dssites.msc) snap-ins.
• An Event ID 1185 with the following attributes is logged in the Directory Service event log:
  Event Type: Information Event Source: NTDS General Event Category: Internal Processing Event ID: 1185 Date: MM/DD/YY
  Time: HH:MM:S A.M./P.M.
  User: Everyone
  Computer: Dcname
  Description: Deleted unneeded index ? (Internal ID XXXXX). For more information, see Help and Support Center at http://support.microsoft.com.
  The log activity may cause events of interest to "scroll" out of the event log. Restart the domain controllers if you suspect that data deletion has occurred.
  
  
• If you suspect that data deletion has occurred on any Windows 2000 domain controller, proceed to the "Recovering from Deleted Data" section of this article.

Events Logged During Restart as a Result of Data Deletion

Domain controllers that have deleted critical data from Active Directory as a result of this bug can fail to boot into Active Directory, and log a unique set of events in the process: NOTE: The Event ID 26 and 0xc000002e1 exception is a generic error that is logged when Windows 2000 domain controllers are unable to boot in Active Directory mode or access the Ntds.dit or log files. NOTE:
The "XXXX" string in the first event ID 1168 message refers to column identifiers that are missing in the Active Directory database.

The "-1507" string in the second event ID 1168 message is a jet database error that indicates that the Active Directory database is missing one or more columns.

If you suspect that data deletion has occurred on any Windows 2000 domain controller, proceed immediately to the "Recovering from Deleted Data" section of this article.

Recovering from Deleted Data

If the Directory Service and System event logs on a running or restarted domain controller indicate that objects have been deleted from an Active Directory database on one or more domain controllers, contact Microsoft Product Support for additional information, at the following Microsoft Web site:

Preventing Data Deletion in Active Directory

Individual Windows 2000 domain controllers are not susceptible to the timing sensitive deletion of Active Directory objects if one of the following conditions is true (before the introduction of schema changes to the forest, or the data deletion affects a given domain controller):

1. A WINSE 11972 hotfix is installed. (The Ntdsa.dll file is dated September 18, 2000.)
2. A hotfix that contains an updated Ntdsa.dll file that is derived from the WINSE 11972 fix is installed. (The Ntdsa.dll file is dated after September 18, 2000.)
3. Windows 2000 Service Pack 2 (SP2) is installed.

Domain controllers, and implicitly the forest, are protected when they all contain one of the preceding three conditions.

Because the first and second conditions protect Windows 2000 domain controllers from column deletion, the immediate deployment of Windows 2000 SP2 is not a strict requirement to avoid this bug (on servers that already contain the hotfix mentioned in the preceding first and second conditions). However, Windows 2000 SP2 contains this and other significant fixes that can improve the reliability of Windows 2000 domain controllers.

Microsoft recommends that customers install Windows 2000 SP2 and the WINSE 18593 hotfix on all Windows 2000 domain controllers as soon as possible. For additional information, click the article number below to view the article in the Microsoft Knowledge Base: NOTE: The WINSE 18593 hotfix is tested and supported on installations of Windows 2000 that run Service Pack 1 (SP1) or SP2. Regardless of which option you choose, you must install the software that can resolve the problem on properly functioning domain controllers, and you must use the following priority:

• A single domain controller in each domain in the forest. Begin with the forest root.
• All remaining domain controllers in the root domain of the forest.
• All remaining domain controllers in the forest.

Even though the hotfixes and Service Packs that are discussed in this article can prevent the data deletion problem from occurring, they do not provide relief to domain controllers when they become affected, so recent system-state backups from at least one properly functioning domain controller in every domain in the forest can become critical to the recovery scenario. The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.