Active Directory services fails to start during boot up of a Windows 2003 server after successful restore using Backup Exec System Recovery (BESR)

Problem

Active Directory services fails to start during boot up of a Windows 2003 server after successful restore using Backup Exec System Recovery (BESR)

Error Message

LSASS.EXE, Security Account Manager initialization failure, Directory services cannot start

Solution

Active Directory uses a "tombstone lifetime" date to determine how long Active Directory objects are good for, to allow replication to a restored Domain Controller.  If the recovery point image is older then 60 days, Active Directory will not be able to initialize when the server is started up, due to this "tombstone lifetime" date parameter having been exceeded.  The first step in troubleshooting is to verify the System BIOS reflects the current date and time. If the date and time is not set correctly the server will not boot up after a successful restore due to the LSASS.EXE error.

If restoring an image older than the 60 day tombstone life, the system time can be set back to make the Operating System believe that the current date was now less then the 60 day time period.   This action allows the server to complete it's boot up process.  This is only a workaround and not a supported method.

Once the server is in a normal running state, the system time can then be set back to the current time.  Side effects of taking this type of action can cause problems with applications that make use of time stamps for tracking purposes, like Microsoft Exchange, for example.

Best practice guidelines, per Microsoft recommend that regular backup jobs be run to ensure that update to date copies of the Active Directory database are available for restore purposes, thus avoiding the problem with Active Directory becoming "aged" out.  

Note:  Service Pack 2 from Microsoft reduced the time out date from 180 days to 60 days, which was the case with Support Pack 1.  For more information, review the following Microsoft Knowledge Base Article:

Useful shelf life of a system-state backup of Active Directory

Terms of use for this information are found in Legal Notices.

Search

Survey

Did this article answer your question or resolve your issue?

No
Yes

Did this article save you the trouble of contacting technical support?

No
Yes

How can we make this article more helpful?

Email Address (Optional)