Restoring an old Small Business Server 2008 backup: beware expired Active Directory

Seemingly tricky problems sometimes have simple solutions – but you have to find them first.

So it was with this one. I was asked to recover some emails from Small Business Server, from a backup that was about six months old. This SBS runs on Hyper-V using a proven backup system and I decided to restore onto a test system just to recover the emails. All went well until the first boot. The restored SBS went into a reboot cycle. Trying safe mode revealed the error:

STOP: c00002e2 Directory Services could not start because of the following error: A device attached to the system is not functioning. Error Status: 0xc0000001

The suggested fix for this is to boot into Directory Services Restore Mode. In my case this was not possible, because after the first failure the VM booted into Windows Error Recovery mode which does not offer Directory Services Restore Mode. Rather than try to get round this, I simply restored the server again, and took a snapshot before the first boot so I would not have to do so again.

I could now get into Directory Services Restore Mode, though note that you need to log on as .\administrator using the password set when SBS 2008 was installed. I tried some of the steps here with little success. The suggested ntdsutil commands did not work. I had to activate an instance, which by the way is ntds, and then got a message saying the operation failed because the system was in Directory Services Restore Mode and to try rebooting. I knew what the result would be.

In other words, I was getting nowhere. Then I found a user with a similar problem. The reason: Active Directory will not restore if it is older than the “tombstone lifetime”. This is nicely explained here. It is to do with replication. Active Directory is designed to replicate between domain controllers, which means it has to keep a record of deleted items. If a particular instance is older than the tombstone lifetime, it could not replicate safely, hence the error message.

Well, kind of. Note that the error message says, “A device attached to the system is not functioning”. If only it could have said, “Active Directory is too old”, that would have saved some time. Note also that SBS is often the sole domain controller, making the problem irrelevant. Note further that in my case I did not care a jot about replication, since all I needed was some emails.

Still, it gave me an easy solution. Just set the date back in Hyper-V and reboot. Everything worked fine.
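To check in advance whether a backup has outlived the tombstone lifetime, and which clock date would still fall inside it, something like the following can be used. This is an added example, not part of the original post: the function names and sample dates are constructed, and it assumes PowerShell 2.0 or later, with the directory lookup run on a working domain controller.

```powershell
# Added example, not from the original post. Function names and sample
# values are constructed for illustration.

function Get-TombstoneLifetimeDays {
    # Reads tombstoneLifetime from the forest's configuration partition.
    # Needs a running domain controller; AD is offline in
    # Directory Services Restore Mode.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = [string]$rootDse.Properties['configurationNamingContext'].Value
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $value    = $dsObject.Properties['tombstoneLifetime'].Value
    if ($null -eq $value) { return 60 }   # attribute unset: AD uses 60 days
    return [int]$value
}

function Test-BackupAge {
    param(
        [Parameter(Mandatory = $true)][datetime]$BackupDate,
        [int]$TombstoneLifetimeDays = 0,   # 0 means: look it up in AD
        [datetime]$Now = (Get-Date)
    )
    if ($TombstoneLifetimeDays -le 0) {
        $TombstoneLifetimeDays = Get-TombstoneLifetimeDays
    }
    $ageDays  = [math]::Floor(($Now - $BackupDate).TotalDays)
    $deadline = $BackupDate.AddDays($TombstoneLifetimeDays)

    New-Object PSObject -Property @{
        BackupDate            = $BackupDate
        AgeDays               = $ageDays
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        # Last date on which the restored AD is still inside the lifetime;
        # a test VM's clock has to be earlier than this for DS to start.
        UsableUntil           = $deadline
        Expired               = ($Now -gt $deadline)
    }
}

# Constructed sample: a backup roughly six months old, checked offline
# by passing the lifetime explicitly instead of querying AD.
Test-BackupAge -BackupDate '2012-01-10' -TombstoneLifetimeDays 180 -Now '2012-07-20'

# On a live domain controller, omit -TombstoneLifetimeDays and -Now:
# Test-BackupAge -BackupDate '2012-01-10'
```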

In the end it did not cost me too much time, and doing this stuff in Hyper-V while getting on with your work during the slow bits is a lot more fun than when using real systems.

I do find it interesting though how these simple problems can surface as bewildering errors that lead you through a maze of obscure technical documents before you find the simple solution.