Thursday 26 February 2015

How to recover data from a NT4 volume set

How to recover data from a NT4 volume set
recently the boot disk of a NT4 server at work failed. The system reported missing files and wouldn't come up properly.
A colleaugue of mine tried a NT4 repair install from the original NT4 SP1 CD.
That fixed the operating system, but as we had no emergency repair floppy, the config details were lost.
The box had three scsi drives, with the first one DISK0 (having two NTFS partitions) as the boot drive. NT4's hard disk manager only found two disks with unknown partitions.
As I had no idea what we were up against, I booted a Knoppix CD and looked at the file system types, which were:

0x87 on DISK1 and 0x86 on DISK2.

Information on fs-type 87 and 86 on the web were a bit shaky, but it seemed like these two disks might have been part of volume set. Mounting any of the drives in Knoppix didn't work, even when explicitly telling mount to use NTFS.
One of our developers confirmed that the server had „a big e-drive“. That sounded like our volume set.
Someone found an old NT4 Server resource kit in the basement while searching for a NT4 server cd. This came really handy:
With the „ftedit“ program from the resource kit, I could see that the server didn't have any information about the volume set. The manual in the resource kit said that these details are stored in:

HKEY_LOCAL_MACHINE/SYSTEM/DISK

I then discovered a SYSTEM._ file in the WINNT/REPAIR directory which I expanded to a file on a floppy disk. Opening that file on an other machine with a freeware „offline registry viewer“ (MiTeC Registry File Viewer), I exported the DISKS key to a .reg file and imported that key back into the nt4 server.
After a reboot the disk manager showed the two drives (DISK1 DISK2) as a volume set.
The same could have been achieved with ftedit manually. Ftedit only manipulates the registry. It doesn't touch the disks as such. So the risk is relatively low.
A drive letter „E“ was attached to the volume, but the file system type still read „unknown“ in the disk admin tool.
I then installed Service Pack 6a, because I thought NT4SP1 couldn't recognize the partition type. Although it didn't fix the problem, it is certainly a good idea to do so.
After some more research (read: goooooooogling), I found the last missing clue here:

http://support.microsoft.com/?scid=kb%3Ben-us%3B131658&x=4&y=17

The ftdisk service in the device manager had to be set to start with the system.
Even starting it manually from the control panel immediately brought back the missing E-drive.
Obviously the fresh OS-install had not started that service as no fancy disk configs were made from that installation.

Lesson learned: create emergency repair disks for all remaining NT4 servers (rdisk)

No comments:

Post a Comment