Ошибка 2092 active directory

We have a small Windows domain with 2 Domain Controllers running Windows Server 2012.

Today I went into the Group Policy Management Console to edit the Default Domain Policy to add a few new IPs to our firewall rules.

Upon doing this, a coworker reported not being able to access file shares on our web server (on the domain) and the Primary Domain Controller.  I experienced the same issue.

Running gpupdate on a client resulted in errors for 2 Group Policy Objects, referring to 2 GUIDs not being accessible.  I went back into the
Group Policy Management Console , found those 2 GPOs, and disabled them.  1 of the GPOs was the one I had been editing, the other was unrelated.

Disabling the GPOs allowed gpupdate to work on clients, and this also restored file share functionality for some reason.

I checked the replication status and versions of the GPOs on both Domain Controllers.  Both GPOs showed one DC as still waiting on a sync.  One of the GPOs had mismatched version numbers.

I created a new GPO and let it sync, and this worked fine.  I was also able to import the settings of the original GPO and it worked.  Some time shortly after, the file shares broke again.  Disabling the offending GPO (this time it was only the Default Domain Policy) again restored the file shares.

I followed this guide: http://jackstromberg.com/2014/07/sysvol-and-group-policy-out-of-sync-on-server-2012-r2-dcs-using-dfs… Opens a new window and everything appeared to work, except I never got the 2002 Event ID in the Event Viewer.

The AD Replication Status tool showed no error.

I tried creating a new GPO again and importing the backed up settings, and things broke again.

Event Viewer reported various errors, including errors about the journal.  I performed the suggested command for the journal error (something I have encountered before), ran through the linked guide again, and disabled the offending GPO again.

File share services were back up and running.

The AD Replication Status Tool reported error 1908 («Could
not find the domain controller for this domain») for one server (the
«destination» server being the primary DC and the «source» being the
secondary DC).

I decided to let it sit and just monitor it as users need access to their files.

I checked the AD Replication Status Tool about 2 hours later and the 1908 error had disappeared.

Generating a Diagnostic Report from DFS Management shows no issues.  SYSVOL shows as normal and we don’t have any other replicated shares (we don’t actually use a DFS for use shares).  There were warnings about the frequent restarts of services, but these were due to the fact that I was restarting the servers.  The last occurrence was at the time of the last reboot of the servers.

For both domain controllers:

DCDIAG shows that both servers pass all tests except for DFSREvent (which just counts warnings/errors in the log over the past 24 hours).

REPADMIN / SHOWREPL shows5 directories/paths and they’re all listed as successful.

REPADMIN /QUEUE shows no replications queued.

NETDOM QUERY FSMO shows the PDC being Schema master, Domain naming master, PDC, RID pool manager, and Infrastructure master.

The remaining issues as I see them are:

About 45 minutes after the last restart, the primary DC logged two entries with Event ID 2092.  The secondary DC doesn’t have this event.  One is shown here (I’ve redacted our info as [SITE[ and [DOMAIN]):

Text

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role. 
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected. 
 
FSMO Role: CN=Partitions,CN=Configuration,DC=[SITE],DC=[DOMAIN] 
 
User Action: 
 
1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476. 
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication. 
3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com. 
 
The following operations may be impacted: 
Schema: You will no longer be able to modify the schema for this forest. 
Domain Naming: You will no longer be able to add or remove domains from this forest. 
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts. 
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups. 
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

The Default Domain Policy GPO is still disabled.  I haven’t tried creating a new policy yet or changing other policies for fear of breaking network share services.

Both Domain Controllers have the proper time set.  In the Group Policy Management Console, if I look at the details for a GPO, both Domain Controllers say they are the baseline domain controller for this domain.  That is, on DC1 it says «DC1.SITE.domain is the baseline controller for this domain.», and on DC2 it says
«DC2.SITE.domain is the baseline controller for this domain.».  Is this relevant?

Any help would be appreciated.  I can post redacted DCDIAG or other logs as requested tomorrow, but DCDIAG and the other things I mentioned are now clean other than the DFSREvent test which just counts the number of events.

Do I need to worry about the FSMO 2092 Event on the PDC?
Should I try reimporting the Default Domain Policy GPO from a backup, or should I try creating it (or a blank/minimal GPO) from scratch first?
Any other ideas?

Thanks

Restore your computer to peak performance in minutes!

Step 1: Download and install ASR Pro

Step 2: Open the program and click on «Scan»

Step 3: Click on «Repair» to start the restoration process

Download the software to fix your PC by clicking here.

You may receive an error that says Event ID 2092 is Replication of Source ntds. There are different ways to fix this problem, so we’ll look at them shortly.

This article provides a solution to an issue that occurs when you restart an AD LDS server with FSMO roles, or restart an AD LDS instance after that server.

Applies to: Windows Server 2012 R2
Original number in the knowledge base: 2547569

Symptoms

If you restart the Active Directory Light Domain Services (AD LDS) server with the Flexible Single Master Operations (FSMO) roles, or restart the AD LDS instance on that server, you will receive a warning message regarding (Event ID 2092). in the ADAM Event Viewer for this instance. Event ID 2092 says:

Protocol name: ADAM (instance name)
Source: ADAM Replication [InstanceName]
Date:
Event ID: 2092
Task Category: Replication
Level: Warning
Keywords: classic
User: ANONYMOUS LOGIN
Computer: Computer name ADAM
Description:

This server is clearly performing the following FSMO role, but does not consider the product to be valid. For a partition that sometimes contains FSMOs, this server has definitely not been successfully replicated with none of its actual partners since restarting this server. A replication error and validation of this role prevents replication.
Operations requiring a call to the FSMO wizard will fail until this condition is resolved.

FSMO Role: CN = Diagram, CN = Configuration, CN = 95B93FA0-93B9-4E54-A654-0D55F5CF9E4B

User response:

1. Initial sync is a fairly early replication, done at multiple levels, just like in the beginning. Failure of the initial synchronization may cause the FSMO role to be not guaranteed. This process is explained in KB 305476.
2. This server has one or more replication partners and replication will definitely fail for all of these married couples. Use the repadmin / showrepl command to view replication errors. Correct the questionable error. For example, there may be problems with IP connectivity, DNS name or resolution, security authentication, which often prevents successful replication.
3. In the normal case where all replication partners actually fail, you should expect To give the expected event, perhaps due to maintenance work or recovering from frustration and inconvenience, you can force the operation to be checked. This can be done automatically using NTDSUTIL.EXE to claim the role of the same system. This can be done by following the steps in KB 255504 and 324801 at https://support.microsoft.com .

The following surgical treatments may be affected:
Schema: be Currently, you definitely won’t be able to change the schema of this forest.
Domain Name: You can no longer add or remove domains from this process forest in the Marketplace.
PDC: You can no longer perform primary domain controlled operations such asRID: You may not be able to assign new credentials to new users, computer accounts, or security groups.
Infrastructure: Domain name credentials such as Universal Organization Memberships are not updated securely when their target is transported or renamed.

ADAM Log Name: (InstanceName)
Source: ADAM Replication [InstanceName]
Date:
Event ID: 2092
Task Category: Replication
Level: Warning
Keywords: classic
User: ANONYMOUS LOGIN
Computer: Computer name ADAM
Description:

This web hosting server is owned, but not owned, by the FSMO role. For the partition that FSMO is built from, this server does not offer successfully replicated replication to its partners because this server has been rebooted over and over again. Replication failures protect the validation of this role.
Operations that need to communicate with the main FSMO operation will fail irrevocably until this condition is resolved.

FSMO Role: CN = Partitions, CN = Configuration, CN = 95B93FA0-93B9-4E54-A654-0D55F5CF9E4B

User response:

1. Initial sync is the first expected replication that the system will do best at startup. An initial sync error can describe why the FSMO role often cannot be verified. This process is explained in KB 305476.
2. This server has one or more replication partners and replication will fail with all and your partners. Use the repadmin / showrepl command line to view replication errors. No doubt correct the indicated error. For scenarios, there might be issues with the IP address in the web connection, the DNS name or resolution, the permission level, preventing successful replication.
3. In the rare event that all replication agents are down, which is an expected event, perhaps due to maintenance work or your own disaster recovery, you can force their role to be checked. This can now be done sequentially using NTDSUTIL.EXE to actually take over the server role. You can do this by following the steps in KB articles 255504 and 324801 at https://support.microsoft.com .

Related operations may be affected:
Schema: be You can definitely no longer adapt the schema for this forest.
Domain naming: You can no longer add or remove domains originally derived from this forest.
PDC: You can no longer perform PDC operations on the Internet, such as:RID: you are notyou can transfer new SIDs to specific new user accounts, computer accounts, or security alert groups.
Infrastructure: Domain name credentials such as universal group membership are incorrect if your target needs to be moved or renamed.

Reason

If a replica set contains more than two or more AD LDS instances, the proprietary AD LDS instances owned by the FSMO must make a particular Partition Service deeply redundant at startup to meet incredibly early synchronization requirements. An event is logged at 2092 just after the service starts to indicate this proximity condition. The FSMO domain name is literally required for the replicated configuration partition, and the FSMO schema is required for the replicated schema partition. After successfully copying the relevant section, the updates will be resolved as soon as possible. There is no event logged to indicate that the initial sync completed without issue.

Resolution

If LDS ad replication is inter-instance for enterprises, you can ignore this type of event. This is the design style and behavior that the FSMO role owner looks for replica partners to keep up to date when the AD LDS service / server is restarted.

Additional Information

You are probably using dcdiag.exe or repadmin.exe to validate the write between LDS advertisements. You can find a lot of information in the following interim articles:

• Repadmin

• Restore your computer to peak performance in minutes!

  Is your PC running slow and constantly displaying errors? Have you been considering a reformat but don’t have the time or patience? Fear not, dear friend! The answer to all your computing woes is here: ASR Pro. This amazing software will repair common computer errors, protect you from file loss, malware, hardware failure and optimize your PC for maximum performance. So long as you have this program installed on your machine, you can kiss those frustrating and costly technical problems goodbye!

• Step 1: Download and install ASR Pro
• Step 2: Open the program and click on «Scan»
• Step 3: Click on «Repair» to start the restoration process