AD is not accessible (event ID 2092)

Lee, Yongil 20 Reputation points
2023-10-19T14:33:33.5366667+00:00

I have two Windows 2016 servers on VMware.
DC1 is the FSMO owner and DC2 is the backup DC.

A few days ago, ESXi had an issue and both got reverted back to previous snapshots. (Both DCs are located on the same host.)

Now I am not able to get into the AD snap-in. When I try, it shows the following error.

[screenshot of the error]

I found Event ID 2092 on Directory Service

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

Operations which require contacting a FSMO operation master will fail until this condition is corrected.

FSMO Role: CN=RID Manager$,CN=System,DC=test,DC=legnakil,DC=net

User Action:

  1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
  2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors. Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
  3. In the rare event that all replication partners are expected to be offline (for example, because of maintenance or disaster recovery), you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.

The following operations may be impacted:

Schema: You will no longer be able to modify the schema for this forest.

Domain Naming: You will no longer be able to add or remove domains from this forest.

PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.

RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.

Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

Since both DCs are inoperative, I can't remove DC2 to make DC1 a standalone server.

I tried to seize the FSMO roles but it is still the same.

I am suspecting USN rollback but not sure.

I reverted DC1 again and disconnected it from the network. DC2 is on since it serves as the DNS server.

Any suggestion would be great.

Tags: Windows Server 2016, Active Directory
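The question suspects a USN rollback after the snapshot revert. The following is an added example, not part of the thread, that reads the indicators Windows records when it detects a rollback: the "Dsa Not Writable" registry value under NTDS\Parameters, the Directory Service events 2095 and 2103 (plus 2092 from the question and 2170, which a hypervisor that exposes VM-Generation ID triggers on a safe revert), the paused Netlogon service, and the local invocationId for comparison with the partner's view. It assumes an elevated PowerShell on the DC with the RSAT ActiveDirectory module installed; the function names and the 30-day window are mine.

```powershell
# Added example (not from the thread). Read-only checks for USN rollback
# indicators on a domain controller after a snapshot revert.
# Assumptions (mine): run elevated on the DC; RSAT ActiveDirectory module present.

function Get-DsaNotWritableState {
    # Windows sets 'Dsa Not Writable' = 4 under NTDS\Parameters when it detects
    # a rollback; inbound and outbound replication stay disabled while it is set.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Dsa Not Writable'
    [pscustomobject]@{
        DsaNotWritable  = $value
        RollbackFlagged = ($value -eq 4)
    }
}

function Get-RollbackRelatedEvents {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    # 2095: a partner has acknowledged USNs this DC no longer knows about (rollback)
    # 2103: database restored with an unsupported method; replication disabled
    # 2170: VM-Generation ID change detected (the safe-revert path on supported hypervisors)
    # 2092: FSMO role held but not validated (the event in the question)
    $filter = @{ LogName = 'Directory Service'; Id = 2092, 2095, 2103, 2170; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Get-NetlogonState {
    # On a rolled-back DC, Windows pauses Netlogon so the DC stops advertising.
    $svc = Get-Service -Name Netlogon
    [pscustomobject]@{ Status = $svc.Status; Paused = ($svc.Status -eq 'Paused') }
}

function Get-LocalInvocationId {
    # The invocationId is this DSA's replication identity. Compare it with the
    # row the partner shows for this DC in 'repadmin /showutdvec' on the partner:
    # a partner holding a higher USN for this invocationId than the DC itself
    # reports is the classic rollback signature.
    Import-Module ActiveDirectory -ErrorAction Stop
    $dc   = Get-ADDomainController -Identity $env:COMPUTERNAME
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties invocationId
    [pscustomobject]@{
        Server       = $dc.HostName
        InvocationId = [guid]::new([byte[]]$ntds.invocationId)
        HighestUsn   = (Get-ADRootDSE).highestCommittedUSN
    }
}

function Test-UsnRollbackIndicators {
    $state  = Get-DsaNotWritableState
    $events = @(Get-RollbackRelatedEvents)
    $logon  = Get-NetlogonState
    $ids    = @($events.Id)
    [pscustomobject]@{
        DsaNotWritable = $state.DsaNotWritable
        NetlogonStatus = $logon.Status
        EventIds       = ($ids | Sort-Object -Unique) -join ','
        RollbackLikely = $state.RollbackFlagged -or $logon.Paused -or
                         ($ids -contains 2095) -or ($ids -contains 2103)
    }
}

Test-UsnRollbackIndicators
Get-RollbackRelatedEvents | Format-Table -AutoSize
Get-LocalInvocationId
```

If RollbackLikely is true, or only 2170 appears, the two cases differ: a flagged DSA (value 4, Netlogon paused, 2095/2103) needs to be rebuilt from a healthy partner, while a 2170-only revert means Windows already reset the invocationId and discarded the RID pool and the DC can replicate normally once connectivity is back.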

Accepted answer
  1. Dave Patrick 426.2K Reputation points MVP
    2023-10-19T18:58:24.85+00:00

    Ok so you seized roles to DC2, correct? If that's correct, then a few things:

    • change the DNS on connection properties to its own static IP address (192.168.10.24) plus loopback (127.0.0.1)
    • dcdiag also reports "This computer has at least one dynamically assigned IPv6 address" so I'd fix that, possibly with:
    netsh interface teredo set state disabled
    • reboot
    • then you could also make it a global catalog via Active Directory Sites and Services. In the console tree, expand the Sites container, and then select the appropriate site that contains the target server.

    Expand the Servers container, and then expand the server object for the DC to which you want to add the global catalog. Right-click NTDS Settings, and then select Properties. Select the Global Catalog check box.

    • then follow along here to do the authoritative FRS restore since this is the only remaining domain controller

    https://learn.microsoft.com/en-US/troubleshoot/windows-server/networking/use-burflags-to-reinitialize-frs#authoritative-frs-restore

    --please don't forget to close up the thread here by marking answer if the reply is helpful--

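The accepted answer's steps, written up as an added example (not the answer's own code or anything from Microsoft's linked article) as PowerShell functions that honour -WhatIf so each step can be previewed before it runs. It assumes an elevated session on DC2, the interface alias 'Ethernet0', the static IP 192.168.10.24 quoted in the answer, and the RSAT ActiveDirectory module; the function names are mine. The reboot sits between the Teredo step and the global catalog step, so run the functions one at a time in the answer's order rather than as one unattended script.

```powershell
# Added example (not from the thread): the accepted answer's remediation steps.
# Assumptions (mine): elevated PowerShell on DC2, alias 'Ethernet0',
# RSAT ActiveDirectory module installed. Every function supports -WhatIf.

function Set-DcDnsToSelf {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$InterfaceAlias = 'Ethernet0', [string]$StaticIp = '192.168.10.24')
    # A sole DC must resolve the domain through itself: own IP first, loopback second.
    if ($PSCmdlet.ShouldProcess($InterfaceAlias, "Set DNS servers to $StaticIp,127.0.0.1")) {
        Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $StaticIp, '127.0.0.1'
    }
    Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4
}

function Disable-Teredo {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Removes the dynamically assigned IPv6 address dcdiag complains about.
    if ($PSCmdlet.ShouldProcess('Teredo', 'Disable')) { netsh interface teredo set state disabled }
    netsh interface teredo show state
}

function Enable-GlobalCatalog {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$DcName = $env:COMPUTERNAME)
    Import-Module ActiveDirectory -ErrorAction Stop
    # The Sites and Services checkbox sets bit 0x1 (IS_GC) in the 'options'
    # attribute of the DC's NTDS Settings object.
    $dc   = Get-ADDomainController -Identity $DcName
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $new  = [int]$ntds.options -bor 1
    if ($PSCmdlet.ShouldProcess($dc.NTDSSettingsObjectDN, "Set options=$new")) {
        Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = $new }
    }
    # Verify the way the Event 1126 user action suggests: ask the locator for a GC.
    nltest "/dsgetdc:$($dc.Domain)" /gc /force
}

function Set-FrsAuthoritativeRestore {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # D4 (authoritative) applies to FRS-replicated SYSVOL only; a DFSR domain has
    # no NtFrs service and needs the DFSR procedure instead.
    $svc = Get-Service -Name NtFrs -ErrorAction SilentlyContinue
    if (-not $svc) { throw 'NtFrs service not found: SYSVOL is not FRS-replicated on this DC.' }
    # The key name contains a literal '/', which the PowerShell registry provider
    # treats as a path separator, so the .NET registry API is used directly.
    $subKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    if ($PSCmdlet.ShouldProcess($subKey, 'Set BurFlags = 0xD4 and restart NtFrs')) {
        Stop-Service -Name NtFrs
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
        $key.SetValue('BurFlags', 0xD4, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
        Start-Service -Name NtFrs
    }
    # 13566 = FRS scanning SYSVOL after a D4 restore; 13516 = SYSVOL shared again.
    Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13516, 13566 } `
        -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id
}

# Preview first; then run each step, without -WhatIf, in the answer's order,
# rebooting after Disable-Teredo.
Set-DcDnsToSelf -WhatIf
Disable-Teredo -WhatIf
Enable-GlobalCatalog -WhatIf
Set-FrsAuthoritativeRestore -WhatIf
```

Set-FrsAuthoritativeRestore refuses to run when NtFrs is absent because the BurFlags value has no effect on DFSR-replicated SYSVOL and the restore would silently do nothing.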

5 additional answers

  1. Dave Patrick 426.2K Reputation points MVP
    2023-10-19T14:37:32.4366667+00:00

    Please run;

    Dcdiag /v /c /d /e /s:%computername% >C:\dcdiag.log (run on PDC emulator)
    repadmin /showrepl >C:\repl.txt (run on any domain controller)
    ipconfig /all > C:\%computername%.txt (run on EVERY domain controller)

    Also check the domain controller System and Replication (DFS or FRS) event logs for errors since last boot. Post the Event Source and Event IDs of any found. (no evtx files)

    Then put the unzipped text files up on OneDrive and share a link.

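The reply asks for three command outputs plus the Event Source and Event IDs from the System and replication logs since the last boot. As an added example (not the reply's own script), the following collects those files per host and summarises the error and warning events since boot grouped by source and ID, which is the form a reviewer can read instead of evtx files. It assumes an elevated PowerShell on the DC; the output directory C:\dc-diag and the function names are mine.

```powershell
# Added example (not from the thread): collect the requested diagnostics and
# summarise error events since the last boot per (source, event ID).
# Assumptions (mine): run elevated on the DC; $OutDir is my choice.

function Get-LastBootTime {
    (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
}

function Export-DcDiagnostics {
    param([string]$OutDir = 'C:\dc-diag')
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $name = $env:COMPUTERNAME
    # The same three commands the reply asks for, written per host so files
    # collected from several DCs do not overwrite each other.
    & dcdiag /v /c /d /e "/s:$name" | Out-File -FilePath (Join-Path $OutDir "dcdiag-$name.log")
    & repadmin /showrepl            | Out-File -FilePath (Join-Path $OutDir "repl-$name.txt")
    & ipconfig /all                 | Out-File -FilePath (Join-Path $OutDir "ipconfig-$name.txt")
    Get-ChildItem -Path $OutDir
}

function Get-ReplicationLogErrors {
    param([datetime]$Since = (Get-LastBootTime))
    # Only query logs that exist here: the FRS and DFSR logs are present
    # depending on which engine replicates SYSVOL in the domain.
    $candidates = 'System', 'Directory Service', 'File Replication Service', 'DFS Replication'
    $present = (Get-WinEvent -ListLog $candidates -ErrorAction SilentlyContinue).LogName
    $present | ForEach-Object {
        # Level 1 = Critical, 2 = Error, 3 = Warning
        Get-WinEvent -FilterHashtable @{ LogName = $_; Level = 1, 2, 3; StartTime = $Since } `
            -ErrorAction SilentlyContinue
    } | Group-Object ProviderName, Id | ForEach-Object {
        $first = $_.Group | Sort-Object TimeCreated | Select-Object -First 1
        [pscustomobject]@{
            Log       = $first.LogName
            Source    = $first.ProviderName   # the Event Source the reply asks for
            EventId   = $first.Id
            Count     = $_.Count
            FirstSeen = $first.TimeCreated
            Summary   = ($first.Message -split "`r?`n")[0]
        }
    } | Sort-Object Count -Descending
}

Export-DcDiagnostics
Get-ReplicationLogErrors | Format-Table -AutoSize
```

Run it on every DC and paste the Get-ReplicationLogErrors table; the grouping keeps a repeating replication failure (for example the same source and ID logged every 15 minutes) to one line with a count.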

  2. Lee, Yongil 20 Reputation points
    2023-10-19T14:45:18.6333333+00:00

    Thank you for your reply.

    When running dcdiag, there is an error.

    [screenshot of the dcdiag error]

    I think this is due to the server not being connected?

    Do you think it is ok to connect it to the network?


  3. Dave Patrick 426.2K Reputation points MVP
    2023-10-19T14:49:15.64+00:00

    I think this is due to the server not being connected?

    That's possible though no way to know really. Try running on the other one.

    Do you think it is ok to connect it to the network?

    I don't see why not unless I'm missing something? How else is it going to work?


  4. Lee, Yongil 20 Reputation points
    2023-10-19T16:08:22.8966667+00:00

    I found another error after the reboot (also there was a Windows update, which is done).

    In Directory Service, Event ID 1126:

    Active Directory Domain Services was unable to establish a connection with the global catalog.

    Additional Data

    Error value:

    1355 The specified domain either does not exist or could not be contacted.

    Internal ID:

    32015b7

    User Action:

    Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.
