Replication errors EventID 2089 and failed kcc event after running DCDiag

I ran DcDiag after rebooting a Domain Controller I could not log on to. Here is the output:


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Lucan-Campus\BENDC1
      Starting test: Connectivity
         ......................... BENDC1 passed test Connectivity

Doing primary tests
   
   Testing server: Lucan-Campus\BENDC1
      Starting test: Replications
         ......................... BENDC1 passed test Replications
      Starting test: NCSecDesc
         ......................... BENDC1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... BENDC1 passed test NetLogons
      Starting test: Advertising
         ......................... BENDC1 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... BENDC1 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... BENDC1 passed test RidManager
      Starting test: MachineAccount
         ......................... BENDC1 passed test MachineAccount
      Starting test: Services
         ......................... BENDC1 passed test Services
      Starting test: ObjectsReplicated
         ......................... BENDC1 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... BENDC1 passed test frssysvol
      Starting test: frsevent
         ......................... BENDC1 passed test frsevent
      Starting test: kccevent
         An Warning Event occured.  EventID: 0x80250829
            Time Generated: 11/18/2008   11:52:44
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x80250829
            Time Generated: 11/18/2008   11:52:44
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x80250829
            Time Generated: 11/18/2008   11:52:44
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x80250829
            Time Generated: 11/18/2008   11:52:44
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x80250829
            Time Generated: 11/18/2008   11:52:44
            (Event String could not be retrieved)
         ......................... BENDC1 failed test kccevent
      Starting test: systemlog
         ......................... BENDC1 passed test systemlog
      Starting test: VerifyReferences
         ......................... BENDC1 passed test VerifyReferences
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : benrad
      Starting test: CrossRefValidation
         ......................... benrad passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... benrad passed test CheckSDRefDom
   
   Running enterprise tests on : benrad.local
      Starting test: Intersite
         ......................... benrad.local passed test Intersite
      Starting test: FsmoCheck
         ......................... benrad.local passed test FsmoCheck


Everything passes OK except kccevent.

In eventvwr I get the following:
-------------------------------------------------------------------------------------------------------------------------
Event Type:      Warning
Event Source:      NTDS Replication
Event Category:      Backup
Event ID:      2089
Date:            18/11/2008
Time:            11:52:44 AM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      BENDC1
Description:
This directory partition has not been backed up since at least the following number of days.
 
Directory partition:
CN=Configuration,DC=benrad,DC=local
 
'Backup latency interval' (days):
30
 
It is recommended that you take a backup as often as possible to recover from accidental loss of data. However if you haven't taken a backup since at least the 'backup latency interval' number of days, this message will be logged every day until a backup is taken. You can take a backup of any replica that holds this partition.
 
By default the 'Backup latency interval' is set to half the 'Tombstone Lifetime Interval'. If you want to change the default 'Backup latency interval', you could do so by adding the following registry key.
 
'Backup latency interval' (days) registry key:
System\CurrentControlSet\Services\NTDS\Parameters\Backup Latency Threshold (days)


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------------------------------------------------------------------------------------

There are 5 of these errors corresponding with the output of DCDiag.


Can anyone provide any troubleshooting ideas to locate and fix the cause of this issue?

The logon issue was caused by a VM backup of the domain controllers. I have not found out what happened, but I had multiple errors on the DC relating to KDC and DNS etc. until it was rebooted.

Asked by: PACSAdmin
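The question pairs DCDiag's five kccevent warnings (EventID 0x80250829) with the five Event ID 2089 entries in the event log. As an added example (not part of the original thread), the sketch below decodes the 32-bit identifier DCDiag prints into severity, facility and the decimal ID that Event Viewer shows, then counts the entries; the sample text is constructed from the output quoted above and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the kccevent lines from the quoted DCDiag output (abridged).
SAMPLE = (
    "      Starting test: kccevent\n"
    + 5 * ("         An Warning Event occured.  EventID: 0x80250829\n"
           "            Time Generated: 11/18/2008   11:52:44\n")
    + "         ......................... BENDC1 failed test kccevent\n"
)

SEVERITY = {0: "Success", 1: "Informational", 2: "Warning", 3: "Error"}
EVENT_RE = re.compile(r"EventID:\s*(0x[0-9A-Fa-f]{8})")
TIME_RE = re.compile(r"Time Generated:\s*(\S+)\s+(\S+)")

def decode_event_id(raw):
    """Split a 32-bit event identifier into (severity, facility, event_id)."""
    value = int(raw, 16)
    severity = SEVERITY[value >> 30]     # top two bits
    facility = (value >> 16) & 0x0FFF    # 12-bit facility field
    event_id = value & 0xFFFF            # low 16 bits: the ID Event Viewer shows
    return severity, facility, event_id

def summarize(dcdiag_text):
    """Count (event_id, severity, timestamp) entries reported by DCDiag."""
    counts = Counter()
    pending = None
    for line in dcdiag_text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            pending = decode_event_id(m.group(1))
            continue
        t = TIME_RE.search(line)
        if t and pending:
            severity, _, event_id = pending
            counts[(event_id, severity, f"{t.group(1)} {t.group(2)}")] += 1
            pending = None
    return counts

if __name__ == "__main__":
    for (event_id, severity, when), n in summarize(SAMPLE).items():
        print(f"Event ID {event_id} ({severity}) x{n} at {when}")
```

The decoded ID, severity and timestamp (2089, Warning, 11:52:44) are the same values shown in the Event ID 2089 entry quoted in the question.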
 
Hypercat (Deb) Commented:
Is there a space problem on the system partition of this server? It looks as though the log files for the NTDS database have been lost or corrupted in some way.

What else is running on this server? Do you have other DCs locally at this site? Is the server operating normally at this point, or is it unable to replicate with the other DCs?

I might be tempted at this point to wipe AD off this computer through dcpromo and then re-promote it after replication has completed to your other DCs.  If it can demote gracefully, that might be a quicker and better solution than trying to figure out how this server's database got corrupted and how to fix it.
 
PACSAdmin (Author) Commented:
Extra information that may be related

Errors in eventvwr at time backups started
----------------------------------------------------------------------------
Event Type:      Error
Event Source:      NTDS ISAM
Event Category:      General
Event ID:      482
Date:            18/11/2008
Time:            12:02:17 AM
User:            N/A
Computer:      BENDC1
Description:
NTDS (560) NTDSA: An attempt to write to the file "C:\WINDOWS\NTDS\edb.log" at offset 4812288 (0x0000000000496e00) for 512 (0x00000200) bytes failed after 0 seconds with system error 1784 (0x000006f8): "The supplied user buffer is not valid for the requested operation. ".  The write operation will fail with error -1011 (0xfffffc0d).  If this error persists then the file may be damaged and may need to be restored from a previous backup.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
---------------------------------------------------------------------------------------------------------------------
Event Type:      Error
Event Source:      NTDS ISAM
Event Category:      Logging/Recovery
Event ID:      417
Date:            18/11/2008
Time:            12:02:17 AM
User:            N/A
Computer:      BENDC1
Description:
NTDS (560) NTDSA: Unable to write to section 3 while flushing logfile C:\WINDOWS\NTDS\edb.log. Error -1011 (0xfffffc0d).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------------------------------------------------------------------------------------
Event Type:      Error
Event Source:      NTDS ISAM
Event Category:      Logging/Recovery
Event ID:      492
Date:            18/11/2008
Time:            12:02:17 AM
User:            N/A
Computer:      BENDC1
Description:
NTDS (560) NTDSA: The logfile sequence in "C:\WINDOWS\NTDS\" has been halted due to a fatal error.  No further updates are possible for the databases that use this logfile sequence.  Please correct the problem and restart or restore from backup.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------------------------------------------------------------------------------------
Event Type:      Error
Event Source:      NTDS ISAM
Event Category:      Logging/Recovery
Event ID:      471
Date:            18/11/2008
Time:            12:02:17 AM
User:            N/A
Computer:      BENDC1
Description:
NTDS (560) NTDSA: Unable to rollback operation #29937 on database C:\WINDOWS\NTDS\ntds.dit. Error: -510. All future database updates will be rejected.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------------------------------------------------------------------------------------

 
PACSAdmin (Author) Commented:
Things seem to have settled down now. What seems to have happened is that during a VCB backup something went haywire and as a result DC1, which is the global catalog, stopped authenticating, replicating etc. I was unable to log on to this server (even locally), so I had to do an ungraceful reboot. It took about 4 hours for everything to settle down after the reboot. I am no longer getting any errors in eventvwr and DCDIAG passes all tests. I have tested that replication is working, so I am a bit perplexed as to why the VM backup killed this server when all it does is snapshot the DCs, mount the snapshots to a network share that is backed up, and then delete the snapshot.

As a side note, what is the best way to confirm that the ntds.dit file is not corrupted?
Question has a verified solution.
