AD Replication Problem with Event ID 2022 & 2091

    Question

  • Hi all,

    The joys of working the Christmas & New Year break.

    Today I've come across one of the Windows 2008 R2 domain controllers in our domain in a JRNL_WRAP_ERROR state. The "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NtFrs\Parameters=1" registry key has failed to fix the problem so I've been digging deeper.

    The forest is at "Windows Server 2003" functional level, there are a number of Windows 2008 R2 domain controllers & one Windows 2003 domain controller. For business reasons we are not able to eliminate the Windows 2003 DC at the moment. The DNS service used throughout the organisation is a supported but non Windows service.

    Keep in mind I'm not trying to demote or promote any DCs, the only problem observed (so far) is inbound replication of the domain NC to one of the domain controllers. On the problematic DC the following events are logged in the Directory Service event log.

    EventID 2091

    Ownership of the following FSMO role is set to a server which is deleted or does not exist.
    Operations which require contacting a FSMO operation master will fail until this condition is corrected.
    FSMO Role: CN=Infrastructure,DC=ForestDnsZones,DC=<domain>
    FSMO Server DN: CN=NTDS Settings\0ADEL:e760f031-a906-4047-8d28-12529d4df7c0,CN=<ExistingDCName>\0ADEL:d7f2d245-6df3-412d-9097-ee69b59685a1,CN=Servers,CN=<SITE>,CN=Sites,CN=Configuration,DC=<domain>

    EventID 2022

    The operations master roles held by this directory server could not transfer to the following remote directory server.
    Remote directory server:
    \\<ServerFQDN>
    This is preventing removal of this directory server.
    User Action
    Investigate why the remote directory server might be unable to accept the operations master roles, or manually transfer all the roles that are held by this directory server to the remote directory server. Then, try to remove this directory server again.

    OK - weird. I'm not trying to remove the directory server nor have any DCPromo events taken place in the last few months.

    One article I came across from NetworkAdminKB suggests the fSMORoleOwner property of the CN=Infrastructure,DC=DomainDnsZones,DC=<DOMAIN> object is invalid. Which in fact it is. The value on this property is currently set to the "FSMO Server DN" value shown above.

    Perhaps I'm being a little over cautious in not wanting to correct the value without further research?

    Could anyone share their experience with correcting this value, or perhaps someone from Microsoft confirming the correction of the value is OK to make?

    Thank you in advance, Scott.

    Monday, December 30, 2013 2:53 AM

Answers

  • Thanks Vivian,

    I did update the value using ADSIEdit on one of the 'good' DCs; however, this did not replicate to the 'bad' DC. I tried updating the value on the bad DC and got this error:

            Operation failed. Error code 0x20ae
            The role owner attribute could not be read.
            000020AE: SvcErr: DSID-03152965, problem 5003
            (WILL_NOT_PERFORM), data 0

    I then (for the first time) saw an event log entry advising the AD DB was corrupt. I verified this by booting into DSRM and running the ntdsutil file integrity. Sure enough, the report was a corrupt database. I found another problem during this with the backups so decided to rebuild the DC and DCPromo back to a domain controller.

    Things are now looking good. I dare say the DB was corrupt all along but perhaps just not reporting so. In any case, thanks for everyone's input & I no longer need assistance with this issue.

    Happy New Year!

    Thursday, January 02, 2014 1:59 AM
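
A read-only way to see what the question and this answer describe: list every fSMORoleOwner value in each naming context as seen by each DC, and flag owners whose DN carries the deleted-object marker (`\0ADEL:<GUID>`) shown in event 2091. This is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module and AD Web Services on the DCs queried, and the DC names and the `Test-MangledDn` helper are hypothetical placeholders.

```powershell
# Added example: read-only check, makes no changes to the directory.
# Assumes the ActiveDirectory module (RSAT) and AD Web Services on each DC queried.
Import-Module ActiveDirectory

# Placeholder DC names (hypothetical); replace with the DCs to compare.
$DomainControllers = 'dc-good.example.com', 'dc-bad.example.com'

function Test-MangledDn {
    param([string]$DistinguishedName)
    # Deleted objects have "\0ADEL:<objectGUID>" appended to an RDN, as in event 2091.
    return $DistinguishedName -match '\\0ADEL:[0-9a-fA-F-]{36}'
}

$results = foreach ($dc in $DomainControllers) {
    try {
        $rootDse = Get-ADRootDSE -Server $dc -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read RootDSE from ${dc}: $($_.Exception.Message)"
        continue
    }
    # Domain, Configuration, Schema and application partitions (DomainDnsZones, ForestDnsZones).
    foreach ($nc in $rootDse.namingContexts) {
        try {
            Get-ADObject -Server $dc -SearchBase $nc -LDAPFilter '(fSMORoleOwner=*)' `
                         -Properties fSMORoleOwner -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{
                        QueriedDC  = $dc
                        RoleObject = $_.DistinguishedName
                        RoleOwner  = $_.fSMORoleOwner
                        Mangled    = Test-MangledDn $_.fSMORoleOwner
                    }
                }
        } catch {
            Write-Warning "Search of ${nc} on ${dc} failed: $($_.Exception.Message)"
        }
    }
}

# Same RoleObject with different RoleOwner values per DC means the copies have diverged.
$results | Sort-Object RoleObject, QueriedDC | Format-Table -AutoSize -Wrap
```

A role object whose owner is flagged on one DC but not on another matches the situation in this thread, where the corrected value existed on the 'good' DC but never reached the 'bad' one.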

All replies

  • First you need to verify the FSMO role holder server; it seems that the Infrastructure FSMO role holder server has been removed from the network. Run netdom query fsmo to verify this. If the FSMO role holder server is missing, you need to seize the FSMO role. You also need to verify the health of the DC with dcdiag /q and repadmin /replsum. If instances of an orphaned DC are present, you need to run a metadata cleanup.

    Complete Step by Step Guideline to Remove an Orphaned Domain controller (including seizing FSMOs, running a metadata cleanup, and more)
    http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx

    Regarding JRNL_WRAP_ERROR: it occurs due to the drive/partition being corrupted, antivirus locking and corrupting files during a sysvol scan, or heavy file sizes inside the sysvol and netlogon shares.

    The solution is listed in your event log.

    Expand HKEY_LOCAL_MACHINE.
    Click down the key path: "System\CurrentControlSet\Services\NtFrs\Parameters"
    Double click on the value name  "Enable Journal Wrap Automatic Restore" and update the value.

    If the JRNL_WRAP_ERROR occurs frequently, you need to exclude sysvol/netlogon from antivirus scans, check the drive for corruption or bad sectors, and also restore sysvol using the burflag key.
    http://msdn.microsoft.com/en-us/library/windows/desktop/cc507518%28v=vs.85%29.aspx

    what-happens-in-a-journal-: http://blogs.technet.com/b/instan/archive/2009/07/14/what-happens-in-a-journal-wrap.aspx


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, December 30, 2013 3:34 PM
  • Thanks for your comment Sandesh.

    I should've confirmed in my original post that the current FSMO roles are all set on valid & working DCs. We don't have any orphaned DCs so don't need a metadata cleanup. Another environment I have access to went through a similar upgrade (2000 > 2003 > 2008) and has the same issue. Seeing as the current Infrastructure FSMO role holder is still online & working, I wonder if a simple "move" of the role holder will correct the attribute. I'll try this before updating manually.

    As for the JRNL_WRAP_ERROR - it was actually fixed yesterday after changing the reg key to 1 as verified by a test file in the Netlogon share. I've now changed the reg key back to 0.

    Monday, December 30, 2013 9:46 PM
  • Hi,

    It seems like infrastructure FSMO role server value has a wrong/garbage value.

    I think you should edit the attribute by using adsiedit.msc.

    For more detailed information, please check this blog:

    http://blog.mpecsinc.ca/2011/03/ad-ds-operation-failed-directory.html

    Hope this helps.

    Regards.



    Vivian Wang

    Tuesday, December 31, 2013 7:53 AM
    Moderator
  • Hi,

    I just want to confirm what the current situation is.

    Please feel free to let us know if you need further assistance.

    Regards.



    Vivian Wang

    Thursday, January 02, 2014 1:22 AM
    Moderator
  • Hi,

    Glad to hear that.

    And thanks for your good sharing.

    Happy New Year!


    Vivian Wang

    Thursday, January 02, 2014 6:00 AM
    Moderator