event id 2089 domain controller

[meetoo]

We are backing up 3 domain controllers via Veeam 9.5 u2. 2 of the DC’s are backing up fine, but yesterday & today we got this event on the 3rd DC.

22 Jun 2018 02:51:40 PM
Computer: [DC1]
Monitor: [Event Log Monitor]
Description:
* Event Time: 22 Jun 2018 02:47:36 PM
* Source: Microsoft-Windows-ActiveDirectory_DomainService
* Event Log: Directory Service
* Type: Warning
* Event ID: 2089
* Event User: NT AUTHORITY\ANONYMOUS LOGON
* This directory partition has not been backed up since at least the following number of days.

Directory partition:
DC=DomainDnsZones,DC=domain1,DC=domain2,DC=local

'Backup latency interval' (days):
30

It is recommended that you take a backup as often as possible to recover from accidental loss of data. However if you haven't taken a backup since at least the 'backup latency interval' number of days, this message will be logged every day until a backup is taken. You can take a backup of any replica that holds this partition.

By default the 'Backup latency interval' is set to half the 'Tombstone Lifetime Interval'. If you want to change the default 'Backup latency interval', you could do so by adding the following registry key.

'Backup latency interval' (days) registry key:
System\CurrentControlSet\Services\NTDS\Parameters\Backup Latency Threshold (days)

The DC is successfully backing up in Veeam.

Suggestions?

Thanks

[nielsengelen]

Have a look at the following thread and see if this helps with the issue/information warning. It can be ignored if your backup runs without issues.

If you want to ignore this informational message you can remove the DWORD in the registry:
System\CurrentControlSet\Services\NTDS\Parameters\Backup Latency Threshold (days) (30).

[meetoo]

Thanks! I saw that thread, but there are no 'Domain Controller' options under Application Aware Processing, plus no other DC's are generating this event, so I am hesitant to ignore it.

[nielsengelen]

It is just related to a windows settings. If you enable application aware processing we’ll do the actions needed via VSS. If this is enabled for this domain controller, you might want to contact support for more insight.

[meetoo]

I think the problem is related to the server being a DC & also a DNS server. I created a specific domain admin account to use for the app-aware processing, but the job still fails. My other DC's running DNS are physical & backup via the agent with no issues.

[foggy]

What do you mean by "the job still fails"? In your original post you mentioned that the DC is successfully backed up.

[meetoo]

Sorry. To clarify, originally i backed it up as a non app-aware job, which was 'successful', but the event referenced above occurred. I then changed to app-aware & now the job fails.

Code: Select all

7/18/2018 3:35:48 AM :: Processing DC1 Error: Failed to connect to guest agent. Errors:
'Cannot connect to the host's administrative share. Host:  [dc1]. Account: [domain\domainadminaccount].
Win32 error:An extended error has occurred.
 Code: 1208
Cannot connect to the host's administrative share. Host:  [111.11.11.111]. Account: [domain\domainadminaccount].
Win32 error:An extended error has occurred.
 Code: 1208
'

[foggy]

Ah, that explains the initial message. You should always backup a DC with app-aware processing enabled.

To troubleshoot the last error, are you able to open the administrative share on this VM manually using the same account you specify in the job settings?

[meetoo]

At the beginning I created a user account & dropped it in Domain Admin to use as the service account for this job. As a security measure, I locked the account to only have access to the domain controller in question. This caused VSS errors, so I removed the lock, rebooted the DC & now the app-aware backup is successful.

[foggy]

Thanks for letting us know the solution, much appreciated.