A Windows Server 2003 Service Pack 1-based computer logs a Warning event when an operations master role is removed (914032)



The information in this article applies to:

  • Microsoft Windows Server 2003 SP1, when used with:
    • Microsoft Windows Server 2003, Standard Edition
    • Microsoft Windows Server 2003, Enterprise Edition
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Standard x64 Edition

INTRODUCTION

In the Active Directory directory service, operations master role connectivity problems are not reported in Event Viewer. No processes run on the original release version of Windows Server 2003 that monitor the health or availability of operations master roles. Therefore, it is frequently not clear that an operations master is missing until an operation that depends on the operations master is performed.

Operations master roles may be silently removed when a domain controller suffers a hardware or software failure and the domain controller is not restored from backup. You can also silently remove an operations master role from the domain or from the forest by running the following command:

dcpromo /forceremoval

Windows Server 2003 Service Pack 1 (SP1) records when an operations master role is removed. Certain conditions that affect operations masters cause Windows Server 2003 SP1-based domain controllers to log a Warning event in the Directory Services event log.

MORE INFORMATION

The following conditions cause the NTDS Replication event source to generate a Warning event:
  • Operations master role holder is not set or is not readable
    The domain controller tries to read the fsmoRoleOwner attribute from the directory for each operations master role. If a domain controller cannot read this value or if the value is not set, a Warning event is logged to the Directory Services event log.
  • Operations master role is set to a domain controller that is deleted
    In this case, a check is made to make sure an operations master role is not assigned to a deleted Directory System Agent.

    Note A condition may occur where the deletion of a Directory System Agent has successfully replicated to the domain controller. However, the transfer of operations master role ownership has not occurred. This condition causes a false positive Warning event.
  • Operations master self-ownership is not valid
    The local server is the operations master role owner. However, the server has disqualified itself because it has not replicated incoming changes for locally held partitions after a restart. This behavior makes initial synchronization problems easier to find. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    305476 Initial synchronization requirements for Windows 2000 Server and Windows Server 2003 operations master role holders

  • The operations master role owner does not respond
    The operations master role is assigned to a domain controller, but the domain controller has not responded recently. The response is determined by the delta of the last response and by the latency threshold. The default latency threshold is 24 hours. This setting is configurable by modifying the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CCS\Services\NTDS\Parameters\

    The response of a domain controller that is not a direct replication partner of an operations master owner is determined by using time stamps on the up-to-date vector updates. Physical remote procedure call (RPC) connectivity between a domain controller and an operations master role owner is not verified.

    Note A condition may occur where the operations master role owner may be set, but the owner does not respond. This behavior can occur when the owner has never replicated with the local domain controller. In this case, Active Directory assumes replication latency and does not log an event.

When any one of these conditions is true, one or more error messages that are similar to the following may be logged in the Directory Services event log.

Error message 1

Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 2091
Description: Ownership of the following FSMO role is set to a server which is deleted or does not exist. Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: CN=RID Manager$,CN=System,DC=r2,DC=sp1,DC=ws03,DC=com
FSMO Server DN: CN=NTDS Settings\0ADEL:1ee76061-8332-4a5d-9255-2d17eb1c8cdd,CN=DC01,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=Contoso,DC=com

User Action:
1. Determine which server should hold the role in question.
2. Configuration view may be out of date. If the server in question has been promoted recently, verify that the Configuration partition has replicated from the new server recently. If the server in question has been demoted recently and the role transferred, verify that this server has replicated the partition (containing the latest role ownership) lately.
3. Determine whether the role is set properly on the FSMO role holder server. If the role is not set, utilize NTDSUTIL.EXE to transfer or seize the role. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
4. Verify that replication of the FSMO partition between the FSMO role holder server and this server is occurring successfully. The following operations may be impacted:

Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory accounts.
RID: You will not be able to allocate new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

For more information, see Help and Support Center at http://support.microsoft.com.

Error message 2

Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 2092
Description: This server is the owner of the following FSMO role but does not consider it valid. For the partition which contains the FSMO this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role. Operations which require contacting a FSMO operation master will fail until this condition is corrected.

FSMO Role: CN=Schema,CN=Configuration,DC=Domain,DC=Extension

User Action:
1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors. Correct the error in question. For example, there may be problems with IP connectivity, DNS name resolution or security authentication that are preventing successful replication.
3. In the rare event that all replication partners being down is an expected occurrence, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.

The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations such as Group Policy updates and password resets for non-Active Directory accounts.
RID: You will not be able to allocate new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

Error message 3

Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 2093
Description: The remote server which is the owner of a FSMO role is not responding. This server has not replicated with the FSMO role owner recently. Operations which require contacting a FSMO operation master will fail until this condition is corrected.

FSMO Role: DC=r2,DC=sp1,DC=ws03,DC=com
FSMO Server DN: CN=NTDS Settings,CN=DC01,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=contoso,DC=com
Latency threshold (hours): 24
Elapsed time since last successful replication (hours): 195

User Action: This server has not replicated successfully with the FSMO role holder server.
1. The FSMO role holder server may be down or not responding. Please address the problem with this server.
2. Determine whether the role is set properly on the FSMO role holder server. If the role needs to be adjusted, utilize NTDSUTIL.EXE to transfer or seize the role. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
3. If the FSMO role holder server used to be a domain controller, but was not demoted successfully, then the objects representing that server are still in the forest. This can occur if a domain controller has its operating system reinstalled or if a forced removal is performed. These lingering state objects should be removed using the NTDSUTIL.EXE metadata cleanup function.
4. The FSMO role holder may not be a direct replication partner. If it is an indirect or transitive partner, then there are one or more intermediate replication partners through which replication data must flow. The total end to end replication latency should be smaller than the replication latency threshold, or else this warning may be reported prematurely.
5. Replication is blocked somewhere along the path of servers between the FSMO role holder server and this server. Consult your forest topology plan to determine the likely route for replication between these servers. Check the status of replication using repadmin /showrepl at each of these servers.

The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory accounts.
RID: You will not be able to allocate new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

For more information, see Help and Support Center at http://support.microsoft.com
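As an added example (not part of this article or of the Windows event text), the following Python routine turns the description text of events 2091, 2092 and 2093 into a structured record that a monitoring pipeline can act on: it recovers the role and server DNs, flags the \0ADEL: deleted-object marker seen in Error message 1, and compares the elapsed hours against the latency threshold reported in Error message 3. The sample descriptions are constructed here from the messages quoted above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Event IDs documented in KB 914032 (source "NTDS Replication", Directory Services log).
FSMO_EVENT_IDS = {2091: "owner deleted or missing", 2092: "self-ownership not validated", 2093: "owner not responding"}

# DNs contain spaces ("CN=RID Manager$"), so capture to end of line or the next field label.
_ROLE = re.compile(r"FSMO Role:\s*(.*?)\s*(?:\r?\n|FSMO Server DN:|User Action:|$)")
_SERVER = re.compile(r"FSMO Server DN:\s*(.*?)\s*(?:\r?\n|User Action:|Latency threshold|$)")
_THRESHOLD = re.compile(r"Latency threshold \(hours\):\s*(\d+)")
_ELAPSED = re.compile(r"Elapsed time since last successful replication \(hours\):\s*(\d+)")

@dataclass
class FsmoAlert:
    event_id: int
    role_dn: Optional[str]
    server_dn: Optional[str]
    owner_deleted: bool             # server DN carries the \0ADEL: marker of a deleted object
    threshold_hours: Optional[int]  # event 2093 only
    elapsed_hours: Optional[int]    # event 2093 only

    def over_threshold(self) -> bool:
        """True when the owner has been silent longer than the configured latency threshold."""
        return (self.threshold_hours is not None and self.elapsed_hours is not None
                and self.elapsed_hours > self.threshold_hours)

def parse_fsmo_event(event_id: int, description: str) -> Optional[FsmoAlert]:
    """Parse the description of event 2091/2092/2093; return None for unrelated events."""
    if event_id not in FSMO_EVENT_IDS:
        return None
    role, server = _ROLE.search(description), _SERVER.search(description)
    threshold, elapsed = _THRESHOLD.search(description), _ELAPSED.search(description)
    server_dn = server.group(1) if server else None
    return FsmoAlert(event_id, role.group(1) if role else None, server_dn,
                     bool(server_dn and "\\0ADEL:" in server_dn),
                     int(threshold.group(1)) if threshold else None,
                     int(elapsed.group(1)) if elapsed else None)

# Constructed sample descriptions, shortened from the event text quoted in this article.
SAMPLE_2091 = r"""Ownership of the following FSMO role is set to a server which is deleted or does not exist.
FSMO Role: CN=RID Manager$,CN=System,DC=r2,DC=sp1,DC=ws03,DC=com
FSMO Server DN: CN=NTDS Settings\0ADEL:1ee76061-8332-4a5d-9255-2d17eb1c8cdd,CN=DC01,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=Contoso,DC=com User Action:"""
SAMPLE_2093 = r"""The remote server which is the owner of a FSMO role is not responding.
FSMO Role: DC=r2,DC=sp1,DC=ws03,DC=com
FSMO Server DN: CN=NTDS Settings,CN=DC01,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=contoso,DC=com
Latency threshold (hours): 24
Elapsed time since last successful replication (hours): 195"""
```

Feed `parse_fsmo_event` the event ID and message text of each NTDS Replication event you collect; an alert with `owner_deleted` set points at the metadata cleanup step in Error message 3, and `over_threshold()` distinguishes a genuinely silent owner from a freshly promoted one.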

Modification Type: Major
Last Reviewed: 9/22/2006
Keywords: kbhowto kbinfo KB914032 kbAudITPRO