Event ID 2089 — Backups

Applies To: Windows Server 2008

You should back up the directory database on a domain controller routinely so that if hardware fails or data becomes corrupt, you can quickly recover the information in the database.

Event Details

Product: Windows Operating System
ID: 2089
Source: Microsoft-Windows-ActiveDirectory_DomainService
Version: 6.0
Symbolic Name: DIRLOG_BACKUP_LATENCY_WARNINGS
Message: This directory partition has not been backed up since at least the following number of days. Directory partition: "DN of the partition" 'Backup latency interval' (days): "Value in days of the backup latency interval" It is recommended that you take a backup as often as possible to recover from accidental loss of data. However if you haven't taken a backup since at least the 'backup latency interval' number of days, this message will be logged every day until a backup is taken. You can take a backup of any replica that holds this partition. By default the 'Backup latency interval' is set to half the 'Tombstone Lifetime Interval'. If you want to change the default 'Backup latency interval', you could do so by adding the following registry key. 'Backup latency interval' (days) registry key: System\CurrentControlSet\Services\NTDS\Parameters\Backup Latency Threshold (days)

Resolve

Ensure that backups are taken more frequently than the backup latency interval

You should ensure that the Active Directory database is backed up more frequently than the backup latency interval for your forest, which by default is half the tombstone lifetime. In any case a backup must never be older than the tombstone lifetime, because a backup that old is not usable for restoring a domain controller. If you are using a non-Microsoft backup solution and you confirm that its backup interval is more frequent than the backup latency interval, you may want to contact the vendor of the backup solution so that they can register their backups in Active Directory Domain Services (AD DS), as recommended. This event and repadmin /showbackup only consider backups that are registered in AD DS, so unregistered backups do not stop the warning from being logged.

You can use Windows Server Backup or a non-Microsoft program to back up system state on a domain controller. If you plan to use a non-Microsoft program, check the software vendor’s instructions for completing and verifying the system state backup. For more information, see Steps for Backing Up and Recovering AD DS (https://go.microsoft.com/fwlink/?LinkId=151349).

The following procedures guide you through the process of installing Windows Server Backup and creating a manual backup from the command line. You may want to consider scheduling backups with the Task Scheduler application. For more information, see Task Scheduler How To (https://go.microsoft.com/fwlink/?LinkId=151352).

Membership in Builtin Administrators or Backup Operators, or equivalent, is the minimum required to complete these procedures. In addition, you must have write access to the target backup location. Review details about default group memberships at https://go.microsoft.com/fwlink/?LinkID=150761.

To install Windows Server Backup:

  1. Click Start, click Administrative Tools, and then click Server Manager. Right-click Features, and then click Add Features.
  2. Expand Windows Server Backup Features, and then click Windows Server Backup. As an option, you can also click Command-line Tools. Click Next.
  3. Click Install. After the installation is complete, click Close.

For additional options for installing Windows Server Backup, see Active Directory Backup and Restore in Windows Server 2008 (https://go.microsoft.com/fwlink/?LinkID=149696).

To perform a manual system state backup of a domain controller from a command prompt:

  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, enter the appropriate credentials (if requested) and confirm that the action it displays is what you want, and then click Continue.
  2. At the command prompt, type the following command, and then press ENTER: wbadmin start systemstatebackup -backuptarget:<drive>: -quiet. Substitute the actual drive letter or volume to which you want to send the backup for <drive>. If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the backup operation. The target volume for a system state backup can be a local drive, but it cannot be any of the volumes that are included in the backup by default.

Note: To store the system state backup on a volume that is included in the backup, you must add the AllowSSBToAnyVolume registry entry to the server that you are backing up. There are also some prerequisites for storing system state backup on a volume that is included in the backup. For more information, see Known Issues for AD DS Backup and Recovery (https://go.microsoft.com/fwlink/?LinkID=117940).

For more information, see Create Backups of the System State Using a Command Line (https://go.microsoft.com/fwlink/?LinkID=151353).
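The procedure above, as an added PowerShell example that is not part of the original page: it runs the same wbadmin system state backup unattended, refuses a target that is part of the system state, keeps a per-run log, and can register the command as a daily task with schtasks.exe so the backup stays inside the backup latency interval. The drive letter E:, the folder E:\ADBackupLogs, the task name and the 02:00 start time are assumed values; the script requires wbadmin.exe (Windows Server Backup) and membership in Backup Operators or better.

```powershell
# Added example, not from the original page or from Microsoft's documentation.
# Assumed values: E: is a dedicated local backup volume that is not included in
# the system state, E:\ADBackupLogs holds the run logs.
param(
    [string]$BackupTarget = 'E:',
    [string]$LogDir = 'E:\ADBackupLogs',
    [switch]$RegisterDailyTask,
    [string]$TaskTime = '02:00'
)

function Test-BackupTarget {
    param([string]$Target)
    # wbadmin rejects a target that is itself part of the system state unless the
    # AllowSSBToAnyVolume registry entry is set; the system drive is the usual mistake.
    $drive = $Target.TrimEnd('\')
    if ($drive -ieq $env:SystemDrive) {
        throw "Target $Target is the system volume; choose a volume that is not included in the system state backup."
    }
    if (-not (Test-Path "$drive\")) { throw "Target volume $Target is not present." }
}

function Invoke-SystemStateBackup {
    param([string]$Target, [string]$LogDir)
    Test-BackupTarget -Target $Target
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $log = Join-Path $LogDir ("systemstate-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))

    # -quiet suppresses the Y/N prompt so the command can run from a scheduled task.
    & wbadmin.exe start systemstatebackup "-backuptarget:$Target" -quiet 2>&1 |
        ForEach-Object { "$_" } | Tee-Object -FilePath $log
    if ($LASTEXITCODE -ne 0) {
        throw "wbadmin exited with code $LASTEXITCODE; review $log and the Backup event log."
    }
    "System state backup finished; log written to $log"
}

function Register-DailySystemStateBackup {
    param([string]$Target, [string]$At)
    # Runs as SYSTEM so no credentials are stored; /RL HIGHEST avoids a UAC prompt.
    $cmd = "wbadmin start systemstatebackup -backuptarget:$Target -quiet"
    & schtasks.exe /Create /F /SC DAILY /ST $At /RU SYSTEM /RL HIGHEST `
        /TN 'AD DS System State Backup' /TR $cmd
    if ($LASTEXITCODE -ne 0) { throw "schtasks failed with code $LASTEXITCODE" }
}

if ($RegisterDailyTask) {
    Register-DailySystemStateBackup -Target $BackupTarget -At $TaskTime
} else {
    Invoke-SystemStateBackup -Target $BackupTarget -LogDir $LogDir
}
```

A daily task keeps every partition well inside even a 30-day backup latency interval (half of a 60-day tombstone lifetime). Because Windows Server Backup registers each system state backup in AD DS, repadmin /showbackup and this event will reflect the new backups without any extra step.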

Verify

Ensure that the domain controller is configured to back up the directory database within a time interval that is more frequent than the tombstone lifetime for the forest. If the forest functional level has been raised to Windows Server 2008 R2 and the Active Directory Recycle Bin feature is enabled, backups should occur more frequently than the lesser of the values that are set for the tombstoneLifetime and msDS-deletedObjectLifetime attributes.

Note: If no value is set for msDS-deletedObjectLifetime, the value that is set for the tombstoneLifetime is used.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about default group memberships at https://go.microsoft.com/fwlink/?LinkID=150761.

Check the value for the backup latency interval threshold

The default time period of the backup latency interval is half the tombstone lifetime value, when the Active Directory Recycle Bin feature is not enabled. The default tombstone lifetime is 60 or 180 days, depending on the domain controller operating system version that was used to create the forest. For more information, see Determine the Tombstone Lifetime for the Forest (https://go.microsoft.com/fwlink/?LinkID=137177). If the Active Directory Recycle Bin is enabled, the backup latency interval becomes half the lesser of the values of tombstoneLifetime and msDS-deletedObjectLifetime.

Note: After the Active Directory Recycle Bin feature is enabled, it cannot be disabled.

To check the value of the backup latency interval:

  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. At the command prompt, type regedit, and then press ENTER.
  3. In the Registry Editor, navigate to the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\
  4. In the details pane, determine whether there is a Backup Latency Threshold (days) value. If there is a value, note the value that is configured here.
  5. To check the value of the tombstone lifetime, at a command prompt, type the following command, and then press ENTER: dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<forestDN>" -scope base -attr tombstonelifetime. Substitute the actual forest distinguished name for <forestDN>. For example, if your forest name is corp.cpandl.com, the forest distinguished name is dc=corp,dc=cpandl,dc=com. The command returns the attribute name tombstonelifetime together with its value. Divide the value by two to determine the default backup latency interval, which is in effect if no Backup Latency Threshold (days) value is defined. If no value is returned for tombstonelifetime, the attribute is not set and the forest uses the default of 60 days.
  6. If the Active Directory Recycle Bin optional feature is enabled, check the value of the msDS-deletedObjectLifetime attribute by running the following command: dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<forestDN>" -scope base -attr msDS-deletedObjectLifetime
  7. As in the previous step, substitute the actual forest distinguished name for <forestDN>. If no value is shown for msDS-deletedObjectLifetime, its value is equal to the value of tombstoneLifetime.

For more information about the Active Directory Recycle Bin and its relationship to the useful backup lifetime, see Scenario Overview for Restoring Deleted Active Directory Objects (https://go.microsoft.com/fwlink/?LinkID=148279).

Check when a backup was last taken

To check when the last backup was registered in AD DS:

  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, enter the appropriate credentials (if requested) and confirm that the action it displays is what you want, and then click Continue.
  2. At the command prompt, type repadmin /showbackup, and then press ENTER. Review the Org.Time/Date column to see when the most recent backup of the Active Directory database was made. This is the value that you use to determine whether your last backup is too old (as defined in the backup latency interval).

If you use a non-Microsoft backup solution and you know that backups were taken more recently than the date that you just retrieved, you may want to contact the vendor of the backup solution so that they can register their backups in AD DS as recommended. If the date you retrieved is older than the tombstone lifetime, it is critical that you take a backup of your Active Directory environment.
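The two checks above (the backup latency interval in "Check the value for the backup latency interval threshold" and the last registered backup in "Check when a backup was last taken"), combined into one added PowerShell example that is not part of the original page. It derives the effective interval exactly as the event message defines it (registry override, otherwise half of the smaller of tombstoneLifetime and msDS-deletedObjectLifetime, with the 60-day default when tombstoneLifetime is unset), then parses repadmin /showbackup and flags every partition whose registered backup is at least that old. Assumptions: it runs on a domain controller or a machine with repadmin.exe and LDAP access to one; the Org.Time/Date value is treated as local time; and the repadmin output layout matches the constructed sample embedded below (partition DNs at column 0, an Org.Time/Date line per dSASignature entry). Run with -UseSample to exercise the parser offline against that constructed sample.

```powershell
# Added example, not from the original page. The sample repadmin output below is
# constructed for the corp.cpandl.com forest named on the page; the layout it
# assumes is an approximation of real repadmin /showbackup output.
param([switch]$UseSample)

function Get-BackupLatencyThresholdDays {
    # 1. An explicit registry override wins.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $regName = 'Backup Latency Threshold (days)'
    $item = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
    if ($item -and $null -ne $item.$regName) {
        return New-Object PSObject -Property @{ Days = [int]$item.$regName; Source = 'registry override' }
    }
    # 2. Otherwise half the tombstone lifetime, or half of msDS-deletedObjectLifetime
    #    when the Recycle Bin is enabled and that value is smaller.
    $configNC = "$(([ADSI]'LDAP://RootDSE').configurationNamingContext)"
    $dsConfig = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $tsl = $dsConfig.Properties['tombstoneLifetime'].Value
    if (-not $tsl) { $tsl = 60 }        # attribute not set: the 60-day default applies
    $dol = $dsConfig.Properties['msDS-deletedObjectLifetime'].Value
    if (-not $dol) { $dol = $tsl }      # not set: equals tombstoneLifetime
    $base = [Math]::Min([int]$tsl, [int]$dol)
    return New-Object PSObject -Property @{ Days = [int][Math]::Floor($base / 2); Source = "default: half of $base" }
}

function Get-RegisteredBackupAge {
    param([string[]]$ShowBackupOutput, [datetime]$Now = (Get-Date))
    $seen = @{}        # partition DN -> newest Org.Time/Date, or $null if none registered
    $current = $null
    foreach ($line in $ShowBackupOutput) {
        if ($line -match '^(DC=|CN=)') {
            $current = $line.Trim()
            if (-not $seen.ContainsKey($current)) { $seen[$current] = $null }
            continue
        }
        if ($current -and $line -match 'Org\.Time/Date\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
            $when = [datetime]::ParseExact($matches[1], 'yyyy-MM-dd HH:mm:ss',
                        [Globalization.CultureInfo]::InvariantCulture)
            if (-not $seen[$current] -or $when -gt $seen[$current]) { $seen[$current] = $when }
        }
    }
    foreach ($dn in $seen.Keys) {
        $age = if ($seen[$dn]) { [int][Math]::Floor(($Now - $seen[$dn]).TotalDays) } else { $null }
        New-Object PSObject -Property @{ Partition = $dn; LastBackup = $seen[$dn]; AgeDays = $age }
    }
}

# Constructed sample: two partitions backed up on 2009-03-19, one never backed up.
$sample = @'
Repadmin: running command /showbackup against full DC localhost
DC=corp,DC=cpandl,DC=com
    dSASignature        1 entry
        Version 1, Flags 0x0
        Org.USN 119567, Org.Time/Date 2009-03-19 04:02:35
CN=Configuration,DC=corp,DC=cpandl,DC=com
    dSASignature        1 entry
        Version 1, Flags 0x0
        Org.USN 119567, Org.Time/Date 2009-03-19 04:02:35
DC=DomainDnsZones,DC=corp,DC=cpandl,DC=com
    dSASignature        0 entries
'@ -split "`r?`n"

$threshold = if ($UseSample) { New-Object PSObject -Property @{ Days = 30; Source = 'sample: half of 60' } }
             else { Get-BackupLatencyThresholdDays }
$output = if ($UseSample) { $sample } else { & repadmin.exe /showbackup 2>&1 | ForEach-Object { "$_" } }

"Backup latency interval: $($threshold.Days) days ($($threshold.Source))"
foreach ($p in Get-RegisteredBackupAge -ShowBackupOutput $output) {
    $state = if ($null -eq $p.AgeDays) { 'NO BACKUP REGISTERED' }
             elseif ($p.AgeDays -ge $threshold.Days) { 'STALE: event 2089 will be logged daily' }
             else { 'ok' }
    $last = if ($p.LastBackup) { $p.LastBackup.ToString('yyyy-MM-dd HH:mm') } else { 'never' }
    '{0,-55} {1,-17} {2,5} {3}' -f $p.Partition, $last, $p.AgeDays, $state
}
```

A partition that never had a registered backup is reported separately from a stale one, because it usually means the backup product is not registering in AD DS at all (the vendor case mentioned above) rather than that backups are merely infrequent.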

Test your system state backups to ensure that they are good

To ensure that the backups you are creating are good, restore them to a test location. For complete information about restoring system state backups from the command line, see Recover the System State Using a Command Line (https://technet.microsoft.com/en-us/library/cc753789.aspx). The following procedure is a simple restore of the system state backup to an alternate location. You can restore the files to any alternate location, but we recommend that you use a volume that is physically secure and that can be formatted after the procedure.

Membership in Backup Operators, or equivalent, is the minimum required to complete this procedure. Review details about default group memberships at https://go.microsoft.com/fwlink/?LinkID=150761.

To restore a system state backup to an alternate test location:

  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, enter the appropriate credentials (if requested) and confirm that the action it displays is what you want, and then click Continue.
  2. At the command prompt, type wbadmin get versions, and then press ENTER. 
  3. Identify the name of the backup file that you want to verify.
  4. At the command prompt, type the following command, and then press ENTER: wbadmin start systemstaterecovery -version:<verID> -recoveryTarget:<Tgt>
  5. Substitute the actual version identifier for <verID>, and replace <Tgt> with the drive or folder to which you want to restore the system state backup so that you can check that the data is good. For example, to restore the backup with version identifier 03/19/2009-04:02 to the B:\Backups folder, run the following command: wbadmin start systemstaterecovery -version:03/19/2009-04:02 -recoveryTarget:B:\Backups -quiet
  6. The command output displays the success of the recovery operation as it happens. A success message should appear, as well as the location of the log file of the restore process. You can use Notepad or a similar text editor to review the log.
  7. You can also navigate the structure of the restored files to ensure that critical items have been restored. For example, you can verify that the NTDS.DIT file that is located in the \Windows\NTDS folder by default has been restored to the alternate location.
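The restore test above, as an added PowerShell example that is not part of the original page: it selects the newest version identifier from wbadmin get versions, restores that system state to an alternate location, and then confirms that the directory database came back rather than trusting the success message alone. Assumptions: R:\RestoreCheck is a scratch volume that can be formatted afterwards and E: is where the backups live (both are placeholders); version identifiers appear on "Version identifier:" lines in the MM/DD/YYYY-HH:MM form used by -version; and the restored tree contains ntds.dit somewhere under the target, so the script searches for it instead of hard-coding the relative path.

```powershell
# Added example, not from the original page. Placeholders: R:\RestoreCheck (scratch
# volume for the test restore) and E: (backup location); pass -BackupTarget '' to
# let wbadmin use its default backup location instead.
param(
    [string]$RecoveryTarget = 'R:\RestoreCheck',
    [string]$BackupTarget = 'E:'
)

function Get-LatestBackupVersion {
    param([string]$BackupTarget)
    $wbArgs = @('get', 'versions')
    if ($BackupTarget) { $wbArgs += "-backupTarget:$BackupTarget" }
    $out = & wbadmin.exe @wbArgs 2>&1 | ForEach-Object { "$_" }
    $ids = $out | ForEach-Object {
        if ($_ -match 'Version identifier:\s*(\d{2}/\d{2}/\d{4}-\d{2}:\d{2})') { $matches[1] }
    }
    if (-not $ids) { throw 'wbadmin get versions returned no backup versions.' }
    # Sort chronologically, not lexically: identifiers are MM/DD/YYYY-HH:MM.
    $ids | Sort-Object { [datetime]::ParseExact($_, 'MM/dd/yyyy-HH:mm',
                           [Globalization.CultureInfo]::InvariantCulture) } | Select-Object -Last 1
}

function Test-SystemStateRestore {
    param([string]$VersionId, [string]$Target, [string]$BackupTarget)
    New-Item -ItemType Directory -Path $Target -Force | Out-Null
    $wbArgs = @('start', 'systemstaterecovery', "-version:$VersionId", "-recoveryTarget:$Target", '-quiet')
    if ($BackupTarget) { $wbArgs += "-backupTarget:$BackupTarget" }
    & wbadmin.exe @wbArgs 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { throw "Recovery of $VersionId failed with exit code $LASTEXITCODE." }

    # A restore is only worth anything if the directory database itself came back.
    $dit = Get-ChildItem -Path $Target -Recurse -Filter ntds.dit -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if (-not $dit -or $dit.Length -eq 0) {
        throw "ntds.dit was not found under $Target; this backup is not usable for a directory restore."
    }
    "Restored directory database: $($dit.FullName) ($([Math]::Round($dit.Length / 1MB)) MB)"
    # Dump the database header (read-only) so the State and backup fields can be reviewed.
    & esentutl.exe /mh $dit.FullName
    return $dit.FullName
}

$version = Get-LatestBackupVersion -BackupTarget $BackupTarget
"Verifying backup version $version"
Test-SystemStateRestore -VersionId $version -Target $RecoveryTarget -BackupTarget $BackupTarget
```

The restored ntds.dit contains every password hash in the domain, which is why the page insists on a physically secure volume: treat the scratch location as sensitive for as long as it exists and format it as soon as the check is done.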
