[SOLVED] Event ActiveDirectory_DomainService 2089 on windows domain controller logged

[abma]

we are backing up a windows domain controller using proxmox backup. The ActiveDirectory_DomainService complains with Event 2089: it thinks that no backup is made: https://docs.microsoft.com/en-us/tr...eplication-event-2089-backup-latency-interval

"Use QEMU Guest Agent" is enabled for the vm and the qemu guest agent is installed inside the vm:

101: 2021-04-15 22:02:06 INFO: issuing guest-agent 'fs-freeze' command
101: 2021-04-15 22:02:08 INFO: issuing guest-agent 'fs-thaw' command

Is the event 2089 normal with PBS and can be safely ignored or is VSS not working correctly?

 

[dcsapak]

afaik, this event means that you did no 'system-state' backup via the integrated windows backup tool. since windows cannot detect that a pbs backup has taken place, and neither pve nor pbs tell the vm that it was backed up, this message seems normal, though i am not a windows ad expert

 

[abma]

ok, as workarround we added a monthly task:

wbadmin.exe start backup -backuptarget:\\server\share -include:%WINDIR%\NTDS\ntds.dit -quiet -user:username -password:password

not sure how other backup solutions "solve" this.

 

[bofh]

ok, as workarround we added a monthly task:

wbadmin.exe start backup -backuptarget:\\server\share -include:%WINDIR%\NTDS\ntds.dit -quiet -user:username -password:password

not sure how other backup solutions "solve" this.

they let you schedule a system state backup and you absolutly need one.

DO NOT RESTORE A DC JUST VIA VZDUMP.


Here is the thing. If you have only one DC, then it might just work to restore it - MIGHT (still possible to "loose" machines within the network that requires a rejoin but the rest should just work)

If you have a secondary - DONT YOU DARE - and recover from VZDUMP - ever. you gonna crash you ADS for good. then against fresh installs are nice arent they xD


what i would do is a frequent system state backup to somewhere, even just another VM just to have it.
in case of a DC Fail install a new DC, and let ADS replicate from the other one. Thats even Microsoft recommendation. Thats why they also urge you to have at least 2 of them.

TLDR:
-One Domaincontroller in the network - you can recover with VZDUMP
-Multiple Domaincontroller - dont recover unless all are dead
-if youre within a forest but all of your local branch are dead recover via system state
-backup only those with all FSMO roles

Best Methods
- for normal crashes of machines regular check that replication is running this will be your primary recovery
- against malice or incompetence have a backup of the FSMO Domaincontroller better with systemstate
in that case shutdown all domaincontroller, restore primary with all the roles, if that is running best would be install new secondary/3rds and let replication do its job.
-to restore an actrive directly ALL you need is a systemstate backup nothing else.



keep in mind backups of system state must be younger then your tombstones (default 180 days) if its older its worthless.

yes any VM backup solution must absolutely be build for the task to backup an active directory. otherwise it is not useable.
only exception is the single domain controller usecase which should no longer occure in times of virtualisation. even if you have both controller on one bare metal i really highly recommend using 2.

CHECK replication health regularly.


Best would be an offsite DC, you can define it as a different SITE and set appropriate replication cycles
-together with regular systemstate backup (even if its just on the same machine) with a VZDUMP copy of all of it.