Event Id | 2095 |
Source | NTDS Replication |
Description | During an Active Directory replication request, the local domain controller (DC) identified a remote DC which has received replication data from the local DC using already-acknowledged USN tracking numbers. Because the remote DC believes it is has a more up-to-date Active Directory database than the local DC, the remote DC will not apply future changes to its copy of the Active Directory database or replicate them to its direct and transitive replication partners that originate from this local DC. If not resolved immediately, this scenario will result in inconsistencies in the Active Directory databases of this source DC and one or more direct and transitive replication partners. Specifically the consistency of users, computers and trust relationships, their passwords, security groups, security group memberships and other Active Directory configuration data may vary, affecting the ability to log on, find objects of interest and perform other critical operations. To determine if this misconfiguration exists, query this event ID using http://support.microsoft.com or contact your Microsoft product support. The most probable cause of this situation is the improper restore of Active Directory on the local domain controller. User Actions: If this situation occurred because of an improper or unintended restore, forcibly demote the DC. Remote DC: b55ee67f-ed73-4970-b2d4-7dc6f571439f Partition: CN=Configuration,DC=usn,DC=loc USN reported by Remote DC: 24707 USN reported by Local DC: 20485 For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. |
Event Information | According to Microsoft: Windows 2000 domain controllers use USNs in combination with the invocation IDs of source domain controllers to track updates to Active Directory that must be replicated. When USNs and invocation IDs are used, all domain controllers maintain consistent copies in Active Directory of the directory database partitions that are replicated. The invocation ID identifies the version of the directory database that is running on the domain controller. When the system state is correctly restored on a domain controller, the invocation ID is reset before Active Directory starts. Therefore, the domain controller is identified to its replication partners as a new domain controller. This situation prompts other domain controllers to update the restored domain controller. System state restorations that Active Directory-aware backup programs perform use APIs and methods that Microsoft has designed and tested. These APIs and methods help make sure that local and replicated Active Directory databases are consistent when the restoration is complete. These APIs and methods also make sure that other domain controllers in the forest are notified that invocation IDs have been reset. |
Reference Links | How to detect and recover from a USN rollback in Windows Server 2003; How to detect and recover from a USN rollback in Windows 2000 Server |
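For triage across many domain controllers, the fields at the end of the description can be pulled out of exported event text and ranked by how far the local DC's USN sits behind what the partner has already acknowledged. The following is an added example, not Microsoft's or this page's code; the function names and the second sample message are assumptions constructed for illustration, while the first sample uses the values shown in the description above.

```python
import re

# Field labels as they appear in the event 2095 message text on this page.
# The partition pattern assumes a naming-context DN without spaces.
_FIELDS = {
    "remote_dc": r"Remote DC:\s*([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})",
    "partition": r"Partition:\s*((?:(?:CN|DC|OU)=[^,\s]+,?)+)",
    "remote_usn": r"USN reported by Remote DC:\s*(\d+)",
    "local_usn": r"USN reported by Local DC:\s*(\d+)",
}

def parse_event_2095(message):
    """Return the replication fields of one message, or None if any is missing."""
    rec = {}
    for name, pattern in _FIELDS.items():
        m = re.search(pattern, message)
        if m is None:
            return None  # truncated or unrelated event text
        rec[name] = m.group(1)
    rec["remote_usn"] = int(rec["remote_usn"])
    rec["local_usn"] = int(rec["local_usn"])
    # The partner treats USNs up to remote_usn as already received, so local
    # changes stamped inside this gap will not be applied by that partner.
    rec["usn_gap"] = rec["remote_usn"] - rec["local_usn"]
    rec["rollback"] = rec["usn_gap"] > 0
    return rec

def triage(messages):
    """Largest USN gap per (remote DC, partition), worst first."""
    worst = {}
    for msg in messages:
        rec = parse_event_2095(msg)
        if rec and rec["rollback"]:
            key = (rec["remote_dc"], rec["partition"])
            worst[key] = max(worst.get(key, 0), rec["usn_gap"])
    return sorted(worst.items(), key=lambda kv: kv[1], reverse=True)

# Sample 1: field values from the description above (flattened onto one line).
PAGE_SAMPLE = (
    "User Actions: If this situation occurred because of an improper or "
    "unintended restore, forcibly demote the DC. Remote DC: "
    "b55ee67f-ed73-4970-b2d4-7dc6f571439f Partition: CN=Configuration,DC=usn,DC=loc "
    "USN reported by Remote DC: 24707 USN reported by Local DC: 20485"
)
# Sample 2: constructed, multi-line layout with a placeholder GUID.
CONSTRUCTED = ("Remote DC:\n00000000-0000-0000-0000-000000000001\nPartition:\n"
               "DC=usn,DC=loc\nUSN reported by Remote DC:\n30000\n"
               "USN reported by Local DC:\n29000\n")
```
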