Article ID: 914034 - View products that this article applies to.
When you back up a domain controller that is running Microsoft Windows Server 2003 Service Pack 1 (SP1), a new event error message is logged for each writable domain or application partition that the domain controller hosts. This is true if the partition is not backed up in a given time period. The time period is called a backup latency interval. You can set a registry value to specify this interval in days.
New behavior in Windows Server 2003 SP1The DSA Signature attribute is modified every time that a system state backup is made. The operating system monitors this attribute. An event error message is logged when the backup latency interval criteria are met. Any Windows Server 2003 SP1-based domain controller may log the event because the DSA Signature attribute is a replicated attribute.
Note The new event error message is not logged until a backup is made on a Windows Server 2003-based domain controller that is running Windows Server 2003 SP1. Only Windows Server 2003 SP1-based domain controllers log this event error message.
The default time period of the backup latency interval is half of the Tombstone Lifetime (TSL) for logging the event error message on the domain controller. The following list shows the difference in the default TSL values for a forest that is created on Windows Server 2003 and a forest that is created on Windows Server 2003 SP1:
(https://support.microsoft.com/kb/216993/ )Useful shelf life of a system-state backup of Active Directory
Deployment StrategyThe default value for the backup latency interval in a forest that uses the default TSL is insufficient to correctly warn administrators that partitions are not being backed up with sufficient frequency.
In the registry, administrators can specify a value for the Backup Latency Threshold (days) entry. This provides a simple method to adjust how soon event ID 2089, is logged if a backup is not made in a certain time period. Therefore, the time period reflects the backup strategies of the administrators. This event error message serves as a warning to administrators that domain controllers are not being backed up before the TSL expires. This event error message is also a useful tracking event to monitor applications such as Microsoft Operations Manager (MOM).
We recommend that you take system state backups that include each forest, domain, and application partition on at least two computers every day. We also recommend that you configure this event to occur every other day if a backup is not made. Third-party backup programs may use a method that calls the backup API that updates the attribute. When these programs use this method, it causes the DSA Signature attribute to be updated.
An event ID 2089 error message is logged in the Directory Service event log when a partition is not backed up during the backup latency interval. Only one event error message is logged each day for each partition that a domain controller hosts. The event error message is similar to the following:
Event Type: Warning
For more information, visit the following Microsoft TechNet Web sites:
Article ID: 914034 - Last Review: June 20, 2014 - Revision: 3.0