Question
Hi there,
Need help please.
In one network, we have 2 servers:
SERVER-1: domain server, created first.
SERVER-2: works as a terminal server.
And 1 NAS (old Synology version), which connects to the domain and copies AD using LDAP.
SERVER-2 joined the domain on SERVER-1 and copies Active Directory.
Everything was going well until I applied Fix356729.
Now SERVER-2 needs 8-10 minutes to log on, and the NAS can't reach AD on SERVER-1, so users can't access the NAS with their AD logon information and must use the internal logon information (provided by that NAS).
On SERVER-1, there is this event log entry:
[CODE]
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 07/08/2017 8:05:13
Event ID: 2092
Task Category: Replication
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: SERVER.mydomain.id
Description: This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: DC=mydomain,DC=id
User Action:
1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors. Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS Replication" />
<EventID Qualifiers="32768">2092</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>5</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2017-08-07T01:05:13.571822600Z" />
<EventRecordID>23807</EventRecordID>
<Correlation />
<Execution ProcessID="712" ThreadID="872" />
<Channel>Directory Service</Channel>
<Computer>SERVER.mydomain.id</Computer>
<Security UserID="S-1-5-7" />
</System>
<EventData>
<Data>DC=mydomain,DC=id</Data>
</EventData>
</Event>
[/CODE]
Need help please.
We have a small Windows domain with 2 Domain Controllers running Windows Server 2012.
Today I went into the Group Policy Management Console to edit the Default Domain Policy to add a few new IPs to our firewall rules.
Upon doing this, a coworker reported not being able to access file shares on our web server (on the domain) and the Primary Domain Controller. I experienced the same issue.
Running gpupdate on a client resulted in errors for 2 Group Policy Objects, referring to 2 GUIDs not being accessible. I went back into the Group Policy Management Console, found those 2 GPOs, and disabled them. 1 of the GPOs was the one I had been editing, the other was unrelated.
Disabling the GPOs allowed gpupdate to work on clients, and this also restored file share functionality for some reason.
I checked the replication status and versions of the GPOs on both Domain Controllers. Both GPOs showed one DC as still waiting on a sync. One of the GPOs had mismatched version numbers.
I created a new GPO and let it sync, and this worked fine. I was also able to import the settings of the original GPO and it worked. Some time shortly after, the file shares broke again. Disabling the offending GPO (this time it was only the Default Domain Policy) again restored the file shares.
I followed this guide: http://jackstromberg.com/2014/07/sysvol-and-group-policy-out-of-sync-on-server-2012-r2-dcs-using-dfs… and everything appeared to work, except I never got the 2002 Event ID in the Event Viewer.
The AD Replication Status tool showed no error.
I tried creating a new GPO again and importing the backed up settings, and things broke again.
Event Viewer reported various errors, including errors about the journal. I performed the suggested command for the journal error (something I have encountered before), ran through the linked guide again, and disabled the offending GPO again.
File share services were back up and running.
The AD Replication Status Tool reported error 1908 ("Could not find the domain controller for this domain") for one server (the "destination" server being the primary DC and the "source" being the secondary DC).
I decided to let it sit and just monitor it as users need access to their files.
I checked the AD Replication Status Tool about 2 hours later and the 1908 error had disappeared.
Generating a Diagnostic Report from DFS Management shows no issues. SYSVOL shows as normal and we don't have any other replicated shares (we don't actually use DFS for user shares). There were warnings about the frequent restarts of services, but these were due to the fact that I was restarting the servers. The last occurrence was at the time of the last reboot of the servers.
For both domain controllers:
DCDIAG shows that both servers pass all tests except for DFSREvent (which just counts warnings/errors in the log over the past 24 hours).
REPADMIN /SHOWREPL shows 5 directories/paths and they're all listed as successful.
REPADMIN /QUEUE shows no replications queued.
NETDOM QUERY FSMO shows the PDC being Schema master, Domain naming master, PDC, RID pool manager, and Infrastructure master.
The remaining issues as I see them are:
About 45 minutes after the last restart, the primary DC logged two entries with Event ID 2092. The secondary DC doesn't have this event. One is shown here (I've redacted our info as [SITE] and [DOMAIN]):
[CODE]
This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: CN=Partitions,CN=Configuration,DC=[SITE],DC=[DOMAIN]
User Action:
1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors. Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.
[/CODE]
The Default Domain Policy GPO is still disabled. I haven’t tried creating a new policy yet or changing other policies for fear of breaking network share services.
Both Domain Controllers have the proper time set. In the Group Policy Management Console, if I look at the details for a GPO, both Domain Controllers say they are the baseline domain controller for this domain. That is, on DC1 it says "DC1.SITE.domain is the baseline controller for this domain.", and on DC2 it says "DC2.SITE.domain is the baseline controller for this domain.". Is this relevant?
Any help would be appreciated. I can post redacted DCDIAG or other logs as requested tomorrow, but DCDIAG and the other things I mentioned are now clean other than the DFSREvent test which just counts the number of events.
Do I need to worry about the FSMO 2092 Event on the PDC?
Should I try reimporting the Default Domain Policy GPO from a backup, or should I try creating it (or a blank/minimal GPO) from scratch first?
Any other ideas?
Thanks
I am getting the following error after restoring an original image of DC after a day of running a backup image of the DC.
I have checked the regkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters where:
Afterward, I restarted the AD services, but the Netlogon service failed to start, so I restarted the DC; Netlogon is back, but I still get Event ID 2092. What should I do to fix this? Also, users' network drives are not connecting when using the DC name but work with the IP instead.
C:\Windows\system32>netdom query FSMO
Schema master CAPRICORNFF.fairfield.ac
Domain naming master CAPRICORNFF.fairfield.ac
PDC CAPRICORNFF.fairfield.ac
RID pool manager CAPRICORNFF.fairfield.ac
Infrastructure master CAPRICORNFF.fairfield.ac
The command completed successfully.
Directory Server Diagnosis
Performing initial setup:
Trying to find home server…
Home Server = CAPRICORNFF
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\CAPRICORNFF
Starting test: Connectivity
……………………. CAPRICORNFF passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\CAPRICORNFF
Starting test: Advertising
……………………. CAPRICORNFF passed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
……………………. CAPRICORNFF passed test FrsEvent
Starting test: DFSREvent
……………………. CAPRICORNFF passed test DFSREvent
Starting test: SysVolCheck
……………………. CAPRICORNFF passed test SysVolCheck
Starting test: KccEvent
……………………. CAPRICORNFF passed test KccEvent
Starting test: KnowsOfRoleHolders
……………………. CAPRICORNFF passed test KnowsOfRoleHolders
Starting test: MachineAccount
……………………. CAPRICORNFF passed test MachineAccount
Starting test: NCSecDesc
……………………. CAPRICORNFF passed test NCSecDesc
Starting test: NetLogons
……………………. CAPRICORNFF passed test NetLogons
Starting test: ObjectsReplicated
……………………. CAPRICORNFF passed test ObjectsReplicated
Starting test: Replications
……………………. CAPRICORNFF passed test Replications
Starting test: RidManager
……………………. CAPRICORNFF passed test RidManager
Starting test: Services
……………………. CAPRICORNFF passed test Services
Starting test: SystemLog
An error event occurred. EventID: 0x40000004
Time Generated: 10/22/2018 11:14:35
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server capricornff$. The target name used was DNS/capricornff.fairfield.ac. This indicates that the target server failed to decrypt the ticket provided
by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server.
This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC
are both updated to use the current password. If the server name is not fully qualified, and the target domain (FAIRFIELD.AC) is different from the client domain (FAIRFIELD.AC), check if there are identically named server accounts in these two domains, or
use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x0000168F
Time Generated: 10/22/2018 11:14:35
Event String:
The dynamic deletion of the DNS record ‘_kerberos._tcp.dc._msdcs.fairfield.ac. 600 IN SRV 0 100 88 CAPRICORNFF.fairfield.ac.’ failed on the following DNS server:
An error event occurred. EventID: 0x0000168F
Time Generated: 10/22/2018 11:14:35
Event String:
The dynamic deletion of the DNS record ‘_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.fairfield.ac. 600 IN SRV 0 100 88 CAPRICORNFF.fairfield.ac.’ failed on the following DNS server:
An error event occurred. EventID: 0x0000168F
Time Generated: 10/22/2018 11:14:35
Event String:
The dynamic deletion of the DNS record ‘_kerberos._tcp.fairfield.ac. 600 IN SRV 0 100 88 CAPRICORNFF.fairfield.ac.’ failed on the following DNS server:
An error event occurred. EventID: 0x0000168F
Time Generated: 10/22/2018 11:14:35
Event String:
The dynamic deletion of the DNS record ‘_kerberos._tcp.Default-First-Site-Name._sites.fairfield.ac. 600 IN SRV 0 100 88 CAPRICORNFF.fairfield.ac.’ failed on the following DNS server:
An error event occurred. EventID: 0x0000168F
Time Generated: 10/22/2018 11:14:35
Event String:
The dynamic deletion of the DNS record ‘_kerberos._udp.fairfield.ac. 600 IN SRV 0 100 88 CAPRICORNFF.fairfield.ac.’ failed on the following DNS server:
An error event occurred. EventID: 0x0000168F
Time Generated: 10/22/2018 11:14:35
Event String:
The dynamic deletion of the DNS record ‘_kpasswd._tcp.fairfield.ac. 600 IN SRV 0 100 464 CAPRICORNFF.fairfield.ac.’ failed on the following DNS server:
An error event occurred. EventID: 0x0000168F
Time Generated: 10/22/2018 11:14:35
Event String:
The dynamic deletion of the DNS record ‘_kpasswd._udp.fairfield.ac. 600 IN SRV 0 100 464 CAPRICORNFF.fairfield.ac.’ failed on the following DNS server:
An error event occurred. EventID: 0x00000C8A
Time Generated: 10/22/2018 11:14:39
Event String:
This computer could not authenticate with Portal.fairfield.ac, a Windows domain controller for domain FAIRFIELD, and therefore this computer might deny logon requests. This inability to authenticate might be caused
by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.
A warning event occurred. EventID: 0x8000001D
Time Generated: 10/22/2018 11:14:43
Event String:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved.
To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
A warning event occurred. EventID: 0x000003F6
Time Generated: 10/22/2018 11:15:27
Event String:
Name resolution for the name fairfield.ac timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x80070003
Time Generated: 10/22/2018 11:22:11
Event String:
VMDebug driver (version 7.3.4.7) was not enabled. This driver is required by the replay debugging feature of VMware Workstation. If you are using other VMware products or not using replay debugging, please ignore
this message.
A warning event occurred. EventID: 0x8000001D
Time Generated: 10/22/2018 11:23:12
Event String:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved.
To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
A warning event occurred. EventID: 0x000003F6
Time Generated: 10/22/2018 11:23:45
Event String:
Name resolution for the name fairfield.ac timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x0000000C
Time Generated: 10/22/2018 11:24:01
Event String:
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in
the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the
authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
An error event occurred. EventID: 0xC0001B61
Time Generated: 10/22/2018 11:24:29
Event String:
A timeout was reached (30000 milliseconds) while waiting for the Kaspersky Endpoint Security Service service to connect.
An error event occurred. EventID: 0xC0001B58
Time Generated: 10/22/2018 11:24:30
Event String:
The Kaspersky Endpoint Security Service service failed to start due to the following error:
A warning event occurred. EventID: 0x00000012
Time Generated: 10/22/2018 11:27:18
Event String:
The Secure Socket Tunneling Protocol service either could not read the SHA256 certificate hash from the registry or the data is invalid. To be valid, the SHA256 certificate hash must be of type REG_BINARY and 32 bytes
in length. SSTP might not be able to retrieve the value from the registry due to some other system failure. The detailed error message is provided below. SSTP connections will not be accepted on this server. Correct the problem and try again.
An error event occurred. EventID: 0x00004E8A
Time Generated: 10/22/2018 11:27:20
Event String:
Unable to add the interface {36C8181F-08BE-474A-8C8D-3DA1CACC4D1F} with the Router Manager for the IPV6 protocol. The following error occurred: Cannot complete this function.
An error event occurred. EventID: 0x00004E8A
Time Generated: 10/22/2018 11:27:20
Event String:
Unable to add the interface {9039BCB2-5312-4C6C-B0A7-C6FE0A2272D8} with the Router Manager for the IPV6 protocol. The following error occurred: Cannot complete this function.
A warning event occurred. EventID: 0x00004EE0
Time Generated: 10/22/2018 11:27:20
Event String:
A certificate could not be found. Connections that use the L2TP protocol over IPsec require the installation of a machine certificate, also known as a computer certificate. No L2TP calls will be accepted.
A warning event occurred. EventID: 0x00004ECB
Time Generated: 10/22/2018 11:27:20
Event String:
Failed to apply IP Security on port VPN2-2 because of error: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as
a computer certificate.. No calls will be accepted to this port.
A warning event occurred. EventID: 0x00004ECB
Time Generated: 10/22/2018 11:27:20
Event String:
Failed to apply IP Security on port VPN2-1 because of error: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as
a computer certificate.. No calls will be accepted to this port.
A warning event occurred. EventID: 0x00004ECB
Time Generated: 10/22/2018 11:27:20
Event String:
Failed to apply IP Security on port VPN2-0 because of error: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as
a computer certificate.. No calls will be accepted to this port.
A warning event occurred. EventID: 0x00004ECB
Time Generated: 10/22/2018 11:27:20
Event String:
Failed to apply IP Security on port VPN2-9 because of error: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as
a computer certificate.. No calls will be accepted to this port.
A warning event occurred. EventID: 0x00004ECB
Time Generated: 10/22/2018 11:27:20
Event String:
Failed to apply IP Security on port VPN2-8 because of error: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as
a computer certificate.. No calls will be accepted to this port.
A warning event occurred. EventID: 0x00004ECB
Time Generated: 10/22/2018 11:27:20
Event String:
Failed to apply IP Security on port VPN2-7 because of error: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as
a computer certificate.. No calls will be accepted to this port.
A warning event occurred. EventID: 0x00004ECB
Time Generated: 10/22/2018 11:27:20
Event String:
Failed to apply IP Security on port VPN2-6 because of error: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as
a computer certificate.. No calls will be accepted to this port.
A warning event occurred. EventID: 0x00004ECB
Time Generated: 10/22/2018 11:27:20
Event String:
Failed to apply IP Security on port VPN2-5 because of error: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as
a computer certificate.. No calls will be accepted to this port.
A warning event occurred. EventID: 0x00004ECB
Time Generated: 10/22/2018 11:27:20
Event String:
Failed to apply IP Security on port VPN2-4 because of error: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as
a computer certificate.. No calls will be accepted to this port.
A warning event occurred. EventID: 0x00004ECB
Time Generated: 10/22/2018 11:27:20
Event String:
Failed to apply IP Security on port VPN2-3 because of error: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as
a computer certificate.. No calls will be accepted to this port.
A warning event occurred. EventID: 0x000727AA
Time Generated: 10/22/2018 11:27:20
Event String:
The WinRM service failed to create the following SPNs: WSMAN/CAPRICORNFF.fairfield.ac; WSMAN/CAPRICORNFF.
A warning event occurred. EventID: 0x000003F6
Time Generated: 10/22/2018 11:33:58
Event String:
Name resolution for the name fairfield.ac timed out after none of the configured DNS servers responded.
……………………. CAPRICORNFF failed test SystemLog
Starting test: VerifyReferences
……………………. CAPRICORNFF passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
……………………. ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
……………………. ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
……………………. DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
……………………. DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
……………………. Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
……………………. Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
……………………. Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
……………………. Configuration passed test CrossRefValidation
Running partition tests on : fairfield
Starting test: CheckSDRefDom
……………………. fairfield passed test CheckSDRefDom
Starting test: CrossRefValidation
……………………. fairfield passed test CrossRefValidation
Running enterprise tests on : fairfield.ac
Starting test: LocatorCheck
……………………. fairfield.ac passed test LocatorCheck
Starting test: Intersite
……………………. fairfield.ac passed test Intersite
Question
Hello all, I've a strange problem after a migration from a 2003 domain to a 2008 domain.
Here is what I've done: added a new 2008R2 DC + DNS in the existing 2003 domain (with a single DC which also hosts DNS), transferred the 5 FSMO roles to the new 2008 DC, switched off the old 2003 DC (which wasn't demoted yet) just to see if everything was working ok with the new one; so, in 2 weeks no problems were detected. Yesterday I needed to restart the new 2008 DC (the old 2003 DC was still off) and after it rebooted and waited for such a long time with "applying computer settings" I wasn't able to access the DNS console ("cannot find dc2008, do you want to add it anyway?"); in event viewer there was an event 2092 ("this server is owner of following fsmo roles but does not consider it valid....cut....") and an event 2087 ("Active Directory could not resolve the following DNS host name of the source domain controller to an IP address...cut..." - and the source domain controller indicated is the old 2003 DC.....). Only by turning on the old 2003 DC again can I reboot the new 2008 DC without delays or problems in the DNS console or 2092 / 2087 events logged.
I've already checked:
FSMO roles owner (with ntdsutil, it says that the new 2008 DC is the owner of all 5 roles)
DCDIAG (several errors about services not started, not related to this issue, but the others seem to be ok, except for an error 0x000003F6 "timeout in name resolution for dc2008.domain.local - no configured dns server answered")
As I need to remove the old 2003 DC to take it away from this location, I need suggestions on how to proceed; I'm thinking about demoting the 2003 DC, running dcpromo on it and then, if something goes wrong, deleting it manually from "AD users and computers" on the new 2008 DC (an operation which should remove the data in AD, as mentioned in KB216498), but I'm worried about what could happen doing this. Thanks for any help.
Marco
Answers
Hi,
Before demoting the Windows Server 2003 Domain Controller, please complete the following tasks:
1. View the current operations master role holders
2. Transfer FSMO roles
3. Determine whether a domain controller is a global catalog server
4. Verify DNS registration and functionality
5. Verify communication with other domain controllers
6. Verify the availability of the operations masters
7. If the domain controller to be decommissioned hosts any Encrypting File System (EFS) encrypted files, you must take precautions to protect the private key for the recovery agent for the local EFS-encrypted documents.
8. Uninstall Active Directory
9. Determine whether a Server object has child objects
10. Delete a Server object from a site
For more information, please refer to the following Microsoft TechNet article and blog:
Decommissioning a Domain Controller
http://technet.microsoft.com/en-us/library/cc755937(WS.10).aspx
Active Directory: Active Directory Upgrade - High Level Steps
http://social.technet.microsoft.com/wiki/contents/articles/2903.aspx
Forum Support
Marked as answer by
Thursday, December 1, 2011 6:29 AM
Hello guys, thank you again for your precious support.
Since Awinish confirmed that dcdiag looks fine, I did some more research during the week-end, thinking that I was investigating in the wrong way.
I think the origin of the matter could be DNS error 4013, which is logged before error 2092.
I took a look at article http://support.microsoft.com/kb/2001093 and then decided to try in this way: tomorrow, when I'll be working again on this problem, I will try to switch off the old DC2003 server, then I'll modify the registry, adding those lines to avoid initial synchronization, and I'll restart only the new DC2008 server.
If, in this condition, the DC2008 starts without mistakes or delay or some kind of errors and, of course, the clients are able to connect, authenticate and resolve domain names using that only DC and only DNS server, then I will be pretty sure that it will be possible to demote the old DC2003 and remove it from AD. Do you agree with this way to proceed?
After that I will restore the registry to the original configuration, as I'll only use one DC. (Maybe, I'm still not sure, I will add a second DC/DNS to have some redundancy in case of emergency.)
Have a good day.
Marco
MT
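A PowerShell health check, added here as an example and not code posted by anyone in this thread, that runs the pre-demotion checks listed in the answer above (operations master role holders, global catalog, DNS registration, replication partners) and also looks for the event 2092 and the KB2001093 registry value that Marco's plan involves. It assumes the ActiveDirectory and DnsClient modules are available and that it runs with domain-admin rights on the DC that will remain; the parameter names and the findings wording are this example's own.

```powershell
# Added example (not from any poster on this thread): pre-change health check for a DC.
# Assumes the ActiveDirectory and DnsClient modules are present (RSAT or a DC) and
# that it runs with domain-admin rights on the DC being checked.
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [string]$DomainController = $env:COMPUTERNAME,   # assumed parameter name
    [int]$LookbackHours = 24
)

$findings = [System.Collections.Generic.List[string]]::new()
$domain = Get-ADDomain
$forest = Get-ADForest
$dc     = Get-ADDomainController -Identity $DomainController

# Steps 1-2: operations master role holders. All five should sit on the DC that stays.
$roleHolders = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $roleHolders.Keys) {
    $holder = $roleHolders[$role]
    if ($holder -ne $dc.HostName) {
        $findings.Add("FSMO role $role is held by $holder, not $($dc.HostName)")
    }
}

# Step 3: the remaining DC must be a global catalog before the old one is removed.
if (-not $dc.IsGlobalCatalog) { $findings.Add("$($dc.HostName) is not a global catalog") }

# Step 4: DNS registration. The locator SRV records must list this DC, and the lookup
# itself must succeed (the 0x3F6 "name resolution timed out" events above show the failure mode).
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)",
    "_kerberos._tcp.dc._msdcs.$($domain.DNSRoot)",
    "_ldap._tcp.$($domain.DNSRoot)"
)
foreach ($name in $srvNames) {
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        if (-not ($srv.NameTarget -contains $dc.HostName)) {
            $findings.Add("SRV $name does not list $($dc.HostName)")
        }
    } catch {
        $findings.Add("SRV lookup failed for $name : $($_.Exception.Message)")
    }
}

# Steps 5-6: replication partners. Failing replication with every partner after a restart
# is exactly what makes the FSMO owner log event 2092.
foreach ($f in (Get-ADReplicationFailure -Target $dc.HostName)) {
    $findings.Add("Replication from $($f.Partner) failing: $($f.LastError) ($($f.FailureCount) attempts)")
}
$since = (Get-Date).AddHours(-$LookbackHours)
$evt2092 = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2092; StartTime = $since } `
                        -ErrorAction SilentlyContinue
if ($evt2092) {
    $findings.Add("Event 2092 logged $($evt2092.Count) time(s) in the last $LookbackHours h: FSMO role not validated")
}

# The value KB2001093 describes: 0 skips initial synchronization at startup. It is a test-time
# workaround only, so flag it if it is still set so it gets restored afterwards.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$initSync = (Get-ItemProperty -Path $ntds -ErrorAction SilentlyContinue).'Repl Perform Initial Synchronizations'
if ($initSync -eq 0) {
    $findings.Add("'Repl Perform Initial Synchronizations' is 0: initial sync disabled, restore it after testing")
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $($dc.HostName) holds all roles, is a GC, is registered in DNS and replicates cleanly."
} else {
    Write-Output "Findings for $($dc.HostName):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it on the DC that will remain both before switching off the old DC and again after the test reboot; an empty findings list is the condition Marco's plan is waiting for.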
Marked as answer by Arthur_Li (Microsoft contingent staff)
Thursday, December 1, 2011 6:30 AM
The plan of action you are following is correct.
Also ensure that you change all of the clients (and the new 2008 DC itself) to point to the 2008 DC as their preferred DNS server; this may be in DHCP options or the TCP/IP settings. Yes, once the testing is completed you can demote the old 2003 DC. However, I would recommend adding one more DC later for redundancy, as you are aware of the same.
Regards,
Sandesh Dubey.
-------------------------------
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
My Blog: http://sandeshdubey.wordpress.com