Microsoft KB Archive/914036

= Windows Server 2003-based domain controllers show a decrease in performance when they process certain Active Directory objects =

Article ID: 914036

Article Last Modified on 10/11/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems

-



SYMPTOMS
On Microsoft Windows Server 2003-based domain controllers, you may experience the following issues:   You may receive Event IDs that resemble the following in the Directory Service event log: Event Type: Error

Event Source: NTDS SDPROP

Event Category: (9)

Event ID: 2008

Description: Internal error: The security descriptor propagation task encountered an error while processing the following object. The propagation of security descriptors may not be possible until the problem is corrected. Object:

Additional Data Error value: -1112 [] Internal ID: 2080495 Note A Jet error -1112 is logged on domain controllers that run on a Microsoft Windows 2000 forest functional level. Event Type: Error

Event Source: NTDS SDPROP

Event Category: Internal Processing

Event ID: 2008

Description: Internal error: The security descriptor propagation task encountered an error while processing the following object. The propagation of security descriptors may not be possible until the problem is corrected. Object:  Additional Data Error value: -1026 JET_errRecordTooBig, Record larger than maximum size Internal ID: 20903d5 Note A Jet error -1026 is logged on domain controllers that run on a Windows Server 2003 interim forest functional level or on a higher level. Event Type: Error

Event Source: NTDS Replication

Event Category: Replication

Event ID: 1699

Date:

Time:

User:

Computer:

Description: The local domain controller failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send the change requests to the domain controller at the following network address.

Directory partition:

Network address:

Extended request code: 0

Additional Data

Error value: 8442

The replication system encountered an internal error.

The only partition that is failing to replicate is the  partition. Event Type: Warning

Event Source: NTDS General

Event Category: Internal Processing

Event ID: 1173

Date:

Time:

User:

Computer:

Description:

Internal event: Exception e0010002 has occurred with parameters 8442 and 20a0 (Internal ID 11003a1). Note The event Internal ID value will vary with the Windows operating system, the service pack, and the hotfix revisions of the binary that logged the event.  Domain controllers cannot replicate outgoing Active Directory partitions that are described in the 1699 event. Domain controllers experience high processor usage for the Lsass.exe process. The performance of the domain controllers decreases immediately after you perform a system state restore.



CAUSE
The issues mentioned the &quot;Symptoms&quot; section may occur when there are many proxy addresses under the Active Directory objects that are referenced in the events. Each of these objects has a non-linked multivalued attribute. When the values of these non-linked attributes exceed the maximum attribute limit for the forest functional level, the server cannot process the object.

The Microsoft Exchange Recipient Update Service checks existing proxy addresses on recipient objects to verify that they match the proxy addresses that are specified by the recipient policies. If they do not match, the recipient policy proxy addresses are added to the recipient object. Certain formats of existing proxy addresses are incorrectly evaluated as not matching. This behavior causes the Recipient Update Service to add more proxy addresses.



RESOLUTION
To resolve the issues that are described in the &quot;Symptoms&quot; section, use one or more of the following methods.

Method 1
You can install the 834349 and the 835894 hotfixes to resolve this issue. For more information about the 834349 hotfix, click the following article number to view the article in the Microsoft Knowledge Base:

834349 The Exchange Server 2003 Recipient Update Service continually updates some recipients or public folders with random SMTP proxy addresses

For more information about the 835894 hotfix, click the following article number to view the article in the Microsoft Knowledge Base:

835894 The Exchange Recipient Update Service creates multiple recipient proxy addresses of the same type

Method 2
You can create an LDAP Data Interchange Format (LDIF) dump file for the Active Directory objects that you see in the 2008 event to determine the values for the attributes of the object.

If you find any attribute values that exceed the maximum forest functional level value, you can reduce or remove the values for the attributes after you determine the root cause of the increase in values.

Create an LDIF dump file to find the attribute values
For example, to create an LDIF dump file and to find the attribute values for an object that has the &quot;CN=object1,CN=Microsoft Exchange System Objects,DC=Contoso,DC=Com&quot; distinguished name (DN) path, follow these steps:  Click Start, click Run, type cmd, and then click OK.</li> At the command prompt, type the following, and then press ENTER:

ldifde -f Attribfile.txt -d &quot;CN= ,CN=Microsoft Exchange System Objects,DC=Contoso,DC=Com&quot;

</li> After you run the command successfully, type exit, and then press ENTER to close the Command Prompt window.</li> After you create the Attribfile.txt LDIF dump file, locate the Attribfile.txt file, and then open the file by using Notepad.</li> Look for attributes that have values that might exceed the maximum value that is supported by the functional level in your forest.</li> If you find any attributes, copy the values for those attributes to a Microsoft Excel spreadsheet.</li> Count the number of rows or count the number of characters that are used to delimit each unique value in the attribute.</li> Note the attribute names for the objects that have values that exceed the maximum limit.</li></ol>

Remove or reduce the values for an attribute
Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

Note The ADSI Edit tool is included in the Windows Server 2003 Support Tools that are provided in the Windows Server 2003 CD. To install Windows Server 2003 Support Tools, run the Suptools.msi file from the \SUPPORT\TOOLS folder in the Windows Server 2003 CD.

To remove or reduce the values for an attribute, you can use the ADSI Edit tool. To use this tool, follow these steps: <ol> Click Start, click Run, type adsiedit.msc, and then click OK.</li> In the ADSI Edit Microsoft Management Console (MMC) snap-in, expand the Domain node.</li> Locate and then click the container node that contains the Active Directory object that you noted in the Event ID 2008 that is mentioned in the &quot;Symptoms&quot; section.&quot;</li> In the right-pane, double-click the object to open the object properties dialog box.</li> In the Attributes list, locate the attribute names that you noted in step 8 of the &quot;Create an LDIF dump file to find the attribute values&quot; section.</li> After you locate the attributes, modify the attribute values one at a time. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> Double-click the first attribute that you noted.</li> In the Values list, click a value, and then click Remove.</li> Repeat step 6b for other values, as appropriate for your situation.</li> <li>Click OK to close the attribute properties dialog box.</li></ol> </li> <li>Repeat step 6 for the other attributes that you noted in the Attributes list in step 5.</li> <li>Click OK to close the object properties dialog box.</li> <li>On the File menu, click Exit to close the ADSI Edit tool.</li></ol>

Note If the attribute limit is for DNS or NS record registrations, try removing some of the unwanted DNS records from the server to see whether you can reduce the number of attribute values. If this is not successful, try to restrict SRV and NS record registrations. For more information, see the &quot;References&quot; section.

Method 3
Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

You can use the ADSI Edit snap-in to remove unwanted SMTP addresses (proxy addresses) for specific Active Directory objects. To do this, follow these steps:
 * 1) Open Exchange System Manager.
 * 2) Expand Recipients, and then click Recipient Update Services.
 * 3) In the right pane, double-click Recipient Update Service (Enterprise Configuration).
 * 4) In the Update interval list, click Never Run, and then click OK.
 * 5) Close Exchange System Manager.
 * 6) Click Start, click Run, type adsiedit.msc, and then click OK.
 * 7) In the ADSI Edit Microsoft Management Console (MMC) snap-in, expand the Domain node.
 * 8) Locate and then click the container node that contains the Active Directory object that you noted in Event ID 2008. This is the Event ID that is mentioned in the &quot;Symptoms&quot; section.&quot;
 * 9) In the right-pane, double-click the object to open the object properties dialog box.
 * 10) In the Attributes list, double-click proxyAddresses.
 * 11) Remove all the unwanted values from the Values list.
 * 12) Click OK to close the attribute properties dialog box.
 * 13) Click OK to close the object properties dialog box.
 * 14) On the File menu, click Exit the ADSI Edit snap-in.
 * 15) Open Exchange System Manager.
 * 16) Expand Recipients, and then click Recipient Update Services.
 * 17) In the right pane, double-click Recipient Update Service (Enterprise Configuration).
 * 18) In the Update interval list, click Always Run, and then click OK.
 * 19) Right-click Recipient Update Service (Enterprise Configuration), and then click Update Now.
 * 20) Right-click Recipient Update Service (Enterprise Configuration), and then click Rebuild.
 * 21) In the Rebuild Address Lists and Recipient Policies dialog box, click Yes.
 * 22) Exit Exchange System Manager.

Method 4
You can follow the procedure that is described in the following Microsoft Knowledge Base article to remove unwanted proxy addresses:

318774 Removing duplicate and unwanted proxy addresses in Exchange

<div class="moreinformation_section">

MORE INFORMATION
The limit for the multivalued object in a non-linked attribute in the Active Directory directory service is defined by the operating system version and by its forest functional level. Windows Server 2003 increases the maximum numeric value that can be stored in a non-linked attribute.

The following table contains estimates of the maximum value that can be stored in a non-linked attribute in Windows 2000 Server and in Windows Server 2003.

Note The actual value of a non-linked attribute varies depending on the length of characters and on the length of character sets in Active Directory.

<div class="references_section">