Microsoft KB Archive/837932

= Event ID 2108 and Event ID 1084 occur during inbound replication of Active Directory in Windows 2000 Server and in Windows Server 2003 =

Article ID: 837932

Article Last Modified on 11/1/2007


APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Advanced Server






SYMPTOMS
When inbound replication of the Active Directory directory service occurs, a destination domain controller that is running Microsoft Windows 2000 Server or Microsoft Windows Server 2003 may log the following event:

Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1084
Description: Internal event: Active Directory could not update the following object with changes received from the following source domain controller. This is because an error occurred during the application of the changes to Active Directory on the domain controller.

Object: distinguished_name_path_of_object_that_failed_to_write_to_local_database
Object GUID: 32_character_alpha-numeric_object_GUID
Source domain controller: object_GUID_for_source_domain_controller's_NTDSDSA_object._msdcs.forest_root_domain

Synchronization of the local domain controller with the source domain controller is blocked until this update problem is corrected. This operation will be tried again at the next scheduled replication.

User Action
Restart the local domain controller if this condition appears to be related to low system resources (for example, low physical or virtual memory).

Additional Data
Error value: 8409 A database error has occurred.

Destination domain controllers that are running Windows Server 2003 Service Pack 1 (SP1) may also log the following event:

Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 2108
Description: This event contains REPAIR PROCEDURES for the 1084 event which has previously been logged. This message indicates a specific issue with the consistency of the Active Directory database on this replication destination. A database error occurred while applying replicated changes to the following object. The database had unexpected contents, preventing the change from being made.

Object: distinguished_name_path_of_object_that_failed_to_write_to_local_database
Object GUID: 32_character_alpha-numeric_object_GUID
Source domain controller: object_GUID_for_source_domain_controller's_NTDSDSA_object._msdcs.forest_root_domain



CAUSE
These events occur when the domain controller cannot write a transactional change to the local copy of the Active Directory database.



RESOLUTION
To resolve this problem, follow these steps. Retry the replication operation after each step that makes a change.

1. Make sure that sufficient free disk space is available on the volumes that host the Active Directory database, and then retry the operation. Follow these steps to free additional disk space:

   a. Move unrelated files to another volume.

   b. Perform a system state backup. This process reduces the size of the transaction log files. For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

      240363 How to use the backup program to back up and restore the system state in Windows 2000

      326216 How to use the backup feature to back up and restore data in Windows Server 2003

   c. Perform an offline defragmentation of Active Directory. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

      232122 Performing offline defragmentation of the Active Directory database

2. Make sure that the physical drives that host the Ntds.dit file and the transaction log files do not have NTFS file system compression turned on. To confirm this, right-click the drive letter in My Computer, and then make sure that the Compress drive to save disk space check box is not selected.

3. Make sure that the physical drives that host the Ntds.dit file and the transaction log files are specifically excluded from remote and local antivirus programs. See your antivirus software documentation for more information.

4. If the destination domain controller contains the global catalog, and the error occurs in one of the read-only partitions, use one of the following methods to help resolve the problem:

Method 1
Use the rehost option of the Repadmin.exe tool to rehost the affected partition. The Repadmin.exe tool is included with Windows Server 2003 SP1. To do this, type the following at a command prompt, supplying the name of the destination domain controller and the name of another domain controller as the arguments:

repadmin /rehost

Method 2
To configure the domain controller so that it is no longer a global catalog server, follow these steps:

   a. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.

   b. Locate the Default-First-Site-Name\Servers\domain_controller_name\NTDS Settings subtree.

   c. Right-click NTDS Settings, and then click Properties.

   d. Click to clear the Global Catalog check box. Click OK.

Method 3
If the error occurs in a program partition, use the Ntdsutil.exe tool to change the replica that hosts the program partition. For more information about Active Directory Directory Services Maintenance Utility (Ntdsutil.exe), visit the following Microsoft Web site:

http://technet2.microsoft.com/windowsserver/en/library/819bea8b-3889-4479-850f-1f031087693d1033.mspx
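The event fields shown under SYMPTOMS and the checks in steps 1 and 2, as an added PowerShell example that is not part of this article: it pulls Event ID 1084 and 2108 entries from the Directory Service log, extracts the object, GUID and error value from each message, and then reports free space and compression state for the volumes and files that hold Ntds.dit and the transaction logs. It assumes PowerShell 2.0 or later on the destination domain controller and reads the database and log locations from the NTDS service's Parameters registry key (the value names DSA Database file and Database log files path are standard Windows values and are not taken from this article). The antivirus exclusion in step 3 has no generic check and is left to the product documentation.

```powershell
# Added example, not part of KB 837932. Run on the destination domain controller.
# Assumes PowerShell 2.0 or later (Get-EventLog -Source, Get-WmiObject -Filter).

# Find the 1084/2108 events and pull out the fields the article references.
function Get-NtdsReplicationDbErrors {
    param([int]$Newest = 200)
    # 'Directory Service' is the log; 'NTDS Replication' is the source shown in the event text.
    $events = Get-EventLog -LogName 'Directory Service' -Source 'NTDS Replication' -Newest $Newest -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 1084 -or $_.EventID -eq 2108 }
    foreach ($e in $events) {
        $m = $e.Message
        $dn = $null; $guid = $null; $err = $null
        # (?s) lets .+? cross the line breaks inside the event text.
        if ($m -match '(?s)Object:\s*(?<dn>.+?)\s*Object GUID:') { $dn = $Matches['dn'].Trim() }
        if ($m -match 'Object GUID:\s*(?<g>[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})') { $guid = $Matches['g'] }
        if ($m -match 'Error value:\s*(?<v>-?\d+)') { $err = [int]$Matches['v'] }
        New-Object PSObject -Property @{
            TimeGenerated = $e.TimeGenerated
            EventID       = $e.EventID
            Object        = $dn
            ObjectGuid    = $guid
            ErrorValue    = $err        # 8409 = "A database error has occurred", as in the 1084 text
        }
    }
}

# Steps 1 and 2: free space on the volumes that hold Ntds.dit and the logs, and whether
# the volume or the database files themselves are NTFS-compressed.
function Test-NtdsVolume {
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dbFile = $params.'DSA Database file'          # e.g. C:\Windows\NTDS\ntds.dit
    $logDir = $params.'Database log files path'    # e.g. C:\Windows\NTDS
    foreach ($path in @($dbFile, $logDir)) {
        $drive = [System.IO.Path]::GetPathRoot($path).TrimEnd('\')   # 'C:'
        $disk  = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
        $item  = Get-Item -LiteralPath $path -Force
        $fileCompressed = ([int]($item.Attributes -band [System.IO.FileAttributes]::Compressed)) -ne 0
        New-Object PSObject -Property @{
            Path             = $path
            FreeSpaceMB      = [math]::Round($disk.FreeSpace / 1MB)
            VolumeCompressed = [bool]$disk.Compressed   # "Compress drive to save disk space" (step 2)
            FileCompressed   = $fileCompressed          # compression set on the file or folder itself
        }
    }
}

Get-NtdsReplicationDbErrors | Format-List TimeGenerated, EventID, Object, ObjectGuid, ErrorValue
Test-NtdsVolume | Format-Table Path, FreeSpaceMB, VolumeCompressed, FileCompressed -AutoSize
```

Any row with VolumeCompressed or FileCompressed set to True, or with little free space, points at steps 1 and 2 before the deeper database checks later in this article are attempted.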

5. Use a third-party utility, such as the FileMon utility, to determine if a program or a user is accessing the Active Directory database, the transaction log files, or the Edp.tmp file. If file access activity exists, stop the services that are responsible for the activity. For more information about the FileMon utility, visit the following Sysinternals Web site:

   http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx

6. Determine if the problem is related to the parent of the Active Directory object on the destination domain controller. To do this, follow these steps:

   a. On the source domain controller, temporarily move the object that is referenced in Event ID 1084 to an organizational unit (OU) container. The OU must be unrelated to the current container. For example, move the object to a new container off the root of the domain.

   b. If replication is completed after you move the object, move the object back to its original container.

   c. Force the security descriptor propagator to rebuild the object container ancestry in the database that exists on both the source and destination domain controllers. To do this, follow these steps:

      i. Make sure that the Windows Server 2003 Support Tools are installed. The Support Tools are available on the Windows Server 2003 CD-ROM in the Support\Tools folder. Double-click the Suptools.msi file to install the tools.

      ii. Click Start, click Run, type ldp, and then click OK.

      iii. Click Connection, click Connect, and then type the name of the server that you want to connect to. You will connect over port 389 for Active Directory.

      iv. Click Connection, click Bind, and then type your administrative user name, password, and domain. (You must use domain administrator or enterprise administrator credentials.) Click OK.

      v. On the Browse menu, click Modify. Leave the DN text box blank. In the Attribute text box, type FixUpInheritance. In the Value text box, type Yes.

      vi. In the Operation area, click Add.

      vii. Click Enter to populate the Entry List area. [Add]fixupinheritance:yes appears in the Entry List area.

      viii. Click Run. The right pane shows a "Modified" status, and the security descriptor propagator starts. The runtime for the security descriptor propagator depends on the size of the Active Directory database. The process is complete when the DS Security Propagation Events counter in the NTDS Performance object returns to zero.

      ix. Click Close, click Connection, and then click Exit.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

251343 Manually initializing the SD propagator thread to evaluate inherited permissions for objects in Active Directory
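The same RootDSE modify that the LDP steps above perform, as an added PowerShell example that is not part of this article: Start-SdPropagator writes fixupInheritance with the value yes to RootDSE on the named domain controller (the operation LDP shows as [Add]fixupinheritance:yes), and Wait-SdPropagator polls the NTDS performance counter for security descriptor propagation events until it returns to zero, which is how the article says to tell that the propagator has finished. Assumptions not on the page: PowerShell 2.0 or later, the session runs as a domain or enterprise administrator, the counter is located by a name pattern rather than a fixed name, and Wait-SdPropagator runs locally on the domain controller being watched. Run it against both the source and the destination domain controller, as step c above requires.

```powershell
# Added example, not part of KB 837932. Assumes PowerShell 2.0 or later and an
# administrative session; the counter name is matched by pattern because the exact
# wording differs between Windows versions.

function Start-SdPropagator {
    param([Parameter(Mandatory = $true)][string]$DomainController)
    # RootDSE modify over LDAP (port 389), the same thing LDP's Modify dialog sends.
    $rootDse = [ADSI]"LDAP://$DomainController/RootDSE"
    $rootDse.Put('fixupInheritance', 'yes')   # [Add]fixupinheritance:yes
    $rootDse.SetInfo()                        # commits the modify; the propagator starts on the DC
}

function Wait-SdPropagator {
    param([int]$TimeoutMinutes = 60, [int]$PollSeconds = 15)
    # Locate the "DS Security ... Propagation(s) Events" counter in the NTDS counter set.
    $path = (Get-Counter -ListSet 'NTDS').Paths |
        Where-Object { $_ -like '*Security*Propagation*Events*' } |
        Select-Object -First 1
    if (-not $path) { throw 'NTDS security descriptor propagation counter not found on this computer' }
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $pending = (Get-Counter -Counter $path).CounterSamples[0].CookedValue
        Write-Host ('{0:HH:mm:ss} pending propagation events: {1}' -f (Get-Date), $pending)
        if ($pending -eq 0) { return $true }      # propagator finished
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $false                                 # still running when the timeout expired
}

# Usage (hypothetical host name): trigger on the DC, then watch it from a session on that DC.
# Start-SdPropagator -DomainController 'dc1.example.test'
# Wait-SdPropagator -TimeoutMinutes 120
```

A False return from Wait-SdPropagator only means the timeout expired; on a large database the propagator can legitimately run for a long time, so raise the timeout rather than treating that as a failure.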

7. On the source domain controller, type repadmin /showmeta at a command prompt, and then view the object metadata for the distinguished name path that is referenced in Event ID 1084. Repeat this step on the destination domain controller. Look for inconsistent values that include, but are not limited to, the following:

    * Incorrect names and numbers of attributes that appear on the object
    * Incorrect originating time or date stamps
    * Incorrect local update sequence numbers (USN)

   Incorrect values may indicate a problem with the database page that hosts the object.

   To use the Repadmin.exe tool when the distinguished name path refers to a live object, type the following at a command prompt:

   repadmin /showmeta

   If the object is in a deleted objects container or if you cannot use the Repadmin.exe tool to find the object, use the object's GUID reference to find the object. This GUID is referenced in Event ID 1084. To do this, type the following at a command prompt:

   repadmin /showmeta "<GUID=32_character_alpha-numeric_object_GUID>"

   For example, if Event ID 1084 and Event ID 2108 reference an object where the GUID is b49cd496-98a2-4500-bb08-58550c2f79ac, type:

   repadmin /showmeta "<GUID=b49cd496-98a2-4500-bb08-58550c2f79ac>"
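One way to do the comparison that step 7 asks for, as an added PowerShell example that is not part of this article: ConvertFrom-ShowMeta parses the tabular output of repadmin /showmeta (the Loc.USN, Originating DSA, Org.USN, Org.Time/Date, Ver and Attribute columns) into a per-attribute table, and Compare-ShowMeta lines up the output captured on the source and on the destination domain controller and reports attributes that are missing on one side or whose version, originating DSA, originating USN or originating time stamp disagree. The local USN is expected to differ between domain controllers and is not compared. The two sample outputs embedded in the script, and the DC1 server name and object they describe, are constructed for the example; with real data, capture repadmin /showmeta to a file on each domain controller and pass the file contents to Compare-ShowMeta. The column layout the parser expects is the one shown in the samples; adjust the regular expression if your version prints additional columns.

```powershell
# Added example, not part of KB 837932. Parses and compares repadmin /showmeta output
# captured on two domain controllers. Assumes PowerShell 2.0 or later and the column
# layout shown in the constructed samples below.

function ConvertFrom-ShowMeta {
    param([string[]]$Lines)
    # One data row per attribute: Loc.USN, Originating DSA, Org.USN, Org.Time/Date, Ver, Attribute
    $rx = '^\s*(?<LocUsn>\d+)\s+(?<Dsa>\S+)\s+(?<OrgUsn>\d+)\s+(?<OrgTime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?<Ver>\d+)\s+(?<Attr>\S+)\s*$'
    $table = @{}
    foreach ($line in $Lines) {
        if ($line -match $rx) {
            $table[$Matches['Attr']] = New-Object PSObject -Property @{
                LocUsn  = [long]$Matches['LocUsn']
                Dsa     = $Matches['Dsa']
                OrgUsn  = [long]$Matches['OrgUsn']
                OrgTime = $Matches['OrgTime']
                Ver     = [int]$Matches['Ver']
            }
        }
    }
    return $table
}

function Compare-ShowMeta {
    param([string[]]$SourceLines, [string[]]$DestinationLines)
    $src = ConvertFrom-ShowMeta -Lines $SourceLines
    $dst = ConvertFrom-ShowMeta -Lines $DestinationLines
    $attributes = @($src.Keys) + @($dst.Keys) | Sort-Object -Unique
    foreach ($a in $attributes) {
        $s = $src[$a]; $d = $dst[$a]
        $problem = $null
        if (-not $s)               { $problem = 'attribute present only on destination' }
        elseif (-not $d)           { $problem = 'attribute present only on source' }
        elseif ($s.Ver -ne $d.Ver) { $problem = "version $($s.Ver) on source, $($d.Ver) on destination" }
        elseif ($s.Dsa -ne $d.Dsa -or $s.OrgUsn -ne $d.OrgUsn -or $s.OrgTime -ne $d.OrgTime) {
            $problem = 'same version but different originating DSA, USN or time stamp'
        }
        if ($problem) { New-Object PSObject -Property @{ Attribute = $a; Problem = $problem } }
    }
}

# Constructed sample output for one object, as repadmin /showmeta prints it on each DC.
# The description attribute has version 3 on the source but 2 on the destination, and
# the destination lists a title attribute that the source does not.
$sourceSample = @'
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
   8196            Default-First-Site-Name\DC1      8196 2007-11-01 10:00:00    1 objectClass
   8196            Default-First-Site-Name\DC1      8196 2007-11-01 10:00:00    1 cn
   9310            Default-First-Site-Name\DC1      9310 2007-11-01 11:42:17    3 description
'@
$destinationSample = @'
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
  12044            Default-First-Site-Name\DC1      8196 2007-11-01 10:00:00    1 objectClass
  12044            Default-First-Site-Name\DC1      8196 2007-11-01 10:00:00    1 cn
  12901            Default-First-Site-Name\DC1      9102 2007-11-01 11:10:05    2 description
  12044            Default-First-Site-Name\DC1      8196 2007-11-01 10:00:00    1 title
'@

Compare-ShowMeta -SourceLines ($sourceSample -split "`r?`n") -DestinationLines ($destinationSample -split "`r?`n") |
    Format-Table Attribute, Problem -AutoSize
```

A version difference on its own can simply be a change that has not replicated yet; the pattern the article points at is metadata that cannot be explained by pending replication, such as the same version with a different originating DSA or time stamp, or attributes that exist on only one side.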

   Note The quotation marks around the GUID reference are required.

8. Obtain the most recent Ntdsutil.exe tool by installing the latest service pack for your operating system. Use the Ntdsutil.exe tool to perform an integrity check of the Active Directory database on the source domain controller.

Before you start the computer in Directory Services Restore Mode, obtain the password for the offline administrator account. If you do not know the administrator account password, reset the Directory Services Restore Mode password before you start in this mode. On domain controllers that are running Windows 2000 Service Pack 2 (SP2) and later, use the Setpwd.exe command. The Setpwd.exe command is located in the %Systemroot%\System32 folder. On Windows Server 2003-based domain controllers, use the Ntdsutil Set Directory Services Restore Mode Password command. For more information about Directory Services Restore Mode, click the following article number to view the article in the Microsoft Knowledge Base:

258062 &quot;Directory Services cannot start&quot; error message when you start your Windows-based or SBS-based domain controller

For more information about how to change the password in Windows 2000 Server, click the following article number to view the article in the Microsoft Knowledge Base:

239803 How to change the Recovery Console administrator password on a domain controller

For more information about how to change the password in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

322672 How to reset the Directory Services Restore Mode administrator account password in Windows Server 2003

9. Restart the source domain controller, and then press F8 to start Directory Services Restore Mode. At the command prompt, type ntdsutil files integrity, and then press ENTER. This command confirms the integrity of the database.

    * If the Ntdsutil tool reports that the database is corrupted, and you have replicas of the naming contexts on the source domain controller, force a demotion of the source domain controller, and then re-promote it after you verify the integrity of the drivers, the firmware, and the physical drives that host the Active Directory database and the transaction log files.
    * If the database is corrupted, and no replicas of the naming context on the source domain controller exist, restore the newest system state. Use the NTDSutil.exe tool to confirm the integrity of the database again. If you still receive a corruption message, restore older backups until you can confirm the integrity of the domain controller.
    * If the database is still corrupted, restore the most recent system state backup, and then, at a command prompt, type:

ntdsutil files recover

Use the NTDSutil.exe tool to confirm the integrity of the database again. If the database passes the integrity check, perform an offline defragmentation of the disk partition. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

232122 Performing offline defragmentation of the Active Directory Database

To perform an integrity check of the database, type the following at a command prompt, followed by the name of the Active Directory database file, and then press ENTER:

esentutl.exe /g

Finally, use the Start Windows Normally option to restart the computer, and then retry replication from the source domain controller to the affected destination domain controller. If the database fails the integrity check, the domain controller must be discontinued. You can use the Active Directory Migration Tool (ADMT) to migrate objects. You can also use the Ldifde.exe and Csvde.exe tools to export objects that you will import to a new destination domain controller. For more information about how to use the ADMT, click the following article number to view the article in the Microsoft Knowledge Base:

326480 How to use Active Directory Migration Tool Version 2 to migrate from Windows 2000 to Windows Server 2003

For more information about how to use the Ldifde.exe and Csvde.exe tools, click the following article numbers to view the articles in the Microsoft Knowledge Base:

237677 Using LDIFDE to import and export directory objects to Active Directory

327620 How to use Csvde to import contacts and user objects into Active Directory

298882 The new command-line tools for Active Directory in Windows Server 2003

10. If these steps do not succeed, and the replication error continues, demote the domain controller, confirm the integrity of the physical drives and the volumes that host the Ntds.dit file and the disk subsystem, and then promote the domain controller again. Use the same computer name.

11. Use the ntdsutil files compact command to perform an offline defragmentation of the Active Directory database. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

232122 Performing offline defragmentation of the Active Directory Database

12. At the command prompt, type ntdsutil "semantic database analysis" "go", and then press ENTER.

Note The quotation marks in this example are required to run the semantic database analysis command by using a single command line argument.

If errors are reported, type ntdsutil go fixup, and then press ENTER.

Note Unlike the pre-Windows Server 2003 Service Pack 1 Ntdsutil File Repair and Esentutl /p commands, the semantic database commands do not perform lossy repairs on Active Directory databases.

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Additional query words: TombstoneLifeTime DC Transactional

Keywords: kbbug kbactivedirectory kbserver kbglobalcatalog kbtshoot kbeventlog kbevent kbperformance kbhardware kbmisctools KB837932


© Microsoft Corporation. All rights reserved.