Article ID: 306091
Article Last Modified on 10/11/2007
APPLIES TO
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
- Microsoft Windows Server 2003, Standard x64 Edition
- Microsoft Windows Server 2003, Enterprise x64 Edition
- Microsoft Windows Server 2003, Datacenter x64 Edition
- Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
- Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
This article was previously published under Q306091
SUMMARY
Simultaneous changes against Active Directory object attributes on different domain controllers may cause an Active Directory collision for the update. When this occurs, NTDS replication warnings 1083 or 1061, or SAM error ID 12294 may be logged.
MORE INFORMATION
The following events may be logged if immediate replication is triggered (for example, by an urgent replication for a user lockout condition) and collides with the local Active Directory update:
This indicates that the unsuccessful attempt of the remotely triggered update will be retried later:
If advanced NTDS logging is enabled, the following error ID may also be logged:
If NTDS logging is set to 4 (Verbose) or higher in the Replication Events entry of the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics\ subkey, the following error ID may also be logged:
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
285858 Error message: The replication system encountered an internal error
If the remotely triggered update wins against the local update, the following system event may be logged for a user account lockout:
You must analyze the error data to determine the correct error condition (DWord data hexadecimal 0xc00002a5 = decimal -1073741147: STATUS_DS_BUSY, ntstatus.h).
After the warnings, an NTDS information event is logged that reports that the queued update has already been made (with the same version ID) and is ignored as redundant:
When this condition exists, no replication error has occurred. Active Directory is consistent and you can safely ignore the resulting event logs.
On a computer that is running Microsoft Windows Server 2003, you can also determine whether a replication error has occurred by exporting the replication meta-data of the object. To do this, run the following command at a command prompt:
repadmin /showobjmeta domainController objectDN
Note: In this command, make the following replacements for the placeholders:
- Replace the domainController placeholder with the host name of a domain controller.
- Replace the objectDN placeholder with the distinguished name of the affected object.
In the output that this command generates, match the last update times of the attribute to the times that the events were logged. From this information, you can determine which attribute caused the replication error.
Generally, you experience this problem with the lockoutTime attribute or with one of the password attributes. In these cases, you can safely ignore the events. The events occur because the change that occurs on the primary domain controller (PDC) is also written to the local domain controller. At the same time, the change is replicated among the domain controllers. For lockoutTime, the change is replicated urgently in the site of the PDC.
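The matching step described above, as an added example that is not part of the original article: it parses saved repadmin /showobjmeta output and pairs each logged event with the attributes whose last update time falls within a few seconds of it. The column layout, the sample rows and event times (all constructed), the BENIGN attribute list, the 5-second window and the verdict labels are assumptions of this example; both sets of timestamps are assumed to be in the same time zone.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the column layout that `repadmin /showobjmeta` prints
# (layout assumed; DC names, USNs and times are made up for illustration).
SAMPLE_META = r"""
Loc.USN  Originating DSA   Org.USN  Org.Time/Date        Ver Attribute
=======  =============== ========= =============        === =========
  20481  Site-A\DC01         20481 2007-10-01 08:12:44    1 sAMAccountName
  98812  Site-A\PDC01        77120 2007-10-11 09:15:02    7 unicodePwd
  98812  Site-A\PDC01        77120 2007-10-11 09:15:02    7 pwdLastSet
  99140  Site-A\PDC01        77390 2007-10-11 14:03:27    4 lockoutTime
  99502  Site-A\DC02         50311 2007-10-11 16:40:10    3 description
"""
# Constructed (event ID, time logged) pairs as read from the DC's event logs.
SAMPLE_EVENTS = [(1083, "2007-10-11 14:03:28"), (12294, "2007-10-11 14:03:29"),
                 (1083, "2007-10-11 16:40:11"), (1061, "2007-10-09 11:00:00")]

# Assumption: the attributes this triage treats as lockout or password state.
BENIGN = {"lockoutTime", "unicodePwd", "dBCSPwd", "ntPwdHistory",
          "lmPwdHistory", "pwdLastSet", "supplementalCredentials"}

ROW = re.compile(r"^\s*(\d+)\s+(\S.*?)\s+(\d+)\s+"
                 r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s*$")
FMT = "%Y-%m-%d %H:%M:%S"

def parse_objmeta(text):
    """Return one dict per attribute row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"dsa": m.group(2), "time": datetime.strptime(m.group(4), FMT),
                         "ver": int(m.group(5)), "attr": m.group(6)})
    return rows

def triage(meta, events, window=timedelta(seconds=5)):
    """Pair each event with the attributes last written within `window` of it."""
    out = []
    for event_id, logged in events:
        t = datetime.strptime(logged, FMT)
        attrs = sorted(r["attr"] for r in meta if abs(r["time"] - t) <= window)
        verdict = ("no matching attribute write" if not attrs else
                   "expected collision" if set(attrs) <= BENIGN else "review")
        out.append((event_id, logged, attrs, verdict))
    return out

if __name__ == "__main__":
    for row in triage(parse_objmeta(SAMPLE_META), SAMPLE_EVENTS):
        print(row)
```

An event that matches no attribute write on the object most likely belongs to a different object, so repeat the export for the other distinguished names named in the events.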
A list of changes for which you may experience a replication collision is found in the following Knowledge Base article:
232690 Urgent replication triggers in Windows 2000
Because of the short replication notification intervals that you can have in Microsoft Windows Server 2003, you may experience a replication collision in the same site of the PDC. Password changes are one example of a scenario in which you may experience a replication collision. This behavior occurs because a domain controller forwards new passwords to the PDC. Both the PDC and the local domain controller then replicate the changed password information. Therefore, a replication collision may occur on another domain controller in the same site. For more information about replication notification, click the following article number to view the article in the Microsoft Knowledge Base:
214678 How to modify the default intra-site domain controller replication interval
To help reduce the generation of replication collision events, configure the PDC in a site that does not have other domain controllers or client computers. In this scenario, the PDC does not urgently replicate updates that it receives. Therefore, you may reduce the risk of replication collisions. In a large domain, you can use this method to help reduce the load on the PDC. For more information about "piling on" scenarios, click the following article number to view the article in the Microsoft Knowledge Base:
305027 Summary of "piling on" scenarios in Active Directory domains