nschwend

error on NTDS SDPROP 2008 & 1262 in Directory Replication

Hello all,
I've a problem with my AD infrastructure! I've noticed that every 30 minutes in my event log there are the following errors:
Event Type:      Error
Event Source:      NTDS SDPROP
Event Category:      Internal Processing
Event ID:      2008
Date:            26.03.2008
Time:            10:17:37
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      SRVWDC001
Description:
Internal error: The security descriptor propagation task encountered an error while processing the following object. The propagation of security descriptors may not be possible until the problem is corrected.
 
Object:
CN=u-rail,OU=1Area,OU=Aree,DC=webdew,DC=local
 
Additional Data
Error value:
-1112 []
Internal ID:
2080490

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      NTDS SDPROP
Event Category:      Internal Processing
Event ID:      1262
Date:            26.03.2008
Time:            10:17:37
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      SRVWDC001
Description:
The security descriptor propagation task could not process a propagation event starting from the following container.
 
Container:
OU=1Area,OU=Aree,DC=webdew,DC=local
 
As a result, the security descriptor propagation task will either suspend processing for thirty minutes or wait until a security descriptor has changed for any object.
 
User Action
Check the security descriptor on this container.
 
Additional Data
Error value:
20ef The directory service encountered an unknown failure.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

the user has only 4 mailboxes...

I already followed the suggestion you find at http://www.eventid.net/display.asp?eventid=2008&eventno=3938&source=NTDS%20SDPROP&phase=1

but it doesn't work...

any suggestion?
thank you very much

Nick
Netman66

It appears (to me) that there are some Security Entries on either the OU named, "u-rail" or "1Area" or both.

I think I'd start with 1Area - there may be a Delegation issue or someone could have removed some needed ACEs.  Check this against another OU that is NOT in this OU tree.

Oops - there are some "BAD" Security Entries ....   missed the word BAD!

nschwend

ASKER

Hi Netman66,
thank you very much for your support but I don't understand what I've to check... the permissions?

thank you again!

Nick
Hi Netman66,
I've checked the security on both OU and user and with someone that doesn't create trouble and it's the same.

If you put ADUC into Advanced View, then right click each of those OUs, look at the Security tab and compare them to another OU that is not under the "Aree" OU (not sure if that's a typo on your part).
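
The OU comparison described in the reply above can also be done from PowerShell, which lists every ACE field instead of the summarised view in the Security tab. This is an added example, not part of the original thread; it assumes the ActiveDirectory module (RSAT) is installed, and `OU=ReferenceOU` is a placeholder for an OU outside the affected tree.

```powershell
# Added example: requires the ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

# Suspect OU is the container named in event 1262 above.
$SuspectDn   = 'OU=1Area,OU=Aree,DC=webdew,DC=local'
# Placeholder: replace with an OU that is NOT under the "Aree" tree.
$ReferenceDn = 'OU=ReferenceOU,DC=webdew,DC=local'

function Get-AceSummary {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Flatten each ACE into comparable properties.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            ObjectType  = $ace.ObjectType
            InheritsTo  = $ace.InheritedObjectType
            Inheritance = $ace.InheritanceType
            IsInherited = $ace.IsInherited
        }
    }
}

# Owner and inheritance blocking are not ACEs, so report them separately.
foreach ($dn in $SuspectDn, $ReferenceDn) {
    $acl = Get-Acl -Path "AD:\$dn"
    [pscustomobject]@{
        OU                   = $dn
        Owner                = $acl.Owner
        InheritanceProtected = $acl.AreAccessRulesProtected
    }
}

$props     = 'Identity','Type','Rights','ObjectType','InheritsTo','Inheritance','IsInherited'
$reference = @(Get-AceSummary -DistinguishedName $ReferenceDn)
$suspect   = @(Get-AceSummary -DistinguishedName $SuspectDn)

# '<=' rows exist only on the reference OU, '=>' rows only on the suspect OU.
Compare-Object -ReferenceObject $reference -DifferenceObject $suspect -Property $props |
    Sort-Object Identity |
    Format-Table -AutoSize

# Trustees that did not resolve to a name show up as raw SIDs (often deleted accounts).
$suspect | Where-Object { $_.Identity -match '^S-1-' } |
    Select-Object Identity, Type, Rights, IsInherited
```

Run the same comparison against the object from event 2008 (`CN=u-rail,OU=1Area,OU=Aree,DC=webdew,DC=local`) by changing `$SuspectDn` and using a comparable healthy object as the reference.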

Hi NetMan66,
I checked again and all the security items are the same... :-(

It's interesting that those links you posted all contain references to Exchange.  Perhaps you should post a Question in the Exchange forum simply linking to this one.  Ping Sembee there, he is the Exchange guru that may be able to help here.

I will also attempt to get him onboard here.

Sit tight.

thanks man... I've posted a new thread in the exchange area...
https://www.experts-exchange.com/questions/23276943/POINTER-error-on-NTDS-SDPROP-2008-1262-in-Directory-Replication.html

Hope someone could help me!

Nick

I see no references to Exchange in the errors, only in the event ID entry. I would have to disagree that it is connected to Exchange unless there are further errors that tie it to Exchange. This looks like an AD error.

The advice I would give is to call Microsoft. There is very little on this error that I can find, therefore that means it is something unusual. Microsoft can do the one thing that we cannot - and that is look at your actual server. I suspect that there is something wrong with the AD.

Simon.

Did you take a look at the Event ID link for these?

That's what's got me confused.

I don't know if this will help.

I put on Mozilla thunderbird as my mail client. Then, I created profiles for individual folks that are using Thunderbird. The client then logs on to his/her AD profile using Domain credentials. The domain credentials are not located on the local computer.

So, the email profile that mozilla creates, was created by the domain administrator and the local user can't open the folder for the email profile. Why, you ask, "because the security descriptor doesn't match the email profile".

All you have to do is this:
Put the AD username and password for this client in the client's list of users. Then, make sure they have permissions for their own email profile folder on the local machine.


Like I say, I don't know if this is your problem. But, it's worth a shot.

I did look at the event ID link that was posted, which was connected to Exchange, but the errors posted above are not.

Simon.

Hello all,
I checked chiefIT's suggestion but everything is fine...
I'm still without a working solution...

please help me!

Nick

I may have made a mistake on my last. The 'users' will need full permissions on their own email profile and the permissions will need to be passed down to all child objects. Otherwise, the email client software will not work as you wished, if you originally created their profile as an administrator.

Just wanted to make sure the idea was passed on in a clear fashion.

Hi ChiefIT, thank you for your answer. The user has full control on his email account...

thank you

Nick
ASKER CERTIFIED SOLUTION
nschwend

Interesting.  Thanks for the update.

As I suggested before the problem has gone...

thanks all for your support.

Nick

Thanks for sharing your solution!

Cheers,
NM

Closed, 500 points refunded.
Vee_Mod
Experts Exchange Moderator