Solved

Windows 2003 replication error

Posted on 2010-09-21
Last Modified: 2012-05-10
I am seeing errors with one particular domain controller (win2003)

DC=mydomain,DC=com
    yah\DC00 via RPC
        DSA object GUID: 8a784cb6-8b0f-4980-a0a8-8acf6593b5bb
        Last attempt @ 2010-09-21 16:40:33 failed, result 8304 (0x2070):
            The maximum size of an object has been exceeded.
        26911 consecutive failure(s).
        Last success @ 2010-09-03 13:51:27.
    mydomain\DC03 via RPC
        DSA object GUID: 99586208-7010-4a45-b287-260f64570904
        Last attempt @ 2010-09-21 16:41:10 failed, result 8304 (0x2070):
            The maximum size of an object has been exceeded.
        25176 consecutive failure(s).
        Last success @ 2010-09-03 13:51:37.



number of errors in the event log

why is this?
0
Comment
Question by:shankshank
8 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33730482
what are the events you are seeing, is this only happening on one DC?
0
 
LVL 13

Accepted Solution

by:
rhinoceros earned 100 total points
ID: 33731165
>>Last attempt @ 2010-09-21 16:40:33 failed, result 8304 (0x2070):
>> The maximum size of an object has been exceeded.

I supposed "Windows Error 0x00002070 - 8304"
The maximum size of an object has been exceeded.
ERROR_DS_MAX_OBJ_SIZE_EXCEEDED

Active Directory KB 8304
http://kb.monitorware.com/kbeventdb-detail-id-4648.html

How To Fix Error 8304 - Error Code 0x2070
http://www.wmpub.com/error8304_errorcode0x2070.php
http://www.windows-error-repair.org/error-code/8304.html
0
 
LVL 5

Author Comment

by:shankshank
ID: 33737873
yeah only one DC is seeing this. it's strange.
0
 
LVL 5

Author Comment

by:shankshank
ID: 33773642
yeah definitely not replicating...
0

 
LVL 5

Author Comment

by:shankshank
ID: 33773663
Error value:
8304 The maximum size of an object has been exceeded.
0
 

Expert Comment

by:dmoecolorado
ID: 34062275
Any luck with this error ?

I am also experiencing it on 3 out of 15 Domain Controllers - the three are all members in the same AD site.
0
 
LVL 5

Author Comment

by:shankshank
ID: 34167621
i deleted some objects that were not replicating and that seemed to fix it..
0
 

Assisted Solution

by:dmoecolorado
dmoecolorado earned 400 total points
ID: 34483600
This was quite a process to clean this issue up.

As it turned out, our issue was ultimately caused by a third-party software's population of the "proxyaddresses" attribute of a particular AD object.

I have included the resolution in the hopes that this may provide assistance for someone in the future.

Thank you everyone for your input.

David

--------------------------------------

It was my pleasure to assist you during your issue “AD replication error :- (8304) The maximum size of an object has been exceeded "

Here is a summary of the key points of the case for your records.


PROBLEM:       AD replication error :- (8304) The maximum size of an object has been exceeded

RESOLUTION:
1)  Initially when the case was opened we were getting errors in Repadmin /replsum as “(8304) The maximum size of an object has been exceeded” for xxxxx Site.

2) When we checked the replication part, we found that we were getting errors for Configuration partition replication. However, we had issues with Domain partition replication as well.

3) We checked and found that we were getting event ID 2042 on all the domain controllers stating that the domain controllers were in Tombstoned state.

4) We created a Registry key on all the DC’s as “Allow replication with divergent and corrupt partner” at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

5) We forced the replication and we found that we started getting event ID’s 1566, 1311 and 1864 for KCC events.

6) When we went through the entire topology we found that we had a “Hub and Spoke Topology” with “xxxxx Site” being the Hub site, but that wasn’t configured properly.

7) Hence we configured the Hub and Spoke topology correctly and we deleted all the KCC connection objects on the DC’s from Active Directory Sites and Services.

8) We ran repadmin /KCC * to create connection objects with all the domain controllers.

9) Now when we ran Repadmin /syncall /AePd to force the replication we got the same “8304 error” for configuration partition replication.

10) We took an LDIFDE dump of the configuration partition from <your-domain-controller> (bad server). In order to take that dump we ran: ldifde -f ldifde.ldf -d "CN=Configuration,DC=<your-domain>,DC=com"

11) We found that an object with DN path: CN=Microsoft System Attendant\0ADEL:4b9b5f23-95a0-4f6c-86c6-25f0985c62b1,CN=Deleted Objects,CN=Configuration,DC=<your-domain>,DC=com had an attribute named “ProxyAddresses” with multiple instances (up to 1257 in count), and it was not getting removed as it was in the Deleted Objects container but the “ISdeleted” flag was not stamped on the attribute.
The attribute looked like:-
proxyAddresses: RFAX:Microsoft System Attendant86588@
proxyAddresses: rfax:Microsoft System Attendant41572@
proxyAddresses: rfax:Microsoft System Attendant62092@
proxyAddresses: rfax:Microsoft System Attendant61108@
proxyAddresses: rfax:Microsoft System Attendant81626@
proxyAddresses: rfax:Microsoft System Attendant36610@
proxyAddresses: rfax:Microsoft System Attendant57130@
proxyAddresses: rfax:Microsoft System Attendant56146@
proxyAddresses: rfax:Microsoft System Attendant76664@
proxyAddresses: rfax:Microsoft System Attendant31648@
proxyAddresses: rfax:Microsoft System Attendant52168@
proxyAddresses: rfax:Microsoft System Attendant72686@
proxyAddresses: rfax:Microsoft System Attendant71702@
proxyAddresses: rfax:Microsoft System Attendant26686@
proxyAddresses: rfax:Microsoft System Attendant47206@
proxyAddresses: rfax:Microsoft System Attendant67724@
proxyAddresses: rfax:Microsoft System Attendant66742@

   
12) Hence it wasn’t getting removed. We tried changing the Isdeleted attribute for that object using the LDP.exe tool but it failed with “constrained violation error” as it was in the deleted object container.

13) We also found that a few of the domain controllers don’t have the registry key named “Strict replication consistency” at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters.
Note: “strict replication consistency” is the key that is responsible for protecting the domain controllers from replicating Lingering Objects.

14) Hence we created “strict Replication Consistency” on all the domain controllers.

15) Now when forced replication using repadmin /syncall /AePd we started getting “Event ID 1988” For lingering Objects.

16) Hence we  ran following command to get rid of lingering objects on all the domain controllers:

repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com

17)  Now we were not getting “Event ID 1988” anymore and Domain partition was getting replicated across the domain.

18) But we were still getting event ID “8304 The maximum size of an object has been exceeded” when we ran repadmin /replsum.

19) Hence we took the LDIFDE dump from <your-domain-controller> by running: ldifde -f good.ldf -s <your-domain-controller> -d "CN=Configuration,DC=<your-domain>,DC=com" -r (objectclass=exchangeadminservice) -x -p subtree -l "replpropertymetadata,objectguid,repluptodate" -1

20) From the output of the above command we found that the object with DN “CN=Microsoft System Attendant\0ADEL:4b9b5f23-95a0-4f6c-86c6-25f0985c62b1,CN=Deleted Objects,CN=Configuration,DC=<your-domain>,DC=com” was located in the Lost and Found container on <your-domain-controller>, whereas when we ran the same command on <your-other-domain-controller> we found that it was there in the deleted object container.

21) We went to <your-domain-controller> and we opened Adsiedit.msc and we found that object in the Lost and Found container and we went to the properties of “CN=Microsoft System Attendant\0ADEL:4b9b5f23-95a0-4f6c-86c6-25f0985c62b1,CN=Deleted Objects,CN=Configuration,DC=<your-domain>,DC=com” and found “proxyaddresses” there.

22) We removed all 1257 entries manually and forced replication from “<your-domain-controller>” and the information got replicated to all the DC’s and those multiple instances got removed from all other DC’s as well. And now when we ran repadmin /replsum we do not see any more errors.

Conclusion: After reviewing all the logs collected from your environment we’ve found that the issue was caused by “RightFax Software”, which stamped multiple “Proxyaddresses” on that object, and the reason why we cannot delete it from <your-domain-controller> is that the object is too big and the isdeleted flag wasn’t stamped on that object.

Related Articles:

- Windows Server 2003-based domain controllers show a decrease in performance when they process certain Active Directory objects: http://support.microsoft.com/default.aspx?scid=kb;EN-US;914036

0
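The case summary above located the problem object by reading an LDIFDE dump by hand. As an added example (not part of the original thread or the support case), the Python sketch below scans LDIF text and reports any entry whose attribute carries more values than a threshold; the function names, the constructed sample and the default threshold of 1000 are assumptions chosen for illustration.

```python
import base64
from collections import Counter

def parse_ldif(text):
    """Yield (dn, Counter of attribute -> number of values) per LDIF entry."""
    lines = []
    for raw in text.splitlines():
        # A line starting with one space continues (folds onto) the previous line.
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn, counts = None, Counter()
    for line in lines + [""]:            # trailing blank line flushes the last entry
        if not line.strip():
            if dn is not None:
                yield dn, counts
            dn, counts = None, Counter()
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):        # "attr:: <base64>", used for DNs with control chars
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            dn = value
        elif dn is not None:
            counts[attr.lower()] += 1

def oversized_attributes(text, threshold=1000):
    """Return [(dn, attribute, count)] for attributes above threshold, largest first.
    The threshold is an arbitrary review cut-off, not an Active Directory limit."""
    hits = [(dn, attr, n) for dn, counts in parse_ldif(text)
            for attr, n in counts.items() if n > threshold]
    return sorted(hits, key=lambda h: -h[2])

# Constructed sample: one normal entry and one deleted object with 1257 values.
BLOATED_DN = "CN=Bloated,CN=Deleted Objects,CN=Configuration,DC=example,DC=com"
SAMPLE = (
    "dn: CN=Healthy,CN=Configuration,DC=example,DC=com\n"
    "objectClass: top\nproxyAddresses: SMTP:a@example.com\n\n"
    f"dn: {BLOATED_DN}\n"
    + "".join(f"proxyAddresses: rfax:Constructed{i}@\n" for i in range(1257))
)

if __name__ == "__main__":
    for dn, attr, n in oversized_attributes(SAMPLE):
        print(f"{n:6d}  {attr}  {dn}")
```

Decode the dump to text before passing it in; ldifde writes ANSI by default and Unicode when run with -u.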


Question has a verified solution.
