Solved

Windows 2003 replication error

Posted on 2010-09-21
Last Modified: 2012-05-10
I am seeing errors with one particular domain controller (win2003)

DC=mydomain,DC=com
    yah\DC00 via RPC
        DSA object GUID: 8a784cb6-8b0f-4980-a0a8-8acf6593b5bb
        Last attempt @ 2010-09-21 16:40:33 failed, result 8304 (0x2070):
            The maximum size of an object has been exceeded.
        26911 consecutive failure(s).
        Last success @ 2010-09-03 13:51:27.
    mydomain\DC03 via RPC
        DSA object GUID: 99586208-7010-4a45-b287-260f64570904
        Last attempt @ 2010-09-21 16:41:10 failed, result 8304 (0x2070):
            The maximum size of an object has been exceeded.
        25176 consecutive failure(s).
        Last success @ 2010-09-03 13:51:37.



number of errors in the event log

why is this?
Question by:shankshank

Expert Comment

by:Mike Kline
what are the events you are seeing, is this only happening on one DC?

Accepted Solution

by:
rhinoceros earned 100 total points
>>Last attempt @ 2010-09-21 16:40:33 failed, result 8304 (0x2070):
>> The maximum size of an object has been exceeded.

I supposed "Windows Error 0x00002070 - 8304"
The maximum size of an object has been exceeded.
ERROR_DS_MAX_OBJ_SIZE_EXCEEDED

Active Directory KB 8304
http://kb.monitorware.com/kbeventdb-detail-id-4648.html

How To Fix Error 8304 - Error Code 0x2070
http://www.wmpub.com/error8304_errorcode0x2070.php
http://www.windows-error-repair.org/error-code/8304.html

Author Comment

by:shankshank
yeah only one DC is seeing this. it's strange.

Author Comment

by:shankshank
yeah definitely not replicating...

Author Comment

by:shankshank
Error value:
8304 The maximum size of an object has been exceeded.

Expert Comment

by:dmoecolorado
Any luck with this error ?

I am also experiencing it on 3 out of 15 Domain Controllers - the three are all members in the same AD site.

Author Comment

by:shankshank
i deleted some objects that were not replicating and that seemed to fix it..

Assisted Solution

by:dmoecolorado
dmoecolorado earned 400 total points
This was quite a process to clean this issue up.

As it turned out, our issue was ultimately caused by a third-party software's population of the "proxyaddresses" attribute of a particular AD object.

I have included the resolution in the hopes that this may provide assistance for someone in the future.

Thank you everyone for your input.

David

--------------------------------------

It was my pleasure to assist you during your issue “AD replication error :- (8304) The maximum size of an object has been exceeded "

Here is a summary of the key points of the case for your records.


PROBLEM:       AD replication error :- (8304) The maximum size of an object has been exceeded

RESOLUTION:
1)  Initially when the case was opened we were getting errors in Repadmin /replsum as “(8304) The maximum size of an object has been exceeded” for xxxxx Site.

2) When checked the replication part we found that we were getting errors for Configuration partition replication However we had issues with Domain partition replication as well.

3) We checked and found that we were getting event ID 2042 on all the domain controllers stating that the domain controllers were in Tombstoned state.

4) We created a Registry key on all the DC’s  as “Allow replication with divergent and corrupt partner” at HKEY- Local-machine\System\CurrentControlSet\Services\NTDS\Parameters

5) We forced the replication and we found that we started getting event ID’s 1566, 1311 and 1864 for KCC events.

6) When went through the entire topology we found that we had “Hub and Spoke Topology” where “xxxxx Site” being the Hub site but that wasn’t configured properly.

7) Hence we configured the Hub and Spoke topology correctly and we deleted all the KCC connection objects from on the DC’s from Active directory sites and services.

8) We ran repadmin /KCC * to create connection objects with all the domain controllers.

9) Now when we ran Repadmin /syncall /AePd to force the replication we got the same “8304 error” for configuration partition replication.

10) We took an LDIFDE dump of the configuration partition from <your-domain-controller> (bad server). To take that dump we ran: ldifde -f ldifde.ldf -d "CN=Configuration,DC=<your-domain>,DC=com".

11) We found that an object with DN path: CN=Microsoft System Attendant\0ADEL:4b9b5f23-95a0-4f6c-86c6-25f0985c62b1,CN=Deleted Objects,CN=Configuration,DC=<your-domain>,DC=com had an attribute named “ProxyAddresses” with multiple instances (up to 1257 in count) and was not getting removed, as it was in the Deleted Objects container but the “isDeleted” flag was not stamped on the attribute.
The attribute looked like:
proxyAddresses: RFAX:Microsoft System Attendant86588@
proxyAddresses: rfax:Microsoft System Attendant41572@
proxyAddresses: rfax:Microsoft System Attendant62092@
proxyAddresses: rfax:Microsoft System Attendant61108@
proxyAddresses: rfax:Microsoft System Attendant81626@
proxyAddresses: rfax:Microsoft System Attendant36610@
proxyAddresses: rfax:Microsoft System Attendant57130@
proxyAddresses: rfax:Microsoft System Attendant56146@
proxyAddresses: rfax:Microsoft System Attendant76664@
proxyAddresses: rfax:Microsoft System Attendant31648@
proxyAddresses: rfax:Microsoft System Attendant52168@
proxyAddresses: rfax:Microsoft System Attendant72686@
proxyAddresses: rfax:Microsoft System Attendant71702@
proxyAddresses: rfax:Microsoft System Attendant26686@
proxyAddresses: rfax:Microsoft System Attendant47206@
proxyAddresses: rfax:Microsoft System Attendant67724@
proxyAddresses: rfax:Microsoft System Attendant66742@

   
12) Hence It wasn’t getting removed. We tried changing the Isdeleted attribute for that object using LDP.exe tool but it failed with “constrained violation error” as it was deleted object container.

13) We also found that a few of the domain controllers don’t have the registry key named “Strict replication consistency” at HKEY-Local-machine\System\CurrentControlSet\Services\NTDS\Parameters.
Note:- “strict replication consistency” is the key that is responsible for protecting the domain controllers from replicating Lingering Objects.

14) Hence we created “strict Replication Consistency” on all the domain controllers.

15) Now when forced replication using repadmin /syncall /AePd we started getting “Event ID 1988” For lingering Objects.

16) Hence we  ran following command to get rid of lingering objects on all the domain controllers:

repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com

17)  Now we were not getting “Event ID 1988” anymore and Domain partition was getting replicated across the domain.

18)  But we were still getting event ID “8304 The maximum size of an object has been exceeded” when ran repadmin /replsum.

19) Hence we took the LDIFDE dump from <your-domain-controller> by running: ldifde -f good.ldf -s <your-domain-controller> -d "CN=Configuration,DC=<your-domain>,DC=com" -r (objectclass=exchangeadminservice) -x -p subtree -l "replpropertymetadata,objectguid,repluptodate" -1

20) From the output of the above command we found that the object with DN “CN=Microsoft System Attendant\0ADEL:4b9b5f23-95a0-4f6c-86c6-25f0985c62b1,CN=Deleted Objects,CN=Configuration,DC=<your-domain>,DC=com” was located in the Lost and Found container on <your-domain-controller>, whereas when we ran the same command on <your-other-domain-controller> we found that it was there in the Deleted Objects container.

21) We went to <your-domain-controller>, opened Adsiedit.msc and found that object in the Lost and Found container. We went to the properties of “CN=Microsoft System Attendant\0ADEL:4b9b5f23-95a0-4f6c-86c6-25f0985c62b1,CN=Deleted Objects,CN=Configuration,DC=<your-domain>,DC=com” and found “proxyaddresses” there.

22)  We removed all 1257 entries manually and forced replication from “<your-domain-controller>” and the information got replicated to all the Dc’s and those multiple instances got removed from all other Dc’s as well. And now when we ran repadmin /replsum we do not see any more errors.

Conclusion:- After reviewing all the logs collected from your environment we’ve found that the issue was caused by “RightFax Software” and that stamped multiple “Proxyaddresses” to that object and The reason why we cannot delete it from <your-domain-controller> is that the object is too big and isdeleted flag wasn’t stamped on that object.

Related Articles:-

- Windows Server 2003-based domain controllers show a decrease in performance when they process certain Active Directory objects: http://support.microsoft.com/default.aspx?scid=kb;EN-US;914036
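
Added example (not part of the original post or the support case): a way to find the kind of object described in steps 10 and 11 without reading the dump by eye, by counting values per attribute in an ldifde export. The function names, the DC=example,DC=com domain and the threshold of 500 are assumptions made for illustration; the sample LDIF is constructed.

```python
import base64
from collections import Counter

def parse_ldif(text):
    """Yield (dn, Counter{attribute: value count}) for each LDIF record."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continuation of previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn, counts = None, Counter()
    for line in lines + [""]:               # trailing "" flushes the last record
        if not line.strip():                # blank line ends a record
            if dn is not None:
                yield dn, counts
            dn, counts = None, Counter()
            continue
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        b64 = value.startswith(":")         # "attr:: ..." marks a base64 value
        value = value[1:].strip() if b64 else value.strip()
        if attr.lower() == "dn":
            dn = base64.b64decode(value).decode("utf-8", "replace") if b64 else value
        else:
            counts[attr.lower()] += 1

def oversized_attributes(text, threshold=500):
    """List (dn, attribute, count) where one attribute has more than threshold values.
    threshold is an assumed review cut-off, not a documented AD limit."""
    hits = [(dn, a, n) for dn, c in parse_ldif(text) for a, n in c.items() if n > threshold]
    return sorted(hits, key=lambda h: -h[2])

def build_sample():
    """Constructed LDIF: one normal object plus a deleted object with 1257 values."""
    # Deleted-object DNs contain a newline (the \0A in escaped form), so LDIF
    # stores them base64-encoded as "dn:: ..."; the line is folded here as well.
    dn = ("CN=Microsoft System Attendant\nDEL:4b9b5f23-95a0-4f6c-86c6-25f0985c62b1,"
          "CN=Deleted Objects,CN=Configuration,DC=example,DC=com")
    b64 = base64.b64encode(dn.encode()).decode()
    bad = ["dn:: " + b64[:60], " " + b64[60:], "changetype: add"]
    bad += ["proxyAddresses: rfax:Microsoft System Attendant%05d@" % i for i in range(1257)]
    ok = ["dn: CN=Sites,CN=Configuration,DC=example,DC=com", "changetype: add",
          "objectClass: top", "objectClass: sitesContainer"]
    return "\n".join(ok + [""] + bad) + "\n"

if __name__ == "__main__":
    for dn, attr, n in oversized_attributes(build_sample()):
        print(n, attr, repr(dn))
```

Run against a full partition dump, the largest counts sort first, so an object like the one in this case appears at the top of the output.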
