Solved

Windows 2003 replication error

Posted on 2010-09-21
Last Modified: 2012-05-10
I am seeing errors with one particular domain controller (win2003)

DC=mydomain,DC=com
    yah\DC00 via RPC
        DSA object GUID: 8a784cb6-8b0f-4980-a0a8-8acf6593b5bb
        Last attempt @ 2010-09-21 16:40:33 failed, result 8304 (0x2070):
            The maximum size of an object has been exceeded.
        26911 consecutive failure(s).
        Last success @ 2010-09-03 13:51:27.
    mydomain\DC03 via RPC
        DSA object GUID: 99586208-7010-4a45-b287-260f64570904
        Last attempt @ 2010-09-21 16:41:10 failed, result 8304 (0x2070):
            The maximum size of an object has been exceeded.
        25176 consecutive failure(s).
        Last success @ 2010-09-03 13:51:37.



number of errors in the event log

why is this?
Question by:shankshank
8 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33730482
what are the events you are seeing, is this only happening on one DC?
0
 
LVL 13

Accepted Solution

by:
rhinoceros earned 100 total points
ID: 33731165
>>Last attempt @ 2010-09-21 16:40:33 failed, result 8304 (0x2070):
>> The maximum size of an object has been exceeded.

I supposed "Windows Error 0x00002070 - 8304"
The maximum size of an object has been exceeded.
ERROR_DS_MAX_OBJ_SIZE_EXCEEDED

Active Directory KB 8304
http://kb.monitorware.com/kbeventdb-detail-id-4648.html

How To Fix Error 8304 - Error Code 0x2070
http://www.wmpub.com/error8304_errorcode0x2070.php
http://www.windows-error-repair.org/error-code/8304.html
0
 
LVL 5

Author Comment

by:shankshank
ID: 33737873
yeah only one DC is seeing this. it's strange.
0
 
LVL 5

Author Comment

by:shankshank
ID: 33773642
yeah definitely not replicating...
0
 
LVL 5

Author Comment

by:shankshank
ID: 33773663
Error value:
8304 The maximum size of an object has been exceeded.
0
 

Expert Comment

by:dmoecolorado
ID: 34062275
Any luck with this error ?

I am also experiencing it on 3 out of 15 Domain Controllers - the three are all members in the same AD site.
0
 
LVL 5

Author Comment

by:shankshank
ID: 34167621
i deleted some objects that were not replicating and that seemed to fix it..
0
 

Assisted Solution

by:dmoecolorado
dmoecolorado earned 400 total points
ID: 34483600
This was quite a process to clean this issue up.

As it turned out, our issue was ultimately caused by a third-party software's population of the "proxyaddresses" attribute of a particular AD object.

I have included the resolution in the hopes that this may provide assistance for someone in the future.

Thank you everyone for your input.

David

--------------------------------------

It was my pleasure to assist you during your issue “AD replication error :- (8304) The maximum size of an object has been exceeded”

Here is a summary of the key points of the case for your records.


PROBLEM:       AD replication error :- (8304) The maximum size of an object has been exceeded

RESOLUTION:
1)  Initially when the case was opened we were getting errors in Repadmin /replsum as “(8304) The maximum size of an object has been exceeded” for xxxxx Site.

2) When we checked the replication part we found that we were getting errors for Configuration partition replication; however, we had issues with Domain partition replication as well.

3) We checked and found that we were getting event ID 2042 on all the domain controllers stating that the domain controllers were in Tombstoned state.

4) We created a Registry key on all the DCs as “Allow replication with divergent and corrupt partner” at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

5) We forced the replication and we found that we started getting event IDs 1566, 1311 and 1864 for KCC events.

6) When we went through the entire topology we found that we had a “Hub and Spoke Topology” with “xxxxx Site” being the Hub site, but that wasn’t configured properly.

7) Hence we configured the Hub and Spoke topology correctly and we deleted all the KCC connection objects on the DCs from Active Directory Sites and Services.

8) We ran repadmin /KCC * to create connection objects with all the domain controllers.

9) Now when we ran Repadmin /syncall /AePd to force the replication we got the same “8304 error” for configuration partition replication.

10) We took an LDIFDE dump of the configuration partition from <your-domain-controller> (bad server). In order to take that dump we ran: ldifde -f ldifde.ldf -d "CN=Configuration,DC=<your-domain>,DC=com"

11) We found that an object with DN path: CN=Microsoft System Attendant\0ADEL:4b9b5f23-95a0-4f6c-86c6-25f0985c62b1,CN=Deleted Objects,CN=Configuration,DC=<your-domain>,DC=com had an attribute named “ProxyAddresses” with multiple instances (up to 1257 in count) and was not getting removed, as it was in the Deleted Objects container but the “ISdeleted” flag was not stamped on the attribute.
The attribute looked like:-
proxyAddresses: RFAX:Microsoft System Attendant86588@
proxyAddresses: rfax:Microsoft System Attendant41572@
proxyAddresses: rfax:Microsoft System Attendant62092@
proxyAddresses: rfax:Microsoft System Attendant61108@
proxyAddresses: rfax:Microsoft System Attendant81626@
proxyAddresses: rfax:Microsoft System Attendant36610@
proxyAddresses: rfax:Microsoft System Attendant57130@
proxyAddresses: rfax:Microsoft System Attendant56146@
proxyAddresses: rfax:Microsoft System Attendant76664@
proxyAddresses: rfax:Microsoft System Attendant31648@
proxyAddresses: rfax:Microsoft System Attendant52168@
proxyAddresses: rfax:Microsoft System Attendant72686@
proxyAddresses: rfax:Microsoft System Attendant71702@
proxyAddresses: rfax:Microsoft System Attendant26686@
proxyAddresses: rfax:Microsoft System Attendant47206@
proxyAddresses: rfax:Microsoft System Attendant67724@
proxyAddresses: rfax:Microsoft System Attendant66742@

   
12) Hence it wasn’t getting removed. We tried changing the Isdeleted attribute for that object using the LDP.exe tool but it failed with “constrained violation error” as it was in the deleted objects container.

13) We also found that a few of the domain controllers don’t have the registry key named “Strict replication consistency” at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters.
Note:- “strict replication consistency” is the key that is responsible for protecting the domain controllers from replicating Lingering Objects.

14) Hence we created “strict Replication Consistency” on all the domain controllers.

15) Now when we forced replication using repadmin /syncall /AePd we started getting “Event ID 1988” for lingering objects.

16) Hence we ran the following command to get rid of lingering objects on all the domain controllers:

repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com
repadmin /removelingeringobjects <your-domain-controller> 577cb7ed-58e2-48b7-aab9-3ced1387657a CN=Configuration,DC=<your-domain>,DC=com

17)  Now we were not getting “Event ID 1988” anymore and Domain partition was getting replicated across the domain.

18)  But we were still getting event ID “8304 The maximum size of an object has been exceeded” when we ran repadmin /replsum.

19)  Hence we took the LDIFDE dump from <your-domain-controller> by running: ldifde -f good.ldf -s <your-domain-controller> -d "CN=Configuration,DC=<your-domain>,DC=com" -r (objectclass=exchangeadminservice) -x -p subtree -l "replpropertymetadata,objectguid,repluptodate" -1

20) From the output of the above command we found that the object with DN “CN=Microsoft System Attendant\0ADEL:4b9b5f23-95a0-4f6c-86c6-25f0985c62b1,CN=Deleted Objects,CN=Configuration,DC=<your-domain>,DC=com” was located in the Lost and Found container on <your-domain-controller>, whereas when we ran the same command on <your-other-domain-controller> we found that it was there in the deleted objects container.

21)  We went to <your-domain-controller>, opened Adsiedit.msc, found that object in the Lost and Found container, went to the properties of “CN=Microsoft System Attendant\0ADEL:4b9b5f23-95a0-4f6c-86c6-25f0985c62b1,CN=Deleted Objects,CN=Configuration,DC=<your-domain>,DC=com” and found “proxyaddresses” there.

22)  We removed all 1257 entries manually and forced replication from “<your-domain-controller>”, and the information got replicated to all the DCs and those multiple instances got removed from all other DCs as well. And now when we ran repadmin /replsum we do not see any more errors.

Conclusion:- After reviewing all the logs collected from your environment we’ve found that the issue was caused by “RightFax Software”, which stamped multiple “Proxyaddresses” on that object, and the reason why we cannot delete it from <your-domain-controller> is that the object is too big and the isdeleted flag wasn’t stamped on that object.

Related Articles:-

Windows Server 2003-based domain controllers show a decrease in performance when they process certain Active Directory objects: http://support.microsoft.com/default.aspx?scid=kb;EN-US;914036

0
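Steps 10, 11 and 19 of the summary above located the oversized object by reading LDIFDE dumps by hand. As an added example (not part of the original thread or the support case), the Python below parses an LDIF export and reports every object with an attribute holding more values than a threshold, and whether that object sits under Deleted Objects without isDeleted set. The `max_values` default of 500 and all names in the constructed sample are assumptions.

```python
import base64
from collections import Counter

def parse_ldif(text):
    """Return [(dn, [(attr, value), ...])]; handles folded lines and base64 values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical and logical[-1].strip():
            logical[-1] += raw[1:]              # continuation of a folded line
        else:
            logical.append(raw)
    records, dn, attrs = [], None, []
    for line in logical + [""]:                 # trailing "" flushes the last record
        if not line.strip():
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, []
            continue
        name, sep, rest = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        value = rest.strip()
        if rest.startswith(":"):                # "attr:: <base64>", e.g. a DN with \n
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        if name.lower() == "dn":
            dn = value
        elif dn is not None and name.lower() != "changetype":
            attrs.append((name.lower(), value))
    return records

def oversized_attributes(text, max_values=500):  # threshold is an assumed default
    findings = []
    for dn, attrs in parse_ldif(text):
        for name, n in Counter(a for a, _ in attrs).items():
            if n > max_values:
                findings.append({"dn": dn, "attribute": name, "values": n,
                    "bytes": sum(len(v.encode()) for a, v in attrs if a == name),
                    "in_deleted_objects": "cn=deleted objects," in dn.lower(),
                    "isdeleted_set": ("isdeleted", "TRUE") in [(a, v.upper()) for a, v in attrs]})
    return findings

def build_sample(n=1257):  # constructed dump, not data from the page
    bad_dn = "CN=Example Attendant\nDEL:0000,CN=Deleted Objects,CN=Configuration,DC=example,DC=com"
    lines = ["dn:: " + base64.b64encode(bad_dn.encode()).decode(), "changetype: add"]
    lines += [f"proxyAddresses: rfax:Example Attendant{i:05d}@" for i in range(n)]
    lines += ["", "dn: CN=Ok,CN=Configuration,DC=example,DC=com", "description: fol", " ded"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(oversized_attributes(build_sample()))
```

Running the same check against dumps taken from two domain controllers shows whether the value count and container differ between replicas, which is the comparison steps 19 and 20 made manually.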
