Solved

Windows 2003 Event ID 1093: Active Directory could not update object

Posted on 2013-05-11
Last Modified: 2013-05-17
Hello,
I have two DCs, both WIN2003 with SP2, and both are Global Catalogs.
They are working fine, except for a warning that started two months ago for a particular AD user:

USER1 is an object contained in OU=GLOBAL-USERS,OU=CAT1,OU=GROUP1
Domain is: mydomain.local

The warning that appears (but only on SERVER1, first DC) is the following:

Event Type:      Warning
Event Source:      NTDS Replication
Event Category:      Replication
Event ID:      1093
Date:            5/11/2013
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      SERVER1
Description:
Active Directory could not update the following object with attribute changes because the incoming change
caused the object to exceed the maximum object record size.
The incoming change to the following attribute will be reversed in an attempt to complete the update.
 
Object:
CN=USER1,OU=GROUP1,OU=CAT1,OU=GLOBAL-USERS,DC=mydomain,DC=local
Object GUID:
<GUID>
Attribute:
903b4 (mSMQDigests)
 
The current value (without changes) of the attribute on this domain controller will replicate to all other domain controllers.
This will counteract the change to the rest of the replicated forest. The reversal values may be recognized as follows:
Version:
1023
Time of change:
<datetime>
Update sequence number:
92233311

This happens at least once per day.

At the same time it is followed by Event ID 1101 which shows:

Active Directory updated the following object with attribute changes after reversing one or more of the failed attribute changes.

I haven't any other issues in the Directory Services event viewer, nor any problem with AD replication or KCC.

My concerns are:

1. Is the user object going to fail something in authentication?
2. Do I need to perform some low-level maintenance for this object?

All user objects inside OU=GLOBAL-USERS are not affected.

Any feedback is really appreciated. Thanks.
Question by:pablito70
2 Comments
 
Accepted Solution

by:
Rich Weissler earned 500 total points
ID: 39159924
It's only the single user object, right?
Does that user have an unusually large number of groups (or nested groups)?  I don't think you'd get THIS message... I think it's a warning about token size if the problem relates to excessive group membership.
Have you looked at that user with ADSIEdit yet?  It might be worth at least looking at this user object to see if anything leaps out at you.... whether someone has attached a lot of data to a particular field, etc.

Author Comment

by:pablito70
ID: 39161659
Yes, only this user is affected.
There are no excessive group memberships; it has the same membership as other similar users.

I will look inside with ADSIEdit.

Thanks
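
An added example, not part of the thread or either poster's code: a PowerShell version of the ADSIEdit inspection suggested in the accepted answer, ranking the object's attributes by value count and approximate size. It assumes PowerShell 2.0 or later, an account that can read the object, and the DN quoted in the event text; the byte counts are estimates, not the stored record size.

```powershell
# Added example (not from the thread). Lists every attribute set on one AD object,
# largest first, so an attribute carrying an unusual amount of data stands out.
# Assumption: PowerShell 2.0+, run from a domain-joined machine.
# The DN is the one quoted in the Event ID 1093 text.
$dn = 'CN=USER1,OU=GROUP1,OU=CAT1,OU=GLOBAL-USERS,DC=mydomain,DC=local'

$base     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dn")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
$searcher.SearchScope = 'Base'             # read only this object, not its children
$searcher.Filter      = '(objectClass=*)'
$result = $searcher.FindOne()
if ($result -eq $null) { throw "Object not found: $dn" }

$report = @()
foreach ($name in $result.Properties.PropertyNames) {
    $count = 0
    $bytes = 0
    foreach ($value in $result.Properties[$name]) {
        $count++
        if ($value -is [byte[]]) {
            $bytes += $value.Length        # binary (octet string) value
        } elseif ($value -is [string]) {
            $bytes += [System.Text.Encoding]::Unicode.GetByteCount($value)
        } else {
            $bytes += 8                    # integers and dates: rough fixed cost
        }
    }
    $report += New-Object PSObject -Property @{
        Attribute   = $name                # names come back lower-cased, e.g. msmqdigests
        Values      = $count
        ApproxBytes = $bytes
    }
}

# A name ending in ";range=..." means the server returned only part of a
# multi-valued attribute, so the real value count is higher than shown.
$report | Sort-Object ApproxBytes -Descending |
    Select-Object -First 15 Attribute, Values, ApproxBytes |
    Format-Table -AutoSize
```

Running the same script against an unaffected user in the same OU gives a baseline to compare against.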