?
Solved

Windows 2003 Event ID 1093: Active Directory could not update object

Posted on 2013-05-11
2
Medium Priority
?
1,336 Views
Last Modified: 2013-05-17
Hello,
I've two DCs, both WIN2003 with SP2 and they are Global Catalog.
They are working fine, except for a warning started two months ago for a particular AD user:

USER1 is an object contained in OU=GLOBAL-USERS,OU=CAT1,OU=GROUP1
Domain is: mydomain.local

The warning that appears (but only on SERVER1, first DC) is the following:

Event Type:      Warning
Event Source:      NTDS Replication
Event Category:      Replication
Event ID:      1093
Date:            5/11/2013
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      SERVER1
Description:
Active Directory could not update the following object with attribute changes because the incoming change
caused the object to exceed the maximum object record size.
The incoming change to the following attribute will be reversed in an attempt to complete the update.
 
Object:
CN=USER1,OU=GROUP1,OU=CAT1,OU=GLOBAL-USERS,DC=mydomain,DC=local
Object GUID:
<GUID>
Attribute:
903b4 (mSMQDigests)
 
The current value (without changes) of the attribute on this domain controller will replicate to all other domain controllers.
This will counteract the change to the rest of the replicated forest. The reversal values may be recognized as follows:
Version:
1023
Time of change:
<datetime>
Update sequence number:
92233311

This happens at least one time per day.

At the same time it is followed by Event ID 1101 which shows:

Active Directory updated the following object with attribute changes after reversing one or more of the failed attribute changes.

I havent any other issues on Directory Services event viewer, nor any problem on AD replication or KCC.

My concerns are:

1. is the user object going to fails something in authentication ?
2. do I need to perform some low level maintenance for this object ?

All user objects inside OU=GLOBAL-USERS are not affected.

Any feedback is really appreciated. Thanks.
0
Comment
Question by:pablito70
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 30

Accepted Solution

by:
Rich Weissler earned 2000 total points
ID: 39159924
It's only the single user object, right?
Does that user have an unusually large number of groups (or nested groups)?  I don't think you'd get THIS message... I think it's a warning about token size if the problem relates to excessive group membership.
Have you looked at that user with ADSIEdit yet?  It might be worth at least looking at this user object to see if anything leaps out at you.... whether someone has attached a lot of data to a particular field, etc.
0
 
LVL 2

Author Comment

by:pablito70
ID: 39161659
Yes only this user is affected.
There is no excessive member groups; it has same membership of similar other users.

I will look inside to ADSIedit.

Thanks
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question