Solved

Windows 2003 Event ID 1093: Active Directory could not update object

Posted on 2013-05-11
2
1,316 Views
Last Modified: 2013-05-17
Hello,
I've two DCs, both WIN2003 with SP2 and they are Global Catalog.
They are working fine, except for a warning started two months ago for a particular AD user:

USER1 is an object contained in OU=GLOBAL-USERS,OU=CAT1,OU=GROUP1
Domain is: mydomain.local

The warning that appears (but only on SERVER1, first DC) is the following:

Event Type:      Warning
Event Source:      NTDS Replication
Event Category:      Replication
Event ID:      1093
Date:            5/11/2013
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      SERVER1
Description:
Active Directory could not update the following object with attribute changes because the incoming change
caused the object to exceed the maximum object record size.
The incoming change to the following attribute will be reversed in an attempt to complete the update.
 
Object:
CN=USER1,OU=GROUP1,OU=CAT1,OU=GLOBAL-USERS,DC=mydomain,DC=local
Object GUID:
<GUID>
Attribute:
903b4 (mSMQDigests)
 
The current value (without changes) of the attribute on this domain controller will replicate to all other domain controllers.
This will counteract the change to the rest of the replicated forest. The reversal values may be recognized as follows:
Version:
1023
Time of change:
<datetime>
Update sequence number:
92233311

This happens at least one time per day.

At the same time it is followed by Event ID 1101 which shows:

Active Directory updated the following object with attribute changes after reversing one or more of the failed attribute changes.

I havent any other issues on Directory Services event viewer, nor any problem on AD replication or KCC.

My concerns are:

1. is the user object going to fails something in authentication ?
2. do I need to perform some low level maintenance for this object ?

All user objects inside OU=GLOBAL-USERS are not affected.

Any feedback is really appreciated. Thanks.
0
Comment
Question by:pablito70
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 30

Accepted Solution

by:
Rich Weissler earned 500 total points
ID: 39159924
It's only the single user object, right?
Does that user have an unusually large number of groups (or nested groups)?  I don't think you'd get THIS message... I think it's a warning about token size if the problem relates to excessive group membership.
Have you looked at that user with ADSIEdit yet?  It might be worth at least looking at this user object to see if anything leaps out at you.... whether someone has attached a lot of data to a particular field, etc.
0
 
LVL 2

Author Comment

by:pablito70
ID: 39161659
Yes only this user is affected.
There is no excessive member groups; it has same membership of similar other users.

I will look inside to ADSIedit.

Thanks
0

Featured Post

MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question