When inbound replication of the Active Directory directory
service occurs, a destination domain controller that is running Microsoft
Windows 2000 Server or Microsoft Windows Server 2003 may log the following
event:
Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1084
Description:
Internal event: Active Directory could not update the following object with changes received
from the following source domain controller. This is because an error occurred during the
application of the changes to Active Directory on the domain controller.
Object: distinguished_name_path_of_object_that_failed_to_write_to_local_database
Object GUID: 32_character_alpha-numeric_object_GUID
Source domain controller: object_GUID_for_source_domain_controller's_NTDSDSA_object._msdcs.forest_root_domain
Synchronization of the local domain controller with the source domain controller is blocked until this update problem is corrected.
This operation will be tried again at the next scheduled replication.
User Action
Restart the local domain controller if this condition appears to be related to low system resources (for example, low physical or virtual memory).
Additional Data
Error value:
8409 A database error has occurred.
Destination domain controllers that are running Windows
Server 2003 Service Pack 1 (SP1) may also log the following event:
Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 2108
Description:
This event contains REPAIR PROCEDURES for the 1084 event which has previously been logged. This message indicates a specific issue with the consistency of the Active Directory database on this replication destination. A database error occurred while applying replicated changes to the following object. The database had unexpected contents, preventing the change from being made.
Object: distinguished_name_path_of_object_that_failed_to_write_to_local_database
Object GUID: 32_character_alpha-numeric_object_GUID
Source domain controller: object_GUID_for_source_domain_controller's_NTDSDSA_object._msdcs.forest_root_domain
To resolve this problem, follow these steps. Retry the
replication operation after each step that makes a change.
Make sure that sufficient free disk space is available on
the volumes that host the Active Directory database, and then retry the
operation. Follow these steps to free additional disk space:
Move unrelated files to another volume.
Perform a system state backup. This process reduces the
size of the transaction log files. For more information, click the following article
numbers to view the articles in the Microsoft Knowledge Base:
How to use the backup feature to back up and restore data in Windows Server 2003
Perform an offline defragmentation of Active
Directory. For more information, click the
following article number to view the article in the Microsoft Knowledge Base:
Performing offline defragmentation of the Active Directory database
Make sure that the physical drives that host the Ntds.dit
file and the transaction log files do not have NTFS file system compression
turned on. To confirm this, right-click the drive letter in My Computer, and
then make sure that the Compress drive to save disk space
check box is not selected.
Make sure that the physical drives that host the Ntds.dit
file and the transaction log files are specifically excluded from remote and
local antivirus programs. See your antivirus software documentation for more
information.
If the destination domain controller contains the global
catalog, and the error occurs in one of the read-only partitions, use one of
the following methods to help resolve the problem:
Method 1
Use the rehost option of the Repadmin.exe tool to rehost the
affected partition. The Repadmin.exe tool is included with Windows Server 2003
SP1. To do this, type the following at a command prompt, where
domain_controller is the name of the destination
domain controller, and
good_source_domain_controller_name is the name of
another domain controller:
Method 2
Configure the domain controller so that it is no longer a global catalog
server, wait until the read-only partitions have been removed from its local
database, and then select the Global Catalog check box again so that the
partitions are rebuilt from a healthy replica. To remove the global catalog,
follow these steps:
Click Start, point to
Administrative Tools, and then click Active Directory
Sites and Services.
Locate the
Default-First-Site-Name\Servers\domain_controller_name\NTDS
Settings subtree.
Right-click NTDS Settings, and then
click Properties.
Click to clear the Global Catalog
check box. Click OK.
Method 3
If the error occurs in an application directory partition, use the Ntdsutil.exe
tool to change the set of domain controllers that hold a replica of that
partition (remove the replica from the destination domain controller, and add
it back after the partition has been removed locally). For more information
about the Active Directory directory service maintenance utility
(Ntdsutil.exe), visit the following Microsoft Web site:
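The following is an added example (it is not part of the original article) showing Method 1 carried out with the Repadmin.exe rehost option, followed by the check a practitioner would want: a replication attempt from the good source, the per-partition status, and a look for any new 1084 or 2108 event. The host names, the partition distinguished name, and the use of the Directory Service event log for the check are assumptions for illustration.

```powershell
# Added example (not part of the original article): Method 1 with the
# Repadmin.exe rehost option, followed by a check that the 1084 condition has
# cleared. Host names and the partition DN are assumptions for illustration.
$Destination = 'DC02.contoso.com'                 # DC logging event 1084/2108
$GoodSource  = 'DC01.contoso.com'                 # healthy replica of the partition
$Partition   = 'DC=child,DC=contoso,DC=com'       # read-only partition named in the event
$started     = Get-Date

# /rehost drops the local copy of a read-only (global catalog) partition and
# re-replicates it from the named source. It is refused for writable partitions.
repadmin /rehost $Destination $Partition $GoodSource
if ($LASTEXITCODE -ne 0) { throw "repadmin /rehost failed (exit code $LASTEXITCODE)" }

# Pull the partition again from the good source and show per-partition status;
# the rehosted partition should report a successful last attempt, not error 8409.
repadmin /replicate $Destination $GoodSource $Partition
repadmin /showrepl $Destination

# Any 1084 or 2108 logged since the rehost means the update is still blocked.
$blocked = Get-EventLog -ComputerName $Destination -LogName 'Directory Service' -After $started |
    Where-Object { (1084, 2108) -contains $_.EventID }
if ($blocked) {
    $blocked | Format-List TimeGenerated, EventID, Message
    throw "Replication to $Destination is still blocked; use Method 2 or continue with the remaining steps."
}
"Rehost of $Partition on $Destination completed without a new 1084/2108 event."
```

Run it from a session that has the Windows Server 2003 SP1 (or later) Repadmin.exe on the path and Domain Admin rights on the destination domain controller.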
Use a file-monitoring utility, such as the Sysinternals FileMon utility (since
superseded by Process Monitor), to
determine if a program or a user is accessing the Active Directory database,
the transaction log files, or the Edb.tmp file. If file access activity exists,
stop the services that are responsible for the activity. For more information
about the FileMon utility, visit the following Sysinternals Web site:
Determine if the problem is related to the parent of the
Active Directory object on the destination domain controller. To do this,
follow these steps:
On the source domain controller, temporarily move the
object that is referenced in Event ID 1084 to an organizational unit (OU)
container. The OU must be unrelated to the current container. For example, move
the object to a new container off the root of the domain.
If replication is completed after you move the object,
move the object back to its original container.
Force the security descriptor propagator to rebuild the
object container ancestry in the database that exists on both the source and
destination domain controllers. To do this, follow these steps:
Make sure that the Windows Server 2003 Support
Tools are installed. The Support Tools are available on the Windows Server 2003
CD-ROM in the Support\Tools folder. Double-click the Suptools.msi file to
install the tools.
Click Start, click
Run, type ldp, and then click
OK.
Click Connection, click
Connect, and then type the name of the server that you want to
connect to. You will connect over port 389 for Active Directory.
Click Connection, click
Bind, and then type your administrative user name, password,
and domain. (You must use domain administrator or enterprise administrator
credentials.) Click OK.
On the Browse menu, click
Modify. Leave the DN text box blank (an empty DN addresses the rootDSE). In the
Attribute text box, type
FixUpInheritance. In the
Value text box, type Yes.
In the Operation area, click
Add.
Click Enter to populate the
Entry List area. [Add]fixupinheritance:yes
appears in the Entry List area.
Click Run. The right pane shows a
"Modified" status, and the security descriptor propagator starts. The runtime
for the security descriptor propagator depends on the size of the Active
Directory database. The process is complete when the DS Security
Descriptor Propagator Runtime Queue counter in the NTDS Performance object returns to
zero.
Click Close, click
Connection, and then click Exit.
For more information,
click the following article number to view the article in the Microsoft
Knowledge Base:
Manually initializing the SD propagator thread to evaluate inherited permissions for objects in Active Directory
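As an added example (not part of the original article), the same rootDSE write that the Ldp steps above perform can be issued from PowerShell against both the source and the destination domain controller, and the propagator's progress polled from the NTDS performance object. Assumptions: the domain controller names; that the session runs under Domain Admin or Enterprise Admin credentials; that the domain controller accepts the fixupInheritance modify as a Replace (which is what ADSI Put/SetInfo sends) as well as an Add; and the exact counter name, taken from the NTDS object as shown in Perfmon on Windows Server 2003 and 2008.

```powershell
# Added example (not part of the original article): the same rootDSE write that
# Ldp performs in the steps above, done from PowerShell against both the source
# and the destination DC, then polling the NTDS propagator queue until it drains.
# Assumptions: the DC names; that the session runs under Domain Admin or
# Enterprise Admin credentials; that the DC accepts the modify as a Replace
# (which is what ADSI Put/SetInfo sends) and not only as an Add; and the exact
# Perfmon counter name, taken from the NTDS object on Windows Server 2003/2008.
param([string[]]$Servers = @('DC01.contoso.com', 'DC02.contoso.com'))

$counter = '\NTDS\DS Security Descriptor Propagator Runtime Queue'

foreach ($server in $Servers) {
    # Writing fixupInheritance=yes to rootDSE queues a full SD propagation from
    # the domain root; SetInfo() throws if the DC rejects the modify.
    $rootDse = [ADSI]"LDAP://$server/RootDSE"
    $rootDse.Put('fixupInheritance', 'yes')
    $rootDse.SetInfo()
    "{0:u} SD propagator started on {1}" -f (Get-Date), $server

    # The runtime queue counts objects still waiting for the propagator; the
    # run is finished when it stays at zero. Larger databases take longer.
    do {
        Start-Sleep -Seconds 15
        $sample = Get-Counter -ComputerName $server -Counter $counter
        $queue  = [int]$sample.CounterSamples[0].CookedValue
        "{0:u} {1}: propagator queue = {2}" -f (Get-Date), $server, $queue
    } while ($queue -gt 0)
}
```

Remote Get-Counter needs the Performance Logs and Alerts firewall exception on the target; if that is not available, run the script locally on each domain controller with a single server name.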
On the source domain controller, type repadmin
/showmeta distinguished_name_path at a
command prompt (on the Windows Server 2003 SP1 Repadmin.exe, the command is
repadmin /showobjmeta domain_controller distinguished_name_path), and then view
the object metadata for the distinguished name
path that is referenced in Event ID 1084. Repeat this step on the destination
domain controller. Compare the two outputs and look for inconsistent values
that include, but are not limited to, the following:
Incorrect names and numbers of attributes that appear
on the object
Incorrect originating time or date stamps
Incorrect local update sequence numbers
(USN)
Local USNs are assigned per domain controller, so they are expected to differ
between the two outputs; the originating domain controller, originating USN,
time stamp, and version of each attribute should agree.
Incorrect values may indicate a problem with the database
page that hosts the object.
To use the Repadmin.exe tool when the
distinguished name path refers to a live object, type the following at a
command prompt:
If the object is in a deleted objects container or if you cannot
use the Repadmin.exe tool to find the object, use the object's GUID reference
to find the object. This GUID is referenced in Event ID 1084. To do this, type
the following at a command prompt:
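The comparison described above, as an added example that is not part of the original article: the script runs the Windows Server 2003 SP1 form of the command (repadmin /showobjmeta) against both domain controllers, parses the per-attribute rows, and reports every attribute whose originating metadata disagrees between the two replicas. The domain controller names and the object are assumptions, as is the column layout of the /showobjmeta output (Loc.USN, Originating DSA, Org.USN, Org.Time/Date, Ver, Attribute); the object parameter accepts either the distinguished name or the <GUID=...> form for an object that is deleted or cannot otherwise be found.

```powershell
# Added example (not part of the original article): fetch the replication
# metadata of the object from Event ID 1084 on both the source and the
# destination DC and list attributes whose originating metadata disagree.
# Assumptions: the DC names and object below, and the column layout printed by
# "repadmin /showobjmeta" on Windows Server 2003 SP1 and later
# (Loc.USN, Originating DSA, Org.USN, Org.Time/Date, Ver, Attribute).
param(
    [string]$SourceDC      = 'DC01.contoso.com',
    [string]$DestinationDC = 'DC02.contoso.com',
    # DN from the event; use '<GUID=...>' with the object GUID from the event
    # when the object is deleted or the DN cannot be found.
    [string]$Object        = 'CN=jsmith,OU=Sales,DC=contoso,DC=com'
)

function Get-ObjMeta([string]$Dc, [string]$Obj) {
    # One row per attribute; local USN first, then the originating values.
    $row  = '^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\S+\s+\S+)\s+(\d+)\s+(\S+)\s*$'
    $meta = @{}
    foreach ($line in (repadmin /showobjmeta $Dc $Obj)) {
        if ($line -match $row) {
            $meta[$Matches[6]] = [pscustomobject]@{
                LocalUsn        = [int64]$Matches[1]
                OriginatingDsa  = $Matches[2]
                OriginatingUsn  = [int64]$Matches[3]
                OriginatingTime = $Matches[4]
                Version         = [int]$Matches[5]
            }
        }
    }
    if ($meta.Count -eq 0) { throw "No metadata rows parsed from $Dc for $Obj; check the object and the output-format assumption" }
    return $meta
}

$src = Get-ObjMeta $SourceDC $Object
$dst = Get-ObjMeta $DestinationDC $Object

# Only the local USN may differ between replicas. A higher version on the source
# for one attribute is the blocked update itself; an attribute missing on one
# side, a lower version on the source, or a nonsense time stamp points at the
# database page that holds the object.
foreach ($attr in (@($src.Keys) + @($dst.Keys) | Sort-Object -Unique)) {
    if (-not $src.ContainsKey($attr)) { "$attr : present only on $DestinationDC"; continue }
    if (-not $dst.ContainsKey($attr)) { "$attr : present only on $SourceDC"; continue }
    foreach ($field in 'OriginatingDsa', 'OriginatingUsn', 'OriginatingTime', 'Version') {
        $s = $src[$attr].$field; $d = $dst[$attr].$field
        if ($s -ne $d) { "$attr : $field differs (source=$s, destination=$d)" }
    }
}
```

Run it from a workstation or member server that has Repadmin.exe on the path and can reach both domain controllers; an empty result means the two replicas agree on every originating value, and the problem is more likely in the page itself than in the object's metadata.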
Obtain the most recent Ntdsutil.exe tool by installing the
latest service pack for your operating system. Use the Ntdsutil.exe tool to
perform an integrity check of the Active Directory database on the source
domain controller.
Before you start the computer in Directory Services
Restore Mode, obtain the password for the offline administrator account. If you
do not know the administrator account password, reset the Directory Services
Restore Mode password before you start in this mode. On domain controllers that
are running Windows 2000 Service Pack 2 (SP2) and later, use the Setpwd.exe command. The Setpwd.exe command is located in the %Systemroot%\System32 folder. On
Windows Server 2003-based domain controllers, use the Ntdsutil Set Directory Services Restore Mode Password command. For more information about Directory Services Restore
Mode, click the following article number to view the article in the Microsoft
Knowledge Base:
"Directory Services cannot start" error message when you start your Windows-based or SBS-based domain controller
For more information
about how to change the password in Windows 2000 Server, click the following
article number to view the article in the Microsoft Knowledge Base:
How to change the Recovery Console administrator password on a domain controller
For more information about how to change the password in
Windows Server 2003, click the following article number to view the article in
the Microsoft Knowledge Base:
How to reset the Directory Services Restore Mode administrator account password in Windows Server 2003
Restart the source domain controller, and then press F8 to
start Directory Services Restore Mode. At the command prompt, type
ntdsutil files integrity, and then press ENTER. This
command confirms the integrity of the database.
If the Ntdsutil tool reports that the database is
corrupted, and you have replicas of the naming contexts on the source domain
controller, force a demotion of the source domain controller, and then
re-promote it after you verify the integrity of the drivers, the firmware, and
the physical drives that host the Active Directory database and the transaction
log files.
If the database is corrupted, and no replicas of the
naming context on the source domain controller exist, restore the newest system
state. Use the NTDSutil.exe tool to confirm the integrity of the database
again. If you still receive a corruption message, restore older backups until
you can confirm the integrity of the domain controller.
If the database is still corrupted, restore the most
recent system state backup, and then, at a command prompt, type:
ntdsutil files recover
Use the NTDSutil.exe tool to confirm the integrity of the database
again. If the database passes the integrity check, perform an offline
defragmentation of the Active Directory database.
For more information, click the
following article number to view the article in the Microsoft Knowledge Base:
Performing offline defragmentation of the Active Directory Database
To perform an integrity check of the database, type
the following at a command prompt, and then press ENTER, where
database_name is the name of the Active Directory
database:
esentutl.exe /g database_name
Finally, use the Start Windows Normally option to restart the
computer, and then retry replication from the source domain controller to the
affected destination domain controller. If the database fails the integrity
check, the domain controller must be discontinued. You use the Active Directory
Migration Tool (ADMT) to migrate objects. You can also use the Ldifde.exe and
Csvde.exe tools to export objects that you will import to a new destination
domain controller. For more information about how
to use the ADMT, click the following article numbers to view the articles in
the Microsoft Knowledge Base:
How to use Active Directory Migration Tool Version 2 to migrate from Windows 2000 to Windows Server 2003
For more information about
how to use the Ldifde.exe and Csvde.exe tools, click the following article
numbers to view the articles in the Microsoft Knowledge Base:
The new command-line tools for Active Directory in Windows Server 2003
If these steps do not succeed, and the replication error
continues, demote the domain controller, confirm the integrity of the physical
drives and the volumes that host the Ntds.dit file and the disk subsystem, and
then promote the domain controller again. Use the same computer
name.
Use the ntdsutil files compact command to perform an offline defragmentation of the Active
Directory database. For more information, click the following article number
to view the article in the Microsoft Knowledge Base:
Performing offline defragmentation of the Active Directory Database
At the command prompt, type ntdsutil "semantic
database analysis" "go", and then press ENTER.
Note The quotation marks in this example are required to run the
semantic database analysis command by using a single command line argument.
If errors are reported, type go fixup at the semantic checker prompt
(the Ntdsutil prompt that you are left at after the previous command), and then press ENTER.
Note The semantic database commands do not perform lossy repairs on
Active Directory databases like the pre-Windows Server 2003 Service Pack 1 Ntdsutil File Repair or Esentutl /p commands.
Microsoft
provides third-party contact information to help you find technical support.
This contact information may change without notice. Microsoft does not
guarantee the accuracy of this third-party contact information.