Article ID: 907462
You are running or managing applications that use information from the Active Directory directory service in Microsoft Windows Server 2003 or in Microsoft Windows 2000 Server. You may receive errors when the applications use information for linked attributes. For example, you may receive the following error:
The directory datatype cannot be converted to / from a native DS datatype.
In this case, when you dump the affected object by using the LDIFDE utility (Ldifde.exe), an attribute is listed. However, the attribute has no value.
The next line in the output has the next attribute. For a group and its managedBy attribute, the output may look similar to the following:
showInAddressBook: <Address Book object DN>
legacyExchangeDN: <X500 name>
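The symptom described above, an attribute name listed with no value in an Ldifde.exe dump, can be checked for automatically. The following is an added example, not part of the original article or of any Microsoft tool; the function names, the sample export, and the DNs in it are constructed for illustration.

```python
import base64
def parse_ldif(text):
    """Yield (dn, [(attr, value), ...]) for each record in an LDIF export."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and raw.strip() and lines:
            lines[-1] += raw[1:]          # folded line: continuation of the previous one
        elif not raw.startswith("#"):     # skip comment lines
            lines.append(raw)
    lines.append("")                      # sentinel blank line flushes the last record
    dn, attrs = None, []
    for line in lines:
        if not line.strip():              # blank line ends a record
            if dn is not None:
                yield dn, attrs
            dn, attrs = None, []
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue                      # e.g. "-" separators in modify records
        if rest.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.append((name, value))

def find_empty_attributes(text, only=None):
    """Return [(dn, attr)] for attributes that are listed with no value."""
    wanted = {a.lower() for a in only} if only else None
    return [(dn, name)
            for dn, attrs in parse_ldif(text)
            for name, value in attrs
            if value == "" and (wanted is None or name.lower() in wanted)]

# Constructed sample export (not real data): the first group shows the symptom.
SAMPLE = """\
dn: CN=Sales Team,OU=Groups,DC=example,DC=com
objectClass: group
managedBy:
showInAddressBook: CN=All Groups,CN=All Address Lists,CN=Address Lists Container,
 CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com
legacyExchangeDN: /o=Example/ou=First Administrative Group/cn=Recipients/cn=SalesTeam

dn: CN=Support Team,OU=Groups,DC=example,DC=com
managedBy: CN=Alice Admin,OU=Users,DC=example,DC=com
"""
```

Calling `find_empty_attributes` on the text of an export returns the DN and attribute name of every object that shows the empty-value symptom; the optional `only` argument limits the check to attributes of interest such as managedBy.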
An application can add an object link that refers to the internal root object of the Active Directory database in the following operating systems:
If you use domain controllers that are running Windows Server 2003 with Service Pack 1, the problem does not occur.
You cannot solve the problem by deleting the attribute. If you remove the attribute, the following error will be logged in the Application event log:
Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1694
Active Directory could not update the following object with an attribute value change received from the following source domain controller. This is because an error occurred during the application of the changes to Active Directory on the local domain controller.
Source domain controller:
<GUID-based DC name>
Attribute value GUID:
This operation will be tried again at the next scheduled replication. The synchronization of the local domain controller with the source domain controller is blocked until the update problem is corrected.
The replication system encountered an internal error.
If this error is logged, the object is in a broken state. The only way to return the object to its original state, or to delete the object, is to run an authoritative restore on the object. To repair objects that exhibit this behavior, we recommend that you delete and rebuild the object by using the LDIFDE utility.
Caution: All back-links are removed when you delete an object.
If you have to keep certain attributes that you cannot set the value on, such as the objectSid attribute or the SidHistory attribute, delete and then undelete the object. (Windows Server 2003 Service Pack 1 retains the SidHistory attribute when you delete an object.) When you delete and undelete an object, you do not have to run a semantic checker.
However, no tools currently exist to recover the attributes and the back-links. To restore group memberships, you can use the Groupadd.exe tool. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
840001 (http://support.microsoft.com/kb/840001/) How to restore deleted user accounts and their group memberships in Active Directory
If you use the Microsoft Provisioning System, you can use the system to recover the attributes and the back-links.
Some backup and recovery applications may offer a more convenient way of removing these problematic attributes. The application must let you select attributes during a restore operation. For example, an application must let you exclude the managedBy attribute when you restore a deleted object.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Microsoft Windows Server 2003 Service Pack 1.
Article ID: 907462 - Last Review: November 1, 2006 - Revision: 1.3