NTDS replication warning with Event ID 1093
This article provides a solution to an NTDS warning event ID 1093.
Applies to: Windows Server 2012 R2
Original KB number: 2889671
Symptoms
When troubleshooting another issue, we found NTDS warning event ID 1093.
Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1093
Date: MM/DD/YYYY
Time: hh:mm:ss
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC02
Description:
Active Directory could not update the following object with attribute changes because the incoming change caused the object to exceed the maximum object record size. The incoming change to the following attribute will be reversed in an attempt to complete the update.Object:
CN=user01,OU=OU1,OU=OU2,OU=Users,DC=contoso,DC=com
Object GUID:
<GUID>
Attribute:
24 (userCertificate)The current value (without changes) of the attribute on this domain controller will replicate to all other domain controllers. This will counteract the change to the rest of the replicated forest. The reversal values may be recognized as follows:
Version:
10277
Time of change:
<DateTime>
Update sequence number:
614514713
For more information, see Help and Support Center athttps://go.microsoft.com/fwlink/events.asp
.
This warning event ID 1093 indicates that the incoming change will not be replicated on the current domain controller and it will be reversed. That is, the incoming updates on the related object will be aborted to complete the AD replication. This warning will not influence the AD replication.
Cause
The userCertificate attribute of the identified user (user01) holds a large number of certificates, which is exceeding the maximum object record size.
Resolution
To solve the issue, the unwanted certificates need to be removed from userCertificate attribute of the user object in Active Directory.
To identify which certificates are unwanted, you can refer to the method in the following section.
More information
You may use this method to export the user data of the user object who reach the maximum object size. Then identify the related certificates by the scripts and decide which unwanted certificates can be deleted from this user object.
Export the user data by running the command on one of the domain controllers: (output user_data.txt)
ldifde -f user_data.txt -d "distinguishedname of the problem user account" -p base
Prepare the script LDF2Certs.vbs with following contents:
Option explicit Const strVBSfile = "LDF2Certs.vbs" Const ForReading = 1 Const StatusLookingForStart = 0 Const StatusLookingForEnd = 1 Dim strLDFFile Call CommandParser() WScript.Echo "!Open the input LDF file " & strLDFFile Dim oFS Set oFS = CreateObject("Scripting.FileSystemObject") Dim objLDFFile Set objLDFFile = oFS.OpenTextFile(strLDFFile, ForReading, False) Dim strReadLine, lngStatus, objCertFile, lngCertNumber, strCertFile lngStatus = StatusLookingForStart lngCertNumber = 0 Do While objLDFFile.AtEndOfStream <> True strReadLine = objLDFFile.ReadLine If lngStatus = StatusLookingForEnd Then If Not IsNull(strReadLine) Then If InStr(strReadLine,":") > 0 Then objCertFile.Close Set objCertFile = Nothing lngCertNumber = lngCertNumber + 1 lngStatus = StatusLookingForStart Else objCertFile.Write strReadLine End If End If End If If lngStatus = StatusLookingForStart Then If Not IsNull(strReadLine) Then If InStr(strReadLine,"userCertificate::") > 0 Then WScript.Echo "!Found " & (lngCertNumber + 1) & " certificate" strCertFile = "Cert" & Right("0000" & CStr(lngCertNumber), 4) & ".cer" Set objCertFile = oFS.CreateTextFile(strCertFile, True, False) lngStatus = StatusLookingForEnd End If End If End If Loop objLDFFile.Close Set objLDFFile = Nothing Dim WshShell Set WshShell = WScript.CreateObject("WScript.Shell") Sub CommandParser()'Glable variables: strLDFFile If WScript.Arguments.Named.Exists("LDFFile") = True Then strLDFFile = WScript.Arguments.Named.Item("LDFFile") WScript.Echo "CommandParser: the LDF file name: " & strLDFFile Else Call ShowUsage() End If End Sub Sub ShowUsage() WScript.Echo " " WScript.Echo "Usage: CScript " & strVBSfile & " /LDFFile:<Input LDF file name, such as input.txt>" WScript.Quit End Sub
Prepare the script doit.bat with following commands:
cscript LDF2Certs.vbs /LDFFile:user_data.txt dir /B Cert*.* > listofcerts.txt FOR /F %%i IN (listofcerts.txt) DO echo %%i >> allcerts.txt && certutil -dump %%i >> allcerts.txt
Put two scripts (LDF2Certs.vbs and doit.bat) and the user data (user_data.txt) in the same folder and run script doit.bat. After running the script, text file allcerts.txt will be generated, which contains all the certificates in the user data with detailed information. Meanwhile, all the certificates will be dumped as .cer files in the same folder as well.
Note
It may take some time as there are lots of certificates need to be dumped.
You can identify the certificates with their text or UI format and decide with certificates can be removed from this user object.
Data collection
If you need assistance from Microsoft support, we recommend you collect the information by following the steps mentioned in Gather information by using TSS for Active Directory replication issues.
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for