This may be the expected behavior when the value is long. But the next line in the output has the next attribute. For a group and its managedBy attribute, the output may resemble the following:
showInAddressBook: <Address Book object DN>
legacyExchangeDN: <X500 name>
In a database dump with the RootDSE command verb dumpdatabase, the affected groups will be shown as follows:
objectclass: 655368, 65536
DNT Base BDNT DelTime DeactiveTime USNChanged NCDNT Data 38661 1 38662 - - 55247898 1790 -
38661 36 2 - - - - -
The link attribute ID is always 36, and the link partner is always 2.
For information about how to dump the database, see How to Use the Online Dbdump feature of Active Directory.
- Windows 2000 Server with all service packs
- Windows Server 2003 without Service Pack 1
38661 36 2 - - - - -
Windows Server 2003:
You cannot resolve the problem by deleting the attribute. If you delete the attribute, the following error is logged in the Application Directory Services log:
Event Source:NTDS Replication
Active Directory could not update the following object with an attribute value change received from the following source domain controller. This is because an error occurred during the application of the changes to Active Directory on the local domain controller.
Source domain controller:
<GUID-based DC name>
Attribute value GUID:
This operation will be tried again at the next scheduled replication. The synchronization of the local domain controller with the source domain controller is blocked until the update problem is corrected.
The replication system encountered an internal error.
Caution All back-links are removed when you delete an object.
If you have to keep certain attributes that you cannot set the value on, such as the objectSid attribute or the SidHistory attribute, delete and then undelete the object. (Windows Server 2003 Service Pack 1 retains the SidHistory attribute on when you delete an object.) When you delete and undelete an object, you do not have to run a semantic checker.
However, no tools currently exist to recover the attributes and the back-links. To restore group memberships, you can use the Groupadd.exe tool. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
If you use the Microsoft Provisioning System, you can use the system to recover the attributes and the back-links.
Some backup and recovery applications may offer a more convenient way of removing these problematic attributes. The application must let you select attributes during a restore operation. For example, an application must let you exclude the managedBy attribute when you restore a deleted object.
Article ID: 907462 - Last Review: Mar 31, 2017 - Revision: 21