You are running or managing applications that use information from the Active Directory directory service in Microsoft Windows Server 2003 or in Microsoft Windows 2000 Server. You may receive errors when the applications read linked attributes. For example, you may receive the following error:
The directory datatype cannot be converted to / from a native DS datatype.
In this case, when you dump the affected object by using the LDIFDE utility (Ldifde.exe), the affected attribute is listed, but it has no value: the next line of the output is already the next attribute. For a group, for example, the output shows the managedBy attribute with nothing after the colon.
An application can add an object link that refers to the internal root object of the Active Directory database in the following operating systems:
Windows Server 2003 without Service Pack 1
Windows 2000 Server
Windows 2000 Server with all service packs
This internal root object has no name and no other properties that applications can use. Therefore, client applications display error messages that do not indicate the cause of the problem.
If your domain controllers are running Windows Server 2003 with Service Pack 1, the problem does not occur.
You cannot solve the problem by removing the attribute from the affected object. If you remove the attribute value, the change fails to replicate, and the following error is logged in the Application event log on the replication partners:
Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1694
Description: Active Directory could not update the following object with an attribute value change received from the following source domain controller. This is because an error occurred during the application of the changes to Active Directory on the local domain controller.
This operation will be tried again at the next scheduled replication. The synchronization of the local domain controller with the source domain controller is blocked until the update problem is corrected.
Additional Data
Error value: The replication system encountered an internal error.
If this error is logged, the object is in a broken state, and the only way to return it to its original state or to delete it is an authoritative restore of the object. For objects that only exhibit the symptom (the linked attribute is listed without a value), we recommend that you delete the object and rebuild it by using the LDIFDE utility instead of clearing the attribute.
Caution All back-links are removed when you delete an object.
If you have to keep attributes whose value you cannot set on a new object, such as the objectSid attribute or the sIDHistory attribute, delete and then undelete the object instead of rebuilding it. (Windows Server 2003 Service Pack 1 retains the sIDHistory attribute when you delete an object.) When you delete and undelete an object, you do not have to run a semantic database check afterward.
However, no tools currently exist to recover the attributes and the back-links. To restore group memberships, you can use the Groupadd.exe tool. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
840001 How to restore deleted user accounts and their group memberships in Active Directory
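The following script is an added example and is not part of the Knowledge Base article or of any Microsoft tool. It shows, on a constructed LDIFDE export of a group, how to find the symptom described above (an attribute listed with no value), how to generate the LDIFDE import file for the recommended delete-and-rebuild repair (omitting the broken link and the attributes the directory owns), and what the undelete modify for the delete-and-undelete alternative looks like. The sample object, the base64 values, and the list of attributes stripped on re-add are assumptions made for the example; the undelete LDIF is the modify that a tombstone-reanimation client such as Ldp.exe submits, and how your client sends it (and whether it must add the Show Deleted Objects control) is outside the example.

```python
"""Triage an LDIFDE export for a linked attribute that points at the
internal root object (it shows up as an attribute name with no value) and
generate the LDIF needed to repair the object.

Added example; not code from the Microsoft KB article.  The export below
is constructed, and SYSTEM_ATTRIBUTES is an assumption about which
attributes an LDAP add is not allowed to carry.
"""
import re

# Constructed LDIFDE-style export of a group whose managedBy link is broken:
# note the "managedBy:" line with nothing after the colon.
SAMPLE_EXPORT = """\
dn: CN=Finance Admins,OU=Groups,DC=corp,DC=example
changetype: add
objectClass: top
objectClass: group
cn: Finance Admins
sAMAccountName: Finance Admins
groupType: -2147483646
managedBy:
member: CN=Alice,OU=Users,DC=corp,DC=example
member: CN=Bob,OU=Users,DC=corp,DC=example
objectSid:: AQUAAAAAAAUVAAAAAQIDBAUGBwgJCgsMUQQAAA==
objectGUID:: 0rKD2Y9RiEiRj5d6YxC0nA==
uSNCreated: 12345
whenCreated: 20240101120000.0Z
"""

# Attributes the directory assigns itself (objectSid, objectGUID, uSN*,
# when*) or maintains as back-links (memberOf).  An add that carries them
# is rejected, so they are dropped on rebuild; this is why a rebuilt
# object gets a new objectSid and why the undelete path exists.
# Assumption for this example, not an exhaustive list.
SYSTEM_ATTRIBUTES = {
    "objectguid", "objectsid", "usncreated", "usnchanged",
    "whencreated", "whenchanged", "distinguishedname", "name",
    "instancetype", "objectcategory", "dscorepropagationdata", "memberof",
}


def parse_ldif(text):
    """Return (attribute, separator, value) triples for a single-entry LDIF dump.
    Folded continuation lines (leading space) are joined back onto the
    previous line; a base64 value keeps its '::' separator so it can be
    re-emitted unchanged."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    triples = []
    for line in lines:
        m = re.match(r"^([A-Za-z][\w\-;]*)(::?)\s?(.*)$", line)
        if not m:
            raise ValueError("not an LDIF attribute line: %r" % line)
        triples.append(m.groups())
    return triples


def find_empty_links(triples):
    """Attributes listed with no value: the symptom of a link to the root object."""
    return [name for name, sep, value in triples
            if sep == ":" and value == "" and name.lower() != "dn"]


def rebuild_ldif(triples, broken):
    """LDIF for the recommended repair: delete the object, then add it back
    without the broken link(s) and without directory-owned attributes.
    Forward links such as member are re-added; back-links on other
    objects are lost, as the Caution in the article says."""
    dn = next(v for n, s, v in triples if n.lower() == "dn")
    skip = {b.lower() for b in broken} | SYSTEM_ATTRIBUTES | {"dn", "changetype"}
    out = ["dn: %s" % dn, "changetype: delete", "", "dn: %s" % dn, "changetype: add"]
    for name, sep, value in triples:
        if name.lower() not in skip:
            out.append("%s%s %s" % (name, sep, value))
    out.append("")
    return "\n".join(out)


def undelete_ldif(deleted_dn, original_dn):
    """Modify that reanimates a tombstone: clear isDeleted and restore the DN.
    deleted_dn is the mangled name in the Deleted Objects container,
    e.g. 'CN=Finance Admins\\0ADEL:<guid>,CN=Deleted Objects,DC=corp,DC=example'.
    Keeps objectSid and sIDHistory; linked attributes still need rebuilding."""
    return "\n".join([
        "dn: %s" % deleted_dn, "changetype: modify",
        "delete: isDeleted", "-",
        "replace: distinguishedName", "distinguishedName: %s" % original_dn, "-", "",
    ])


if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_EXPORT)
    bad = find_empty_links(entry)
    print("attributes with no value:", bad)
    print(rebuild_ldif(entry, bad))
```

Run the rebuild output with ldifde -i -f rebuild.ldf only after confirming the empty attribute is one of the linked attributes the article describes; an attribute that is legitimately empty in your schema would otherwise be flagged the same way.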
If you use the Microsoft Provisioning System, you can use the system to recover the attributes and the back-links.
Some backup and recovery applications may offer a more convenient way of leaving out these problematic attributes. For this to work, the application must let you select attributes during a restore operation; for example, it must let you exclude the managedBy attribute when you restore a deleted group.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Microsoft Windows Server 2003 Service Pack 1.