Deleting Active Directory objects that have many links causes replication failures

Summary

This article discusses an issue that occurs when you delete Active Directory objects that contain many forward and backward links.

The registry key that is discussed in this article should be applied only to domain controllers (DCs) that are experiencing the issue that is described in the "Symptoms" section. This issue is likely to occur on Windows Server 2012 and Windows Server 2012 R2 DCs. By following the recommendations that are given here, you may decrease Active Directory replication performance but increase the reliability of correctly processing the deletion of such large objects.

Symptoms

When you delete Active Directory objects that contain many forward and backward links, you encounter replication failure. For example, you delete objects that contain large group membership sets, or you demote some RODC computer accounts that have many permission settings.

The following conditions are the key indicators that this solution applies to the issue:

  • The forest functional level is Windows Server 2003 or later version of Windows Server.
  • Event 2094 (replication delay) occurs several times, referencing the same deleted object.
  • Event 1083 (Write conflict) occurs around the same time the 2094 event referencing the same deleted object.
  • The affected domain controller (DC) may also report that the version store is exhausted (Event ID 623). Exhaustion of version store does not always occur in this scenario. Other factors that increase the likelihood of version store exhaustion include a high rate of changes to Active Directory objects, both local and replicated, as well as other long running operations such as deep queries.
If the Active Directory recycle bin is enabled, the replication errors may not occur for 60 to 180 days (deleted object lifetime) after the object is deleted.



Event log entries

When the issue occurs, the following events are logged:





More Information

By default, when you run multiple passes to delete Active Directory objects that have an exceptionally large number of forward and backward links, 10,000 links are deleted at a time. During this time, if other threads have to update the target objects of these links, the link deletion transaction is suspended until the objects are available again. This suspension can cause the whole deletion transaction to take a long time to finish.

During this time, users may see write conflicts and transaction failure events. Also, as additional objects are processed by replication, more and more version store is allocated because the pending large transaction does not release its allocated versions store until the deletion transaction is finished. This can cause version store errors and replication warnings events.

Notes

  • Garbage collection is not related to the processing of group membership link deletions.
  • The legacy value for Links process batch size is 1,000 in versions before Windows Server 2008 R2. In later versions, the batch size is increased to 10,000 to improve the performance of undeleting in forests that have the Recycle Bin enabled.

Active Directory services check for the following registry key.

For AD DS:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Links process batch size
For AD LDS:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<adam instance>\Parameters\Links process batch size
Type: DWORD

Min Value: 1000

Max Value: 10000

This value overrides the default value of 10,000 as the number of atomic links to process at one time. After each atomic operation, the corresponding version store is released. The version store is reacquired only during the next atomic operation that continues to process the same object.

Workaround

To work around this issue, set the value of links process batch size lower than 10,000. This decreases the potential for an object access collision to occur. By doing this, you make the replication process of large object deletion more reliable. Also, it now takes a longer time to complete the whole transaction. This helps you avoid version store depletion.
Properti

ID Artikel: 3149779 - Tinjauan Terakhir: 27 Jan 2017 - Revisi: 2

Tanggapan