2003 DC in 2008 R2 forest receives NTDS SDPROP event ID 2008

Discussion in 'Active Directory' started by c_hr1s, Nov 10, 2009.

  1. c_hr1s

    c_hr1s Guest

    I have started receiving the following error since I upgraded my forest to
    2008 R2 in preparation for a full domain upgrade. I receive this every half
    hour on a user object (which occurs twice) and on the DC the error occurs.
    All the googling points to an Exchange 2003 SP1 issue but I have 2007 SP2
    installed so am baffled as to how to fix this. I have no other replication
    issues and this is only eventing on one DC.

    Internal error: The security descriptor propagation task encountered an
    error while processing the following object. The propagation of security
    descriptors may not be possible until the problem is corrected.

    Object:
    CN=user and DC,OU=,OU=,DC=domain,DC=co,DC=nz

    Additional Data
    Error value:
    -1026 JET_errRecordTooBig, Record larger than maximum size
    Internal ID:
    20903d5
     
    c_hr1s, Nov 10, 2009
    #1

  2. Hello c_hr1s,

    Did you raise the forest functional level to Windows Server 2008 R2?

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Nov 10, 2009
    #2

  3. From what I have found this deals with large numbers of ACLs applied or
    inherited on this object.

    Look at using the diagnostic tool ACLDiag.exe. The link to the tool usage
    is below, the tool itself should be with the support tools on the
    installation DVD.

    http://technet.microsoft.com/en-us/library/cc755388(WS.10).aspx

    Run this tool against the offending user and see if there are an inordinate
    amount of ACLs applied against this user.

    --
    Paul Bergson
    MVP - Directory Services
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, 2003, 2000 (Early Achiever), NT4
    Microsoft's Thrive IT Pro of the Month - June 2009

    http://www.pbbergs.com

    Please no e-mails, any questions should be posted in the NewsGroup. This
    posting is provided "AS IS" with no warranties, and confers no rights.
     
    Paul Bergson [MVP-DS], Nov 10, 2009
    #3
  4. Howdie!

    The internal ID points to the SDProp process that checks ACLs and
    permissions to user objects in Active Directory. Paul's suggestion is
    good advice, so I'd check with the security descriptor on the object and
    see whether there are too many (probably too deeply nested?) access
    control entries.

    Cheers,
    Florian
    --
    Microsoft MVP - Group Policy
    eMail: prename [at] frickelsoft [dot] net.
    blog: http://www.frickelsoft.net/blog.
    ANY advice you get on the Newsgroups should be tested thoroughly in your
    lab.
     
    Florian Frommherz [MVP], Nov 10, 2009
    #4
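
The check suggested in replies #3 and #4, as an added example that is not part of the original thread and not an alternative recommended by any poster: a PowerShell function that reads an object's security descriptor over ADSI and reports ACE counts and descriptor size, so the affected object can be compared with a healthy one. The function name, the optional `-Server` parameter and both distinguished names are hypothetical placeholders.

```powershell
# Added example: summarize the DACL of one AD object via ADSI (no AD module required).
function Get-AdObjectAceSummary {
    param(
        [Parameter(Mandatory = $true)][string]$DistinguishedName,
        [string]$Server   # optional: bind to a specific DC, e.g. the one logging the event
    )

    $path = if ($Server) { "LDAP://$Server/$DistinguishedName" }
            else         { "LDAP://$DistinguishedName" }
    $entry = [ADSI]$path
    $sd    = $entry.psbase.ObjectSecurity   # ActiveDirectorySecurity (owner, group, DACL)

    # Return trustees as SIDs so orphaned (unresolvable) SIDs do not throw on translation.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $aces    = @($sd.GetAccessRules($true, $true, $sidType))   # explicit + inherited

    $explicit = @($aces | Where-Object { -not $_.IsInherited })

    # Trustees contributing the most ACEs; a long tail here is the usual sign of ACL bloat.
    $top = $aces | Group-Object { $_.IdentityReference.Value } |
           Sort-Object Count -Descending |
           Select-Object -First 5 Count, Name

    New-Object PSObject -Property @{
        Object        = $DistinguishedName
        TotalAces     = $aces.Count
        ExplicitAces  = $explicit.Count
        InheritedAces = $aces.Count - $explicit.Count
        SdBytes       = $sd.GetSecurityDescriptorBinaryForm().Length
        TopTrustees   = $top
    }
}

# Placeholder DNs (constructed): the object named in event 2008 and a comparable healthy object.
$suspect  = 'CN=Affected User,OU=Staff,DC=example,DC=test'
$baseline = 'CN=Healthy User,OU=Staff,DC=example,DC=test'

$suspect, $baseline |
    ForEach-Object { Get-AdObjectAceSummary -DistinguishedName $_ } |
    Format-List Object, TotalAces, ExplicitAces, InheritedAces, SdBytes, TopTrustees
```

A large gap between the two objects in `TotalAces` or `SdBytes`, or many ACEs for SIDs that no longer resolve, points at the descriptor as the thing to clean up.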
