Event ID 1083 on 2 DC's for multiple users

  • Question

  • Hi,

    I've got a single domain forest which consists of 6 sites with 2 DC's in each site. In one of our sites both DC's are showing event id 1083 and 1955 for multiple users. DCDIAG does not show any related errors and I've also checked for duplicate entries. Any ideas?

    Thursday, May 5, 2011 11:41 AM

All replies

  • Could you post the full error.  Are there any other messages that go with this?

    repadmin /showmeta object distinguished name
    http://support.microsoft.com/kb/296714  (Outlined in this article)

    EventId
    http://www.eventid.net/display.asp?eventid=1083&eventno=919&source=NTDS Replication&phase=1

    RepAdmin
    http://support.microsoft.com/kb/229896

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This
    posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, May 5, 2011 11:52 AM
  • Just to add, the domain is Win2k8
    Thursday, May 5, 2011 11:54 AM
  • It can't be at DFL 2008 if you have Windows 2003 DC's.  The lowest o/s DC within a domain determines the highest a DFL can be set.

    --
    Paul Bergson

    Thursday, May 5, 2011 12:43 PM
  • It sounds to me like a replication issue. I would request you to post the relevant & complete error message asked for by Paul.

    You can check replication using repadmin /replsummary

    NTDS Event ID 1083 : A duplicate object is present in the Active Directory of the replication partner of the local domain controller, so updating it is impossible. Take a look at below link for some troubleshooting steps.

    http://technet.microsoft.com/en-us/library/bb727057.aspx

     

    Regards


    Awinish Vishwakarma| MY Blog

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Thursday, May 5, 2011 12:56 PM
  • Here's the error

    Log Name:      Directory Service
    Source:        Microsoft-Windows-ActiveDirectory_DomainService
    Date:          5/2/2011 12:30:36 AM
    Event ID:      1083
    Task Category: Replication
    Level:         Warning
    Keywords:      Classic
    User:          ANONYMOUS LOGON
    Computer:      mydomain.com

    Description:
    Active Directory Domain Services could not update the following object with changes received from the directory service at the following network address because Active Directory Domain Services was busy processing information.
     
    Object:
    CN=user name ,OU=Users,OU=OU,OU=OU,OU=Customers,OU=AMR,DC=mydomain,DC=com
    Network address:
    3e367e43-e611-4d78-9e6e-57c87ee6064d._msdcs.mydomain.com
     
    This operation will be tried again later.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS Replication" />
        <EventID Qualifiers="32768">1083</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>5</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8080000000000000</Keywords>
        <TimeCreated SystemTime="2011-05-02T07:30:36.157389100Z" />
        <EventRecordID>251</EventRecordID>
        <Correlation />
        <Execution ProcessID="576" ThreadID="1728" />
        <Channel>Directory Service</Channel>
        <Computer>DC02.mydomain.com</Computer>
        <Security UserID="S-1-5-7" />
      </System>
      <EventData>
        <Data>CN=user name ,OU=Users,OU=OU,OU=OU,OU=Customers,OU=AMR,DC=mydomain,DC=com</Data>
        <Data>3e367e43-e611-4d78-9e6e-57c87ee6064d._msdcs.mydomain.com</Data>
      </EventData>
    </Event>

    And here's the repadmin /showmeta output for this event

     

    31 entries.
    Loc.USN                           Originating DSA  Org.USN  Org.Time/Date
     Ver Attribute
    =======                           =============== ========= =============
     === =========
      37793      95130370-51b4-421a-abef-48cba23c4121  11864616 2010-01-27 09:41:09
       1 objectClass
      37793                         MSP2\DC02     37793 2011-04-13 06:09:07
       1 cn
      37793      95130370-51b4-421a-abef-48cba23c4121  11864616 2010-01-27 09:41:09
       1 sn
      37793      95130370-51b4-421a-abef-48cba23c4121  11864616 2010-01-27 09:41:09
       1 description
      37793      95130370-51b4-421a-abef-48cba23c4121  11864616 2010-01-27 09:41:09
       1 telephoneNumber
      37793      95130370-51b4-421a-abef-48cba23c4121  11864616 2010-01-27 09:41:09
       1 givenName
      37793      95130370-51b4-421a-abef-48cba23c4121  11864616 2010-01-27 09:41:09
       1 instanceType
      37793      95130370-51b4-421a-abef-48cba23c4121  11864616 2010-01-27 09:41:09
       1 whenCreated
      37793      b2ab9723-b2a2-42cf-80ea-7db152b4f249  11780591 2010-01-27 09:43:06
       2 displayName
      37793      95130370-51b4-421a-abef-48cba23c4121  11864616 2010-01-27 09:41:09
       1 nTSecurityDescriptor
      37793      95130370-51b4-421a-abef-48cba23c4121  11864616 2010-01-27 09:41:09
       1 name
      37793      825b4758-fa61-47bb-a815-ff92e3d04082  22409762 2010-10-31 19:34:39
       5 userAccountControl
      37793      95130370-51b4-421a-abef-48cba23c4121  11864617 2010-01-27 09:41:09
       1 codePage
      37793      95130370-51b4-421a-abef-48cba23c4121  11864617 2010-01-27 09:41:09
       1 countryCode
    3121146                         MSP2\DC03   7999975 2011-05-02 01:48:46
       8 dBCSPwd
      37793      95130370-51b4-421a-abef-48cba23c4121  11864617 2010-01-27 09:41:09
       1 logonHours
    3121146                         MSP2\DC03   7999975 2011-05-02 01:48:46
       8 unicodePwd
    3121146                         MSP2\DC03   7999975 2011-05-02 01:48:46
       8 ntPwdHistory
    3121146                         MSP2\DC03   7999975 2011-05-02 01:48:46
      11 pwdLastSet
      37793      95130370-51b4-421a-abef-48cba23c4121  11864617 2010-01-27 09:41:09
       1 primaryGroupID
    3121146                         MSP2\DC03   7999976 2011-05-02 01:48:46
       7 supplementalCredentials
      37793      95130370-51b4-421a-abef-48cba23c4121  11864616 2010-01-27 09:41:09
       1 objectSid
      37793      95130370-51b4-421a-abef-48cba23c4121  11864617 2010-01-27 09:41:09
       1 accountExpires
    3121146                         MSP2\DC03   7999975 2011-05-02 01:48:46
       8 lmPwdHistory
      37793      95130370-51b4-421a-abef-48cba23c4121  11864616 2010-01-27 09:41:09
       1 sAMAccountName
      37793      95130370-51b4-421a-abef-48cba23c4121  11864616 2010-01-27 09:41:09
       1 sAMAccountType
      37793      95130370-51b4-421a-abef-48cba23c4121  11864616 2010-01-27 09:41:09
       1 userPrincipalName
    3730153                         MSP2\DC02   3730153 2011-05-05 02:57:15
       8 lockoutTime
      37793      95130370-51b4-421a-abef-48cba23c4121  11864616 2010-01-27 09:41:09
       1 objectCategory
    3121031                         MSP2\DC03   7999948 2011-05-02 01:48:06
      22 lastLogonTimestamp
      37793      95130370-51b4-421a-abef-48cba23c4121  11864616 2010-01-27 09:41:09
       1 mail
    0 entries.
    Type    Attribute     Last Mod Time                            Originating DSA
    Loc.USN Org.USN Ver
    ======= ============  =============                           =================
    ======= ======= ===
            Distinguished Name
            =============================

    Thursday, May 5, 2011 1:05 PM
  • Here's the replsum

    There does not appear to be any other error message to go with this and no users have reported any issues. The servers with the errors are MMDC102 and MMDC103 (PDCe).

    Replication Summary Start Time: 2011-05-05 06:20:44

    Beginning data collection for replication summary, this may take awhile:
      ..............


    Source DSA          largest delta    fails/total %%   error
     CMDC01              21m:28s    0 /   5    0
     CMDC02              32m:58s    0 /  10    0
     CMDC00              13m:41s    0 /  10    0
     HEDC00              35m:20s    0 /   5    0
     HEDC01              35m:35s    0 /  10    0
     HEDC02              28m:35s    0 /  10    0
     HEDC03              27m:00s    0 /   5    0
     MMDC02              25m:04s    0 /  10    0
     MMDC03              28m:41s    0 /  20    0
     SADC00              29m:28s    0 /  10    0
     SADC01              31m:39s    0 /   5    0


    Destination DSA     largest delta    fails/total %%   error
     CMDC01              33m:13s    0 /   5    0
     CMDC02              21m:44s    0 /  10    0
     CMDC00              09m:02s    0 /  10    0
     HEDC00              35m:36s    0 /   5    0
     HEDC01              35m:24s    0 /  10    0
     HEDC02              27m:10s    0 /  10    0
     HEDC03              28m:48s    0 /   5    0
     MMDC02              29m:02s    0 /  15    0
     MMDC03              25m:04s    0 /  15    0
     SADC00              31m:46s    0 /  10    0
     SADC01              29m:50s    0 /   5    0


    Thursday, May 5, 2011 1:25 PM
  • Hello,

    please upload the following files so we can get an overview:

    ipconfig /all >c:\ipconfig.txt [all DCs]
    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
    and don't run on Windows server 2008 R2]
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt  ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)

    As the output will become large, DON'T post them into the thread, please use Windows Sky Drive (with open access!) http://explore.live.com/windows-live-skydrive and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.


    Best regards
    Meinolf Weber

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Thursday, May 5, 2011 10:27 PM
  • Please provide the results requested by Meinolf to analyze the issue in more detail.

     

    Regards

    Awinish Vishwakarma

    Friday, May 6, 2011 2:07 AM
  • Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 Foundation, Windows Server 2008 R2, Windows Server 2008 R2 Foundation, Windows Server 2012

    The tombstone lifetime in an Active Directory forest determines how long a deleted object (called a “tombstone”) is retained in Active Directory Domain Services (AD DS). The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory partition.

    You can use this procedure to determine the tombstone lifetime for the forest.

    Membership in Domain Users, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

    To determine the tombstone lifetime for the forest using ADSIEdit

    1. Click Start, point to Administrative Tools, and then click ADSI Edit.

    2. In ADSI Edit, right-click ADSI Edit, and then click Connect to.

    3. For Connection Point, click Select a well known Naming Context, and then click Configuration.

    4. If you want to connect to a different domain controller, for Computer, click Select or type a domain or server: (Server | Domain [:port]). Provide the server name or the domain name and Lightweight Directory Access Protocol (LDAP) port (389), and then click OK.

    5. Double-click Configuration, CN=Configuration,DC=ForestRootDomainName, CN=Services, and CN=Windows NT.

    6. Right-click CN=Directory Service, and then click Properties.

    7. In the Attribute column, click tombstoneLifetime.

    8. Note the value in the Value column. If the value is <not set>, the value is 60 days.

    To determine the tombstone lifetime for the forest using Dsquery

    1. Open a Command Prompt window. To open a command prompt, click Start, click Run, type cmd, and then press ENTER.

    2. At the command prompt, type the following command, and then press ENTER:

      dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=<forestDN>" -scope base -attr tombstonelifetime
      

      Be sure to replace <forestDN> with the actual distinguished name of the forest. For example, if your forest name is corp.proseware.com, type the following, and then press ENTER:

      dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=corp,dc=proseware,dc=com" -scope base -attr tombstonelifetime

    Thx. Semih SOYKAL

    Monday, January 21, 2013 11:15 AM
  • If the health of DC is good and there is no replication issue you can ignore this error as this could be due to Active Directory collision for the update.

    Simultaneous changes against Active Directory object attributes on different domain controllers may cause an Active Directory collision for the update. When this occurs, NTDS replication warnings 1083 or 1061, or SAM error ID 12294 may be logged. http://support.microsoft.com/kb/306091


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.


    Monday, January 21, 2013 11:51 AM
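
Added example (not part of any reply in this thread): a Python parser for `repadmin /showmeta` output in the wrapped two-line layout posted above, used to list which domain controllers originated writes to the object near the time of an Event 1083 warning, the pattern the collision explanation in the last reply describes. The sample text, DC names, GUID and the 7-day default window are constructed assumptions, and the event time and the showmeta timestamps are assumed to be in the same time zone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the wrapped `repadmin /showmeta` layout (hypothetical names).
SAMPLE = """\
  37793      11111111-2222-3333-4444-555555555555  11864616 2010-01-27 09:41:09
   1 objectClass
3121146                         SITE\\DCB   7999975 2011-05-02 01:48:46
   8 unicodePwd
3121146                         SITE\\DCB   7999975 2011-05-02 01:48:46
  11 pwdLastSet
3730153                         SITE\\DCA   3730153 2011-05-05 02:57:15
   8 lockoutTime
3121031                         SITE\\DCB   7999948 2011-05-02 01:48:06
  22 lastLogonTimestamp
"""

# Line 1 of a pair: Loc.USN, originating DSA, Org.USN, Org.Time/Date.
META = re.compile(r"^\s*\d+\s+(\S+)\s+\d+\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*$")
ATTR = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")

def parse_showmeta(text):
    """Return one dict per attribute; headers and 'N entries.' lines are skipped."""
    rows, pending = [], None
    for line in text.splitlines():
        meta = META.match(line)
        if meta:
            pending = meta
            continue
        attr = ATTR.match(line)
        if attr and pending:
            when = datetime.strptime(pending.group(2), "%Y-%m-%d %H:%M:%S")
            rows.append({"attr": attr.group(2), "ver": int(attr.group(1)),
                         "dsa": pending.group(1), "time": when})
        pending = None
    return rows

def writers_near(rows, event_time, window=timedelta(days=7)):
    """Map originating DSA -> [(attribute, version)] written within the window."""
    hits = defaultdict(list)
    for r in rows:
        if abs(r["time"] - event_time) <= window:
            hits[r["dsa"]].append((r["attr"], r["ver"]))
    return dict(hits)

def multiple_writers(rows, event_time, window=timedelta(days=7)):
    """Heuristic: more than one DC originated changes to the object near the event."""
    return len(writers_near(rows, event_time, window)) > 1
```

A result of `True` only says that several DCs wrote to the same object around the warning; replication health still has to be confirmed with `repadmin /replsummary` as suggested earlier in the thread.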