
Event ID: 1083 Source: NTDSReplication

Level
Description
Replication warning: The directory is busy. It couldn't update object CN=GUP1428,CN=Users,DC=gen,DC=mydom,DC=com with changes made by directory 610dc995-6f03-4a6d-bf33-9cfeaf09a682._msdcs.mydom.com. Will try again later.
Comments
 
According to a newsgroup post: "Unless these turn into errors message 1083 events are to be expected. There is always going to be instances in which REPL or the AD is going to be busy and the request is going to be queued. If you start to see the same transaction refused time and again, it, then would be considered an issue as that *one* transaction is never getting committed."
I received this Informational event on both Primary and Secondary 2003 Domain Controllers preceded by EventID warning 1955 after changing the Domain Administrator password. I found several services using the Administrator credentials as well as a few servers logged in over RDP as Administrator with the sessions disconnected. It appears as though all of the services attempting to authenticate the old password hammered the 2 DCs and it tried to lock the Admin account. I also got event ID 12294 errors during the same timeframe associated with the attempt to lock out the Admin account.

Logged all sessions off and updated service credentials and the warning and error events on the DCs stopped.
In our case the source of the issue was malware brute force attacking user accounts. DC security logs delivered the name of the attacking computer.
This might be caused by the combination of active "account lockout policies" set via group policies and a computer with the Win32/Conficker worm installed connected to the network. The worm tries to log on to network shares with bad combinations of username and password, which locks the user accounts. This will be replicated to the other domain controllers and if the infected computer is still active, events 1083 and 1955 are logged.
I have received this warning on a Windows Server 2003 server with a slightly different description: “Active Directory could not update the following object with changes received from the domain controller at the following network address because Active Directory was busy processing information”.
This warning started to appear after the Administrator's password was changed, and repeated approximately once an hour. It was accompanied by EventID 861 from source Security in the Security Log mentioning the following parameters:
Path: C:\WINDOWS\system32\tcpsvcs.exe
User account: SYSTEM
User domain: NT AUTHORITY.
The problem was caused by the Microsoft DHCP Server (running on that server) that used the Administrator's credentials for DNS dynamic updates registration. The DNS dynamic updates registration should use another dedicated domain account whose password does not need to be changed for security reasons.


This behavior is symptomatic of a duplicate object in Active Directory of the replication partner. See WITP80645 for some steps you should take in order to fix this problem.
As per Microsoft: "This problem may occur if a child domain is not completely removed. As a result, some domain controllers in your organization may have conflicting information about the child domain". See ME825952 for a hotfix applicable to Microsoft Windows 2000.

See ME834926 for a hotfix applicable to Microsoft Windows Server 2003.
The cause for the repeated occurrence of this event on our network was quite difficult to track down and was in the end attributed to a service trying to log on with an invalid password and thereby locking the account mentioned in the Event description.
In our specific scenario, the account mentioned in the Event description was used to install the Trend TVCS Agent service. Due to our company security policy, however, passwords have to be changed every few weeks. Since the Trend TVCS Agent stores an encrypted version of the password in the registry, the next time this service tries to activate, it cannot and ultimately locks out the account (as can be verified in the Security Event Log on the server the TVCS Agent service is running on).
As a conclusion, do not install services with accounts that have a password policy applied to them. The Trend TVCS Agent service had to be reinstalled using another, service specific account.
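Several of the posts above describe the same chain: a service (Trend TVCS Agent, DHCP dynamic updates, disconnected RDP sessions) keeps retrying a password that has since been changed, the account locks out, and the lockout then shows up on the DCs as events 1083 and 1955. The following PowerShell is an added example, not code from the original page or from any of the posters: it lists the accounts that are currently locked out, shows their lockout attributes, and scans a constructed list of member servers for Windows services configured to log on as one of those accounts. It assumes the RSAT ActiveDirectory module and CIM/WinRM access to the servers; the server names are placeholders.

```powershell
# Added example: find locked-out domain accounts and the services that run as them.
# Assumes the ActiveDirectory module (RSAT) and CIM/WinRM access to each server listed.
Import-Module ActiveDirectory

# Constructed inventory of member servers to scan; replace with your own list.
$servers = @('APP01', 'APP02', 'DHCP01')

# 1. Which accounts are currently locked out, and when did the lockout happen?
#    badPwdCount is not replicated, so the value reflects only the DC that answers the query.
$locked = Search-ADAccount -LockedOut -UsersOnly |
    ForEach-Object {
        Get-ADUser -Identity $_.SamAccountName -Properties AccountLockoutTime, badPwdCount, LastBadPasswordAttempt
    }

if (-not $locked) {
    Write-Host 'No locked-out user accounts found.'
    return
}

$locked |
    Select-Object SamAccountName, AccountLockoutTime, badPwdCount, LastBadPasswordAttempt |
    Format-Table -AutoSize

# 2. On each server, find services whose logon account is one of the locked accounts.
#    Win32_Service.StartName holds the logon account, e.g. "MYDOM\svc_tvcs" or "svc_tvcs@mydom.com".
$findings = foreach ($server in $servers) {
    try {
        $services = Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not query services on ${server}: $($_.Exception.Message)"
        continue
    }
    foreach ($svc in $services) {
        if (-not $svc.StartName) { continue }
        foreach ($acct in $locked) {
            $sam = [regex]::Escape($acct.SamAccountName)
            # Match "DOMAIN\sam", "sam@domain" or a bare "sam", but not a longer name that merely contains it.
            if ($svc.StartName -match "(^|\\)${sam}(@|$)") {
                [pscustomobject]@{
                    Server  = $server
                    Service = $svc.Name
                    LogonAs = $svc.StartName
                    State   = $svc.State
                }
            }
        }
    }
}

if ($findings) {
    # These are the services to move to a dedicated service account (or at least re-enter the
    # password on) before unlocking the account, otherwise the lockout simply recurs.
    $findings | Format-Table -AutoSize
}
else {
    Write-Host 'No services on the scanned servers log on with a locked-out account.'
}
```

Run it from a workstation or DC with RSAT as a domain user that can read service configuration on the member servers. Services are only one source of stale credentials; scheduled tasks and disconnected interactive sessions (as one poster found) are not covered by this scan.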
This error generally occurs when a duplicate connection object exists in Active Directory of the destination replication partner. Because this connection object is used to facilitate replication with the local domain controller, updates are impossible when replication does occur.

The description of event ID 1083 contains:

The distinguished name of the object causing the problem.
The GUID-based DNS name of the replication partner. This name is composed of the GUID of the NTDS Settings object of the replication partner, followed by _msdcs.corp.hay-buv.com.

To resolve the problem, perform the following actions:

1. Ping the GUID-based DNS name to get the IP address of the replication partner.
2. Run Ldp.exe from Windows 2000 Support Tools, and then connect to this IP address by using the connect option from the Connection menu. Select the Bind option from the Connection menu, and then enter the credentials of an administrator account. Select the Search option from the Browse menu. In the Search dialog box, select the Subtree option. In the Base Dn option, enter the following information: the distinguished name of the domain to search for a user or a computer (dc=branches, dc=company, dc=com) or the distinguished name of the configuration container to search for connection objects.
3. Click Run. The right pane of the window displays the different locations in which the object was found. Select the appropriate result from the list. Delete the other returned options by using the Delete option of the Browse menu. Enter the distinguished name of the object to delete, for example:
   CN=DC2, CN=Servers, CN=Bad-Site, CN=Sites, CN=Configuration, DC=corp, DC=hay-buv, DC=com
4. Ensure that the object has been properly deleted in the right pane of the Ldp.exe window.
5. If no duplicate exists, move the object to a different site or organizational unit. Document this for future reference in case the object needs to be moved again at a later date. Synchronize the configuration and domain naming contexts by typing the following commands at the command prompt:
   repadmin /sync CN=Configuration, DC=corp, DC=hay-buv, DC=com %computername% <rep_partner_GUID>
   repadmin /sync DC=branches, DC=corp, DC=hay-buv, DC=com %computername% <rep_partner_GUID>
6. If replication completes successfully, the event log should not show any new instances of event ID 1083.
7. If necessary, move the object back to its original location, and then resynchronize the configuration and domain naming contexts by using the commands above.
Windows 2000 Advanced Server with SP3 installed (German version). Event 1083 was logged as described in ME296714. The cause of this was that we had some orphan DCs in the Domain Controllers OU and the event mentioned above was logged after switching the AD to native mode.
We removed the orphan entries but the event was still logged every three hours. We checked ME285858, ME306091 but they did not help. We also tried ME296714. At this stage we could not see any duplicated entry.

We then asked the customer to run the Microsoft Product Support's Customer Configuration Capture Tool report for the directory services. We reviewed the log file and we created this action plan for the customer:

There is a problem with the "Admin" user account. Please find this account in your Domain and reset the password. Find out if some services are using this account and make sure they get changed to the new password. Check to see if you still have the issue. If the above does not work, then continue with:

Move the account to another OU and run repadmin /syncall from the command prompt. For example:

c:\>repadmin /syncall  <name of the DC partner>

If it corrected the problem then move the user back to the original OU. If it doesn't correct the problem continue with:
1. Start LDP from a Run command on the DC that generated the event ID.
2. From the Connection menu select "Connect" then click OK to accept the default setting.
3. Again from the Connection menu select "Bind" then click OK on the bind screen to accept the default setting.
4. From the View menu select the "Tree" option to expand the view.
5. From the left hand pane highlight the domain DN name. For example you will see dc=domainname, dc=com. Highlight dc=domainname, dc=com by clicking on it.
6. From the Browse menu select the Search option. In the search Base DN enter your domain DN name. For example: Base Dn: DC=domainname, DC=com. In the Filter option enter the object name to search for. For example, I am searching for an object named McVaugh that might be a duplicate, as seen in the description of the event log. Make sure to put the ( ) as seen below. Filter: (CN=McVaugh)
7. On the Scope select the "Subtree" option and click Run to start the search.
8. Once the objects are found, and if there are duplicate objects with the same name, decide on a good object then delete the other. An example of an object found:
   ***Searching...
   ldap_search_s(ld, "DC=domainname, DC=com", 2, "(CN=something)", attrList, 0, &msg)
   Result <0>: (null)
   Matched DNs:
   Getting 1 entries:
   >> Dn: CN=McVaugh, CN=Users, DC=domainname, DC=com
   1> canonicalName: domainname.com/Users/Something;
   1> cn: McVaugh;
   1> distinguishedName: CN=McVaugh, CN=Users, DC=domainame, DC=com;
   4> objectClass: top; person; organizationalPerson; user;
   1> name: something;
9. To delete the bad object do the following: From the main menu click on Browse then select "Delete". Enter the DN name of the object to be deleted. For example I am deleting the object named something. DN: CN=something, CN=Users, DC=domainname, DC=com
   An example of the object deleted message:
   ldap_delete_s(ld, "CN=something, CN=Users, DC=domainname, DC=com");
   Deleted "CN=something, CN=Users, DC=domainname, DC=com"
   -----------
10. Close the LDP session.
11. From the CMD prompt sync the Active Directory database with all the other domain controllers by running the following command and make sure you are getting a message indicating that it was successful. For example: c:\>repadmin /syncall <name of the DC partner>. You might want to check ME244344.
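The two LDP walk-throughs above (the Microsoft KB-style procedure and the support action plan) both come down to the same check: read the object DN and the partner's GUID-based name out of the 1083 description, resolve the partner, and search the domain and configuration partitions for every object carrying that CN so a duplicate can be identified before anything is deleted. The following PowerShell is an added example and not code from the page or its posters; it does the read-only part of that procedure and leaves deletion to the administrator, with the repadmin /syncall step opt-in. It assumes the RSAT ActiveDirectory module and that it runs on (or can reach) the DC that logged the event; the parsing regexes are built from the description format quoted on this page.

```powershell
# Added example: PowerShell version of the LDP duplicate-object check described above.
# Assumes the ActiveDirectory module (RSAT) and access to the DC that logged event 1083.
# Nothing is deleted; the sync step only runs when -SyncAfterCleanup is given.
param(
    [switch]$SyncAfterCleanup   # set only after a bad duplicate has been removed
)
Import-Module ActiveDirectory

# 1. Pull the newest NTDS Replication event 1083 from the Directory Service log.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1083 } -MaxEvents 1 -ErrorAction Stop

# 2. Parse the two values the description carries: the object's DN and the partner's
#    GUID-based DNS name (<NTDS Settings GUID>._msdcs.<forest root>). Spaces after commas are
#    tolerated because some descriptions are written "CN=X, CN=Users, DC=...".
$objectDn   = [regex]::Match($evt.Message, 'CN=.+?(?:,\s*DC=[A-Za-z0-9-]+)+').Value
$partnerDns = [regex]::Match($evt.Message, '[0-9a-fA-F-]{36}\._msdcs\.[A-Za-z0-9.-]+').Value.TrimEnd('.')
if (-not $objectDn) { throw "No object DN found in event 1083 text: $($evt.Message)" }

# 3. The 'ping the GUID-based name' step: the name is a CNAME to the partner DC's host record.
$partnerAddr = $null
if ($partnerDns) {
    $partnerAddr = Resolve-DnsName -Name $partnerDns -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | Select-Object -First 1 -ExpandProperty IPAddress
}
Write-Host "Object  : $objectDn"
Write-Host "Partner : $partnerDns -> $(if ($partnerAddr) { $partnerAddr } else { 'unresolved' })"

# 4. Search the domain and configuration partitions for every object with the same CN
#    (the LDP Subtree search with Filter: (CN=<name>) above). Escape LDAP filter
#    metacharacters so a CN containing ( ) * or \ cannot break the filter.
$cn        = (($objectDn -split ',')[0] -replace '^CN=', '').Trim()
$cnEscaped = $cn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

$rootDse = Get-ADRootDSE
$bases   = @($rootDse.defaultNamingContext, $rootDse.configurationNamingContext)

$found = @(foreach ($base in $bases) {
    Get-ADObject -LDAPFilter "(cn=$cnEscaped)" -SearchBase $base -SearchScope Subtree `
        -Properties whenCreated, whenChanged, objectGUID
})

$found | Select-Object DistinguishedName, ObjectClass, ObjectGUID, whenCreated, whenChanged | Format-Table -AutoSize

if ($found.Count -gt 1) {
    Write-Warning ("{0} objects share CN={1}. Decide which one is good (whenCreated and the DN " +
        "named in the event help), remove the other with Remove-ADObject, then re-run with -SyncAfterCleanup.") -f $found.Count, $cn
}
elseif ($found.Count -eq 1) {
    Write-Host "Only one object with CN=$cn exists, so a duplicate is not the cause; check whether the account is locked out or try moving the object to another OU, as the posts above describe."
}
else {
    Write-Host "No object with CN=$cn found in the domain or configuration partition."
}

# 5. Optional: synchronize both naming contexts with all partners (the posters' repadmin /syncall step).
if ($SyncAfterCleanup) {
    foreach ($nc in $bases) {
        & repadmin.exe /syncall $env:COMPUTERNAME $nc
    }
}
```

Run it as `.\Check-Event1083.ps1` first to see the candidates, and again with `-SyncAfterCleanup` once the bad object is gone; keeping deletion out of the script mirrors the posts' advice to pick the good object by hand.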
This issue may occur if a duplicate object is present in Active Directory for the replication partner of the local domain controller. When the local domain controller receives the replication updates that contain duplicate objects from its replication partner, the local domain controller cannot perform the updates on those objects, and therefore it logs a warning in the Directory Service event log. See ME285858 and ME296714.
Simultaneous changes against Active Directory object attributes on different domain controllers may cause an Active Directory collision for the update. See ME306091 for details.
This error was being written a few times in my Event Log until I noticed the user was locked out. Unlocking the account solved the replication problem and caused the errors to go away.
