|
|
 FAQ
 Search
 Memberlist
 Usergroups
 Register
 Profile
 Private messages
 Log in
|
|
| Author |
Message |
Hens
Guest
|
 Posted: Tue May 16, 2006 11:31 am Post subject: Security Descriptor Propagation (Cleanup) |
 |
|
Hi,
I hope someone can help me; my Exchange 2003 (upgraded from 5.5 to 2003)
servers have the following problem,
(From a newsgroup post: "You are getting
JET_errRecordTooBigForBackwardCompatibility. Your object has too many values
on it. SDP needs to stamp another one, and is unable to do it, because the
object is full. You can only have ~850 values (non-linked) on an object in
W2K mode, and ~1300 in w2k3 mode. Just go to this object and remove some
values. Most likely, you have too many certs on this object. I have also seen
too many IM contacts. Use adsiedit or ldp. LDP is the easiest, it shows all
attributes when you double-click on the object.")
The events on my Exchange servers are:
Event Type: Error
Event Source: NTDS SDPROP
Event Category: Internal Processing
Event ID: 2008
Date: 2006/05/12
Time: 01:17:36 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: Server01
Description:
Internal error: The security descriptor propagation task encountered an
error while processing the following object. The propagation of security
descriptors may not be possible until the problem is corrected.
Object:
CN=Business Owners,CN=Microsoft Exchange System Objects,DC=CompanyA,DC=com
Additional Data
Error value:
-1112 []
Internal ID:
2080490
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Does anyone know exactly know how to cleanup this objects, I tried ADSIEDIT
but can’t seem to cleanup some of the objects. This is just one example of an
object but there are many more.
Many Thanks |
|
| Back to top |
|
 |
|
|
Carlo Cacciafesta
Guest
|
| Posted: Tue May 16, 2006 1:03 pm Post subject: RE: Security Descriptor Propagation (Cleanup) |
|
|
"Hens" wrote:
| Quote: | Hi,
I hope someone can help me; my Exchange 2003 (upgraded from 5.5 to 2003)
servers have the following problem,
(From a newsgroup post: "You are getting
JET_errRecordTooBigForBackwardCompatibility. Your object has too many values
on it. SDP needs to stamp another one, and is unable to do it, because the
object is full. You can only have ~850 values (non-linked) on an object in
W2K mode, and ~1300 in w2k3 mode. Just go to this object and remove some
values. Most likely, you have too many certs on this object. I have also seen
too many IM contacts. Use adsiedit or ldp. LDP is the easiest, it shows all
attributes when you double-click on the object.")
The events on my Exchange servers are:
Event Type: Error
Event Source: NTDS SDPROP
Event Category: Internal Processing
Event ID: 2008
Date: 2006/05/12
Time: 01:17:36 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: Server01
Description:
Internal error: The security descriptor propagation task encountered an
error while processing the following object. The propagation of security
descriptors may not be possible until the problem is corrected.
Object:
CN=Business Owners,CN=Microsoft Exchange System Objects,DC=CompanyA,DC=com
Additional Data
Error value:
-1112 []
Internal ID:
2080490
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Does anyone know exactly know how to cleanup this objects, I tried ADSIEDIT
but can’t seem to cleanup some of the objects. This is just one example of an
object but there are many more.
Many Thanks
|
Looks like that object (CN=Business Owners,CN=Microsoft Exchange System
Objects,DC=CompanyA,DC=com) contains a value too high in one of his
attributes. See also http://support.microsoft.com/kb/914036/en-us.
It seems to me that either you can correct that object or you have to raise
the forest functional level.
Regards,
Carlo |
|
| Back to top |
|
|
Carlo Cacciafesta
Guest
|
| Posted: Tue May 16, 2006 1:10 pm Post subject: RE: Security Descriptor Propagation (Cleanup) |
|
|
"Carlo Cacciafesta" wrote:
| Quote: |
Looks like that object (CN=Business Owners,CN=Microsoft Exchange System
Objects,DC=CompanyA,DC=com) contains a value too high in one of his
attributes. See also http://support.microsoft.com/kb/914036/en-us.
It seems to me that either you can correct that object or you have to raise
the forest functional level.
Regards,
Carlo
|
Here I paste a little tutorial on how to use Adsiedit, if you want you can
read the full article here:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbg_dat_namy.asp
.. Remember to verify that you have a full backup before starting making
changes.
-------------------------------------------------------------
To use ADSI Edit, install the Support Tools that are located in the
Support\Tools folder on the Windows 2000 Server operating system CD. To
install the tools, double-click the Setup icon in that folder. For more
information about using ADSI Edit, see Microsoft Windows 2000 Support Tools
Help. For information about installing and using the Windows 2000 Support
Tools and Support Tools Help, see the file Sreadme.doc in the Support\Tools
folder of the Windows 2000 operating system CD.
To view or change attribute values by using ADSI Edit
On the Start menu, point to Programs, Windows 2000 Support Tools, Tools, and
then click ADSI Edit.
If the directory partition whose attributes you want to change or view is
not displayed, right-click the ADSI Edit icon, and then click Connect to.
If the current computer is not the domain controller on which you want to
change attributes, under Computer, click Select or type a domain controller,
and then select or type the computer name.
To select the directory partition, under Connection Point, click Naming
Context.
In the Naming Context list, click a directory partition, and then click OK.
Note
In the Name box, the name of the directory partition that you selected is
displayed. You can replace this name with a name that better identifies the
specific connection.
Navigate to the object whose property values you want to view or change.
In the Properties dialog box, in the Select which properties to view box,
click one these alternatives: Optional, Mandatory, or Both.
In the Select a property to view box, click the property that you want to
view.
To change a property value, type the value in the Edit Attribute box.
Click Set, and then click OK.
When you view properties on cn=Directory Service,cn=Windows NT,
cn=Services,cn=Configuration,dc=forestRootDomain, if no value is set (which
means that the default is in effect), the value that you type in the Edit
Attribute box replaces the default value when you click Set. |
|
| Back to top |
|
|
Hens
Guest
|
| Posted: Tue May 16, 2006 1:14 pm Post subject: RE: Security Descriptor Propagation (Cleanup) |
|
|
I did check out this article, the thing is, the client does not want to raise
the functional level because of customized applications that they wrote (They
are scared its going to brake the custom allocation) so I need to fix this
manually. How exactly can I fix this, do you know please?
Thanks
"Carlo Cacciafesta" wrote:
| Quote: | "Hens" wrote:
Hi,
I hope someone can help me; my Exchange 2003 (upgraded from 5.5 to 2003)
servers have the following problem,
(From a newsgroup post: "You are getting
JET_errRecordTooBigForBackwardCompatibility. Your object has too many values
on it. SDP needs to stamp another one, and is unable to do it, because the
object is full. You can only have ~850 values (non-linked) on an object in
W2K mode, and ~1300 in w2k3 mode. Just go to this object and remove some
values. Most likely, you have too many certs on this object. I have also seen
too many IM contacts. Use adsiedit or ldp. LDP is the easiest, it shows all
attributes when you double-click on the object.")
The events on my Exchange servers are:
Event Type: Error
Event Source: NTDS SDPROP
Event Category: Internal Processing
Event ID: 2008
Date: 2006/05/12
Time: 01:17:36 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: Server01
Description:
Internal error: The security descriptor propagation task encountered an
error while processing the following object. The propagation of security
descriptors may not be possible until the problem is corrected.
Object:
CN=Business Owners,CN=Microsoft Exchange System Objects,DC=CompanyA,DC=com
Additional Data
Error value:
-1112 []
Internal ID:
2080490
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Does anyone know exactly know how to cleanup this objects, I tried ADSIEDIT
but can’t seem to cleanup some of the objects. This is just one example of an
object but there are many more.
Many Thanks
Looks like that object (CN=Business Owners,CN=Microsoft Exchange System
Objects,DC=CompanyA,DC=com) contains a value too high in one of his
attributes. See also http://support.microsoft.com/kb/914036/en-us.
It seems to me that either you can correct that object or you have to raise
the forest functional level.
Regards,
Carlo |
|
|
| Back to top |
|
|
Hens
Guest
|
| Posted: Tue May 16, 2006 2:14 pm Post subject: RE: Security Descriptor Propagation (Cleanup) |
|
|
There is allot of values in the properties box of CN=Business Owners that I
can edit, what is the exact one and what should it be edited to get rid of
this event in event viewer?
Thanks
"Carlo Cacciafesta" wrote:
| Quote: | "Carlo Cacciafesta" wrote:
Looks like that object (CN=Business Owners,CN=Microsoft Exchange System
Objects,DC=CompanyA,DC=com) contains a value too high in one of his
attributes. See also http://support.microsoft.com/kb/914036/en-us.
It seems to me that either you can correct that object or you have to raise
the forest functional level.
Regards,
Carlo
Here I paste a little tutorial on how to use Adsiedit, if you want you can
read the full article here:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbg_dat_namy.asp
. Remember to verify that you have a full backup before starting making
changes.
-------------------------------------------------------------
To use ADSI Edit, install the Support Tools that are located in the
Support\Tools folder on the Windows 2000 Server operating system CD. To
install the tools, double-click the Setup icon in that folder. For more
information about using ADSI Edit, see Microsoft Windows 2000 Support Tools
Help. For information about installing and using the Windows 2000 Support
Tools and Support Tools Help, see the file Sreadme.doc in the Support\Tools
folder of the Windows 2000 operating system CD.
To view or change attribute values by using ADSI Edit
On the Start menu, point to Programs, Windows 2000 Support Tools, Tools, and
then click ADSI Edit.
If the directory partition whose attributes you want to change or view is
not displayed, right-click the ADSI Edit icon, and then click Connect to.
If the current computer is not the domain controller on which you want to
change attributes, under Computer, click Select or type a domain controller,
and then select or type the computer name.
To select the directory partition, under Connection Point, click Naming
Context.
In the Naming Context list, click a directory partition, and then click OK.
Note
In the Name box, the name of the directory partition that you selected is
displayed. You can replace this name with a name that better identifies the
specific connection.
Navigate to the object whose property values you want to view or change.
In the Properties dialog box, in the Select which properties to view box,
click one these alternatives: Optional, Mandatory, or Both.
In the Select a property to view box, click the property that you want to
view.
To change a property value, type the value in the Edit Attribute box.
Click Set, and then click OK.
When you view properties on cn=Directory Service,cn=Windows NT,
cn=Services,cn=Configuration,dc=forestRootDomain, if no value is set (which
means that the default is in effect), the value that you type in the Edit
Attribute box replaces the default value when you click Set.
|
|
|
| Back to top |
|
|
Carlo Cacciafesta
Guest
|
| Posted: Tue May 16, 2006 3:20 pm Post subject: RE: Security Descriptor Propagation (Cleanup) |
|
|
"Hens" wrote:
| Quote: | There is allot of values in the properties box of CN=Business Owners that I
can edit, what is the exact one and what should it be edited to get rid of
this event in event viewer?
Thanks
|
I think you could try to search the long attribute using ldp.exe, from the
Support Tools. This tool can make customized queries through the "Search"
option but actually I don't know how to help you more than this.
Hope it helps.
Carlo |
|
| Back to top |
|
|
Joe Richards [MVP]
Guest
|
| Posted: Tue May 16, 2006 9:52 pm Post subject: Re: Security Descriptor Propagation (Cleanup) |
|
|
Remove some of the values from whatever non-linked multivalued attribute is
hitting the ~850 values mark.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Hens wrote:
| Quote: | I did check out this article, the thing is, the client does not want to raise
the functional level because of customized applications that they wrote (They
are scared its going to brake the custom allocation) so I need to fix this
manually. How exactly can I fix this, do you know please?
Thanks
"Carlo Cacciafesta" wrote:
"Hens" wrote:
Hi,
I hope someone can help me; my Exchange 2003 (upgraded from 5.5 to 2003)
servers have the following problem,
(From a newsgroup post: "You are getting
JET_errRecordTooBigForBackwardCompatibility. Your object has too many values
on it. SDP needs to stamp another one, and is unable to do it, because the
object is full. You can only have ~850 values (non-linked) on an object in
W2K mode, and ~1300 in w2k3 mode. Just go to this object and remove some
values. Most likely, you have too many certs on this object. I have also seen
too many IM contacts. Use adsiedit or ldp. LDP is the easiest, it shows all
attributes when you double-click on the object.")
The events on my Exchange servers are:
Event Type: Error
Event Source: NTDS SDPROP
Event Category: Internal Processing
Event ID: 2008
Date: 2006/05/12
Time: 01:17:36 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: Server01
Description:
Internal error: The security descriptor propagation task encountered an
error while processing the following object. The propagation of security
descriptors may not be possible until the problem is corrected.
Object:
CN=Business Owners,CN=Microsoft Exchange System Objects,DC=CompanyA,DC=com
Additional Data
Error value:
-1112 []
Internal ID:
2080490
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Does anyone know exactly know how to cleanup this objects, I tried ADSIEDIT
but can’t seem to cleanup some of the objects. This is just one example of an
object but there are many more.
Many Thanks
Looks like that object (CN=Business Owners,CN=Microsoft Exchange System
Objects,DC=CompanyA,DC=com) contains a value too high in one of his
attributes. See also http://support.microsoft.com/kb/914036/en-us.
It seems to me that either you can correct that object or you have to raise
the forest functional level.
Regards,
Carlo |
|
|
| Back to top |
|
|
|
|
|
|
