Event ID 1084 — Replication Changes

Applies To: Windows Server 2008 R2

The replication process in Active Directory Domain Services (AD DS) ensures that domain controllers are able to maintain a consistent and updated Active Directory database. Because the Active Directory database holds essential information about user, group, and computer accounts, as well as other resources and services and the network configuration, keeping this information consistent on all the domain controllers is important. Failure of the Active Directory replication process can result in the following problems:

  • Failure of applications that rely on consistent Active Directory information to function properly
  • Logon rejections
  • Password change failures
  • Network service failures
  • Incorrect or outdated information retrieval

For more information, see How Active Directory Replication Topology Works (https://go.microsoft.com/fwlink/?LinkID=93526).

Event Details

Product: Windows Operating System
ID: 1084
Source: Microsoft-Windows-ActiveDirectory_DomainService
Version: 6.0
Symbolic Name: DIRLOG_DRA_UPDATE_FAILURE_NOT_BUSY
Message: Preferred bridgehead servers have been selected to support intersite replication with the following site using the following transport. However, none of these preferred bridgehead servers can replicate the following directory partition.

Site:%1
Transport:%2
Directory partition:%3

User Action
Using Active Directory Sites and Services, do the following:
- Configure a domain controller that can support replication of this directory partition as a preferred bridgehead server for this transport. You can do this by modifying the corresponding server.
- Verify that the corresponding Server objects have a network address for this transport. For example, domain controllers that replicate using the SMTP transport must have a mailAddress attribute. This attribute is normally configured automatically after the SMTP service is installed.

Until this is rectified, the Knowledge Consistency Checker (KCC) will consider all domain controllers in this site as possible bridgehead domain controllers for this directory partition.

Resolve

Correct the failure to update the Active Directory database

To address this issue:

  • Ensure that there is free disk space on the volume that hosts the database for Active Directory Domain Services (AD DS).
  • Ensure that access to the database, transaction files, and log files is not blocked.
  • Ensure that the database is not corrupted.
  • Compact the Active Directory database.

Ensure that there is free disk space on the volume that hosts the Active Directory database

If the volume that hosts the Active Directory database is low on free disk space, it is imperative to either create additional disk space on that volume or move the Active Directory database to a different volume. If you are not sure where the Active Directory database and log files are stored, you can use the ntdsutil command to determine their location.

To perform these procedures, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

Note: Before you stop the NTDS service, consider temporarily disabling the password protected screen saver, if it is enabled. If the password protected screen saver starts while the NTDS service is stopped, you will have to restart the computer to log in.

To determine the location of the Active Directory database and log files:

  1. On the domain controller that is reporting the issue, open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Stop the Active Directory database process: type net stop ntds, and then press ENTER.
  3. To stop dependent services, type y, and then press ENTER.
  4. At the command prompt, type ntdsutil, and then press ENTER. The ntdsutil: prompt appears.
  5. Type activate instance ntds, and then press ENTER.
  6. Type list instances, and then press ENTER. The installation folder and log folder path appear, along with other configuration details.
  7. Type quit, and then press ENTER. The command prompt appears.
  8. Start the Active Directory database process: type net start ntds, and then press ENTER.

To check the available disk space on the volume that hosts the Active Directory database:

  1. From a command prompt that you opened as administrator, type cd /d volume, and then press ENTER. For volume, substitute the actual volume label on which the Active Directory database (ntds.dit) is stored. For example, if you see that the database file is located in c:\Windows\NTDS\ntds.dit, type cd /d c:, and then press ENTER.
  2. Type dir, and then press ENTER. Note the amount of free disk space that is reported. If there is less than 100,000,000 bytes of free space reported on the partition or partitions that host the Active Directory database or log files, consider moving or removing all non-Active Directory-related files on the volume.

Note: If the Active Directory log files are on a different volume than the database, use the procedure in this section to check the free space on the volume that contains the log files.

If it is not possible to move enough files to create adequate free space on the volume, consider moving the Active Directory database to a different volume by using the ntdsutil command.

To move the Active Directory database:

  1. Stop the Active Directory database process: at a command prompt that you opened as an administrator, run the command net stop ntds.
  2. To stop dependent services, type y, and then press ENTER.
  3. Type ntdsutil, and then press ENTER.
  4. Type activate instance ntds, and then press ENTER.
  5. Type files, and then press ENTER.
  6. Type move db to path, and then press ENTER, where path is the actual file system path to the folder to which you want to move the database, for example, d:\ntds.
  7. Type move logs to path, and then press ENTER, where path is the actual file system path to the folder to which you want to move the database.
  8. Start the Active Directory database process: run the command net start ntds.

Note: You can use a similar set of commands to move the logs to a different location, except that the command to move the log files is move logs instead of move db, for example, move logs to d:\ntds.

Ensure that access to the database, transaction files, and log files is not blocked

Ensure that the antivirus software on the domain controller that is reporting the error is configured not to scan the location of the Active Directory database, transaction files, and log files. Check your antivirus software vendor's directions for configuring exclusions.

You can use Process Monitor to determine if the Active Directory database or its log files are being used by another program. You can download the Process Monitor utility from the Microsoft Web site; see Process Monitor v1.26 (https://go.microsoft.com/fwlink/?LinkId=104309). Install it according to the directions at the download location.

  1. Open Process Monitor. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. On the Filter menu, click the Filter menu option.
  3. In the Process Monitor Filter dialog box, configure the selection boxes under Display entries matching these to read Path begins with path then include, where path is the actual file system path to the folder in which the AD DS database is stored, for example c:\Windows\NTDS.
  4. Click Add. If the Active Directory log files are stored in a different folder, use the same procedure to include that folder's file system path.
  5. Click OK.

The only process that typically appears in the Process Name column as accessing the Active Directory database and its log files is Lsass.exe. If you see another process name listed, you can right-click it and then click Search Online to try to determine what the process is and how to control it. If you recognize the process as part of an application, see the application vendor documentation or support to determine how to configure the process so that it does not access the Active Directory database and log files.
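
The same check can be run over a saved trace instead of the live view. The PowerShell below is an added example, not part of the original article: it reads a Process Monitor CSV export and reports every process other than Lsass.exe that touched the database folder. It assumes the default Process Monitor column set; the function name Get-UnexpectedNtdsAccess, the sample rows and scanner.exe are constructed for illustration.

```powershell
# Added example: summarize a Process Monitor CSV export (File > Save > CSV)
# and list every process other than Lsass.exe that touched the NTDS folder.
# The rows below are constructed sample data; scanner.exe is hypothetical.
$export = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1000000 AM","lsass.exe","612","WriteFile","C:\Windows\NTDS\ntds.dit","SUCCESS","Offset: 8,192, Length: 8,192"
"10:02:11.2000000 AM","lsass.exe","612","WriteFile","C:\Windows\NTDS\edb.log","SUCCESS","Offset: 0, Length: 4,096"
"10:02:12.3000000 AM","scanner.exe","2044","CreateFile","C:\Windows\NTDS\ntds.dit","SHARING VIOLATION","Desired Access: Generic Read"
"10:02:12.9000000 AM","scanner.exe","2044","QueryDirectory","C:\Windows\NTDS","SUCCESS","Filter: *.log"
"10:02:13.0000000 AM","scanner.exe","2044","CreateFile","C:\Windows\NTDSold\notes.txt","SUCCESS","Desired Access: Generic Read"
'@ -split "`r?`n"

function Get-UnexpectedNtdsAccess {
    param(
        [string[]]$CsvLines,
        # Database folder, plus the log folder if it is stored elsewhere
        [string[]]$Folder = @('c:\Windows\NTDS'),
        [string[]]$ExpectedProcess = @('lsass.exe')
    )
    $folders = $Folder | ForEach-Object { $_.TrimEnd('\') }
    $CsvLines | ConvertFrom-Csv |
        Where-Object {
            $row  = $_
            $path = [string]$row.Path
            # Match the folder itself or anything beneath it, but not a
            # sibling such as C:\Windows\NTDSold (a plain "begins with" would)
            $inScope = $folders | Where-Object {
                $path -ieq $_ -or
                $path.StartsWith($_ + '\', [StringComparison]::OrdinalIgnoreCase)
            }
            $inScope -and ($ExpectedProcess -notcontains $row.'Process Name')
        } |
        Group-Object 'Process Name' |
        ForEach-Object {
            [pscustomobject]@{
                Process    = $_.Name
                Events     = $_.Count
                Operations = ($_.Group | ForEach-Object { $_.Operation } | Sort-Object -Unique) -join ', '
                Results    = ($_.Group | ForEach-Object { $_.Result } | Sort-Object -Unique) -join ', '
            }
        }
}

Get-UnexpectedNtdsAccess -CsvLines $export | Format-Table -AutoSize
```

For a real trace, pass the export with -CsvLines (Get-Content path-to-export.csv) and add the log folder to -Folder if it differs from the database folder.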

Check the integrity of the Active Directory database

To verify that the Active Directory database is not corrupted, you can use the Semantic database analysis option in the Ntdsutil tool.

To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To check the integrity of the Active Directory database:

  1. Open a command prompt as an administrator.
  2. Stop the Active Directory database process: type net stop ntds, and then press ENTER.
  3. To stop dependent services, type y, and then press ENTER.
  4. Type ntdsutil, and then press ENTER.
  5. Type activate instance ntds, and then press ENTER.
  6. Type semantic database analysis, and then press ENTER.
  7. Type go, and then press ENTER. If the semantic database analysis reports errors, type go fixup, and then press ENTER.
  8. Type quit, and then press ENTER twice. The command prompt appears.
  9. Type net start ntds, and then press ENTER.

Compact the Active Directory database

Compacting the Active Directory database reduces the file size of the database by removing empty data structures. Compacting the database may also resolve some data inconsistencies.

Note: To compact the Active Directory database, you must have enough free disk space to approximately double the size of the existing database. If you do not have that much room on the existing partition on which AD DS is stored, compact the database to another volume where enough space is available.

To perform these procedures, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To compact the Active Directory database:

  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. At the command prompt, type net stop ntds, and then press ENTER.
  3. At the command prompt, type ntdsutil, and then press ENTER.
  4. At the command prompt, type Activate Instance NTDS, and then press ENTER.
  5. At the command prompt, type files, and then press ENTER.
  6. At the command prompt, type compact to folderLocation, and then press ENTER. For folderLocation, substitute a folder location to which you want to create the compacted database. For example, if you want to compact the database to a folder named Data on the c: drive, type compact to c:\data, and then press ENTER.
  7. When the compaction is complete, the command output gives directions about how to copy the compacted database over the existing database. To exit Ntdsutil, type quit, and then press ENTER twice.
  8. If you have enough disk space, you can save a copy of the existing database (Ntds.dit). For example, if the existing database is c:\windows\ntds\ntds.dit and the compacted database is c:\data\ntds.dit, rename the existing database to ntds.old by typing the following at a command prompt: move c:\windows\ntds\ntds.dit ntds.old, and then pressing ENTER. If there is not enough space on a single volume to hold two copies of the database, type a path to a volume or shared network resource that has enough space. For example, type move c:\windows\ntds\ntds.dit f:\backup\ntds.old, and then press ENTER.
  9. Next, move the compacted database to the location of the previous database. Continuing with the previous example, type move c:\data\ntds.dit c:\windows\ntds\ntds.dit, and then press ENTER.
  10. Delete the log files, as indicated after the compaction routine completes. For example, if your Ntds.dit database is in the c:\windows\ntds folder, type del c:\windows\ntds\*.log, and then press ENTER.
  11. Type net start ntds, and then press ENTER. This command clears the Safe Mode boot option, which causes the domain controller to start in normal mode.

When you confirm that the domain controller is functioning properly, you can delete the renamed database. For example, if the Ntds.old database is located in the c:\Windows\NTDS folder, open a command prompt, type del c:\Windows\NTDS\ntds.old, and then press ENTER to delete the old renamed database. If the domain controller does not function normally when you start the NTDS service, you can stop the NTDS service and replace the Ntds.dit database with the Ntds.old database. For example, you can type move f:\backup\ntds.old c:\windows\ntds\ntds.dit, and then press ENTER. If compacting the database does not resolve the error condition, you may have to restore the database from backup media.

Note: If you disabled the password protected screen saver, you can enable it when the NTDS service is running.

If you are still unable to resolve the error, try the other potential solutions that are described in article 837932 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=104312).

Verify

Perform the following tasks using the domain controller from which you want to verify that Active Directory replication is functioning properly.

To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To verify that Active Directory replication is functioning properly:

  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Run the command repadmin /showrepl. This command displays the status reports on all replication links for the domain controller. Active Directory replication is functioning properly on this domain controller if all status messages report that the last replication attempt was successful.

If there are any indications of failure or error in the status report following the last replication attempt, Active Directory replication on the domain controller is not functioning properly. If the repadmin command reports that replication was delayed for a normal reason, wait and try repadmin again in a few minutes.
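
To apply this check without reading each status block by eye, the report can be parsed from its CSV form (repadmin /showrepl /csv, an option this article does not mention). The PowerShell below is an added example, not part of the original article; the function name Get-FailedReplicationLink, the sample rows, and the domain controller and domain names in them are constructed.

```powershell
# Added example: list replication links whose last attempt did not succeed.
# $report holds constructed sample rows in the layout of
# "repadmin /showrepl /csv"; DC01, DC02, DC03 and example.test are made up.
# On a domain controller use:  $report = repadmin /showrepl /csv
$report = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,SiteA,DC01,"DC=example,DC=test",SiteB,DC02,RPC,0,0,2024-01-10 09:15:02,0
showrepl_INFO,SiteA,DC01,"CN=Configuration,DC=example,DC=test",SiteB,DC02,RPC,7,2024-01-10 09:15:03,2024-01-09 21:00:41,1722
showrepl_INFO,SiteA,DC01,"CN=Schema,CN=Configuration,DC=example,DC=test",SiteB,DC03,RPC,0,0,2024-01-10 09:15:04,0
'@ -split "`r?`n"

function Get-FailedReplicationLink {
    param([string[]]$CsvLines, [datetime]$Now = (Get-Date))
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        # A link counts as healthy only if it is a normal status row with a
        # failure count that parses to 0; anything else is reported.
        $failures = 0
        $isInfo   = $row.showrepl_COLUMNS -eq 'showrepl_INFO'
        $counted  = [int]::TryParse($row.'Number of Failures', [ref]$failures)
        if ($isInfo -and $counted -and $failures -eq 0) { continue }

        # Timestamp layout is an assumption about repadmin's CSV output;
        # a value that does not parse leaves HoursSinceSuccess empty.
        $lastOk = [datetime]::MinValue
        $hours  = $null
        if ([datetime]::TryParseExact($row.'Last Success Time', 'yyyy-MM-dd HH:mm:ss',
                [Globalization.CultureInfo]::InvariantCulture,
                [Globalization.DateTimeStyles]::None, [ref]$lastOk)) {
            $hours = [math]::Round(($Now - $lastOk).TotalHours, 1)
        }
        [pscustomobject]@{
            RowType           = $row.showrepl_COLUMNS
            SourceDsa         = $row.'Source DSA'
            NamingContext     = $row.'Naming Context'
            Failures          = $row.'Number of Failures'
            LastFailureStatus = $row.'Last Failure Status'
            HoursSinceSuccess = $hours
        }
    }
}

Get-FailedReplicationLink -CsvLines $report | Format-Table -AutoSize
```

An empty result means every link reported a successful last attempt, which is the condition this section describes as replication functioning properly.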
