You may receive a "The directory datatype cannot be converted to / from a native DS datatype" error message in Windows Server 2003 or in Windows 2000 Server (907462)



The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

SYMPTOMS

You are running or managing applications that use information from the Active Directory directory service in Microsoft Windows Server 2003 or in Microsoft Windows 2000 Server. You may receive errors when the applications use information for linked attributes. For example, you may receive the following error:
The directory datatype cannot be converted to / from a native DS datatype.
In this case, when you dump the affected object by using the LDIFDE utility (Ldifde.exe), an attribute is listed. However, the attribute has no value.

The next line in the output has the next attribute. For a group and its managedBy attribute, the output may look similar to the following:

...
showInAddressBook: <Address Book object DN>
managedBy:
legacyExchangeDN: <X500 name>
groupType: -2147483640
...
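
A check for the symptom above, added here as an example that is not part of the original article: this Python script parses an Ldifde.exe export offline and reports every attribute that is listed with no value, treating folded continuation lines as part of the value. The sample export and its DNs are constructed, and the function names are hypothetical.

```python
import base64

# Constructed sample modelled on the article's output; all DNs are placeholders.
SAMPLE_LDIF = """\
dn: CN=Sales Team,OU=Groups,DC=example,DC=com
objectClass: group
managedBy:
groupType: -2147483640

dn: CN=Engineering,OU=Groups,DC=example,DC=com
managedBy: CN=Very Long Manager Name,OU=Users,
 DC=example,DC=com
groupType: -2147483640
"""


def unfold(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def find_empty_attributes(text):
    """Return (dn, attribute) pairs for attributes exported with no value."""
    findings, dn = [], None
    for line in unfold(text):
        if not line.strip():
            dn = None  # a blank line ends the current entry
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, rest = line.partition(":")
        is_b64 = rest.startswith(":")  # "attr:: <base64>" form
        value = rest[1:].strip() if is_b64 else rest.strip()
        if attr.lower() == "dn":
            dn = base64.b64decode(value).decode("utf-8") if is_b64 else value
        elif dn is not None and value == "":
            findings.append((dn, attr))
    return findings


if __name__ == "__main__":
    for dn, attr in find_empty_attributes(SAMPLE_LDIF):
        print(f"{dn}: {attr} has no value")
```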

CAUSE

An application can add an object link that refers to the internal root object of the Active Directory database in the following operating systems:
  • Windows Server 2003 without Service Pack 1
  • Windows 2000 Server
  • Windows 2000 Server with all service packs
This object does not have a name or any other properties that are usable for applications. Therefore, the client applications display error messages that do not indicate the cause of a problem.

RESOLUTION

If you use domain controllers that are running Windows Server 2003 with Service Pack 1, the problem does not occur.

You cannot solve the problem by deleting the attribute. If you remove the attribute, the following error will be logged in the Application event log:
Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1694
Description:
Active Directory could not update the following object with an attribute value change received from the following source domain controller. This is because an error occurred during the application of the changes to Active Directory on the local domain controller.

Object:
<group DN>
Object GUID:
<GUID>
Source domain controller:
<GUID-based DC name>
Attribute:
managedBy:
Attribute value:
[]
Attribute value GUID:
00000000-0000-0000-0000-000000000000
Present:
0

This operation will be tried again at the next scheduled replication. The synchronization of the local domain controller with the source domain controller is blocked until the update problem is corrected.

Additional Data
Error value:
The replication system encountered an internal error.

If this error is logged, the object is in a broken state. To achieve the original state or to delete the object, you can only run an authoritative restore on the object. To repair objects that exhibit this behavior, we recommend that you delete and rebuild the object by using the LDIFDE utility.

Caution: All back-links are removed when you delete an object.

If you have to keep certain attributes that you cannot set the value on, such as the objectSid attribute or the SidHistory attribute, delete and then undelete the object. (Windows Server 2003 Service Pack 1 retains the SidHistory attribute when you delete an object.) When you delete and undelete an object, you do not have to run a semantic checker.

However, no tools currently exist to recover the attributes and the back-links. To restore group memberships, you can use the Groupadd.exe tool. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

840001 How to restore deleted user accounts and their group memberships in Active Directory


If you use the Microsoft Provisioning System, you can use the system to recover the attributes and the back-links.

Some backup and recovery applications may offer a more convenient way of removing these problematic attributes. The application must let you select attributes during a restore operation. For example, an application must let you exclude the managedBy attribute when you restore a deleted object.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Microsoft Windows Server 2003 Service Pack 1.

Modification Type: Minor
Last Reviewed: 11/15/2005
Keywords:kbtshoot kbprb KB907462 kbAudITPRO