Error message when you add a group as a member of another group from a different domain in Windows Server 2003 Active Directory: "Directory Service is too busy"

Consider the following scenario:

• In the Windows Server 2003 Active Directory directory service, you create a container object, and then you rename this container object. For example, you create a "Test1" object of the "container" type, and then you rename it as "Test2."
• You create another container object by using a different object type and by using the name of the first container object. For example, you create another container object of the "organizationalUnit" type, and you name it "Test1."
• You create a group in the new Test1 container object. You add this new group as a member of another group from a different domain.

In this scenario, the attempt to add this new group as a member of another group fails, and you receive the following error message:Additionally, Active Directory replication fails. When Active Directory begins to replicate, the following events are logged in the Directory Service log.

Event ID 1084

Type: Error
Source: NTDS Replication
Category: Replication
Event ID: 1084
Description:
DN_name The object requested was not found, but an object with that key was found. 8527

Event ID 2108

Type: Error
Source: NTDS Replication
Event ID: 2108
Category: Internal Configuration
Computer: DomainControllerName
Description:
This event contains REPAIR PROCEDURES for the 1084 event which has previously been logged. This message indicates a specific issue with the consistency of the Active Directory database on this replication destination. A database error occurred while applying replicated changes to the following object. The database had unexpected contents, preventing the change from being made.

Object: DN Object GUID: GUID1 Source domain controller: GUID2._msdcs.forest
User Action Please consult KB article 837932, http://support.microsoft.com/?id=837932.
A subset of its repair procedures are listed here.

Additional Data
Primary Error value: 8527 The object requested was not found, but an object with that key was found. Secondary Error value: -1605 JET_errKeyDuplicate, Illegal duplicate key

When the parent object of an object changes from one type to another, the relative distinguished name (also known as RDN) type also changes. However, in the scenario that is described in the "Symptoms" section, a conflict occurs over the relative distinguished name type. This conflict persists even while the group membership of the child object is updated. Therefore, the membership update process fails.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must have the following prerequisites installed:

• Active Directory
• Windows Server 2003 Service Pack 1 or Windows Server 2003 Service Pack 2
  
  For more information, click the following article number to view the article in the Microsoft Knowledge Base:
  889100 How to obtain the latest service pack for Windows Server 2003

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Server 2003 with Service Pack 1, x86-based versions

Windows Server 2003 with Service Pack 2, x86-based versions

Windows Server 2003 with Service Pack 1, Itanium-based versions

Windows Server 2003 with Service Pack 2, Itanium-based versions

Windows Server 2003 with Service Pack 1, x64-based versions

Windows Server 2003 with Service Pack 2, x64-based versions

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Active Directory uses phantoms to provide a reference to objects even when the objects are not instantiated in the database. For more information, visit the following Microsoft Web site:Note See the "Infrastructure Master and Phantom Records" section.

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base: