Event ID 1983 — Application Directory Partition Default Security
Applies To: Windows Server 2008
When you create a new application directory partition, a new security descriptor is calculated and assigned to the application directory partition object.
Event Details
Product: | Windows Operating System |
ID: | 1983 |
Source: | Microsoft-Windows-ActiveDirectory_DomainService |
Version: | 6.0 |
Symbolic Name: | DIRLOG_SCHEMA_CLASS_EDC_ACE_CREATE_FAILURE |
Message: | AD_TERM failed to create an access control entry (ACE) for the Enterprise Domain Controllers group or the Enterprise Read-only Domain Controllers group on a newly created application directory partition. Application directory partition: %3 User Action Review the access control list (ACL) on the newly created application directory partition. Ensure the Replication Get Changes All access right is assigned to both the Enterprise Domain Controllers group and the Enterprise Read-only Domain Controllers group, and remove the right from the domain Domain Controllers group. |
Resolve
Ensure that the ACL on the application directory partition is configured properly
To resolve this issue, ensure that the access control list (ACL) has the appropriate access control entries (ACEs) on the application directory partition that is referred to in the Event Viewer event text. Perform the following procedure on a domain member computer that has domain administrative tools installed.
To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.
To ensure that the ACL on the application directory partition is correct:
- Open ADSI Edit. To open ADSI Edit, click Start. In Start Search, type ADSIEdit.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Right-click ADSI Edit, and then click Connect to.
- In Connection Point, click Select or type a Distinguished Name or Naming Context. Type a properly formatted Lightweight Directory Access Protocol (LDAP) path to the application directory partition that is referred to in the event text, for example, dc=App,dc=contoso,dc=com.
- If you are not already connected to the server and domain that you want to manage, type the appropriate domain and server names under Computer.
- Click OK.
- In the console tree, expand the Default naming context object to which you connected in the previous steps.
- Right-click the application directory partition that is identified in the event text, and then click Properties.
- Click Security.
- In Group or user names, select the ENTERPRISE DOMAIN CONTROLLERS group, and ensure that the Allow check box is selected for the following permission entries: Replicating Directory Changes, Replicating Directory Changes All, Replicating Directory Changes In, and Replication synchronization.
- In Group or user names, select the Enterprise Read-only Domain Controllers group, and ensure that the Allow check box is selected for the permission entry Replicating directory changes.
- If the Domain Controllers group appears in Group or user names, select it, and ensure that the Allow check box is cleared (not selected) for the permission entry Replicating directory changes.
- Click OK.
- Close ADSI Edit.
Note: In ADSI Edit, the permission "Replicating Directory Changes All"** **may be missing the final letter in the word "All." The permission Replicating Directory Changes In, should be Replicating Directory Changes In Filtered Set, as it is shown correctly in other interfaces.
Verify
After you create an application directory partition, check Event Viewer for the following Event IDs: 1979, 1980, 1981, 1982, and 1983. If you find these events after you create an application directory partition, the attempt to create the partition failed. For more information about extending the schema properly, see Security Descriptor String Format (https://go.microsoft.com/fwlink/?LinkId=96260).
To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.
To verify the creation of an application directory partition by using Event Viewer:
- Open Event Viewer. To open Event Viewer, click Start. In Start Search, type eventvwr.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Expand Applications and Services Logs, and then click Directory Service.
- Click Find, type 1979, and then click Find Now.
- Click Find Next to search for additional events as necessary.
- Repeat steps 2 through 4 to search for Event IDs 1980, 1981, 1982, and 1983.