On the Active Roles Administration Service host, the following errors are noted in the Active Roles Admin Service Event Viewer logs:
Log Name: ARAdminService
Source: ARAdminSvc
Date: 4/2/2025 10:51:34 PM
Event ID: 2000
Task Category: Policy
Level: Error
Keywords: Classic
User: lab\svc-ar
Computer: labapp2.lab.local
Description:
Post-processing operation on object caused a policy violation.
Policy: SaveOperation
Object: CN=Group-1,OU=Dynamic Groups,DC=lab,DC=local
Details: Administrative Policy returned an error. Administration Service encountered an error when searching the container object 'DC=lab,DC=local'.
and/or the following error:
Log Name: ARAdminService
Source: ARAdminSvc
Date: 4/2/2025 11:23:18 PM
Event ID: 2530
Task Category: DynamicGroups
Level: Error
Keywords: Classic
User: lab\svc-ar
Computer: labapp2.lab.local
Description:
There was an error while updating Dynamic Groups.
Error: Unable to query updated members of CN=Group-1,OU=Dynamic Groups,DC=lab,DC=local. Value does not fall within the expected range.
Additionally, the following Information event is logged on the Active Directory Domain Controller that serves the requests of this Active Roles Administration Service:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 4/3/2025 12:05:22 AM
Event ID: 2899
Task Category: LDAP Interface
Level: Information
Keywords: Classic
User: lab\svc-ar
Computer: labdc1.lab.local
Description:
Internal event: The LDAP server page token cache size has exceeded the maximum limit. Each page token in this cache corresponds to an ongoing LDAP page search. The oldest page token will be discarded and the corresponding LDAP paged search will not be able to continue.
Number of result sets currently stored:
7
Current Result Set Size:
3c540
Maximum Result Set Size:
40000
Size of single Result Set being discarded:
42192
User Action
Increasing the Maximum Result Set Size will allow LDAP server to expand the page token cache. Please refer to this web page for more inforamtion: http://go.microsoft.com/fwlink/?LinkId=389591
In environments with a large number of Dynamic Groups (hundreds of groups), or with very large Dynamic Group memberships (hundreds of thousands of members), so many group membership operations can be queued at the same time that the Active Directory LDAP Policy defaults are exceeded.
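The four sizes in Event ID 2899 are printed in hexadecimal, so the margin between the cache and its limit is easy to misread. The following PowerShell, added here as an example and not part of the One Identity article or of Active Roles, decodes those values from the event message, flags the case where a single discarded result set is already larger than the whole cache limit (in which case only raising the limit helps), and applies the same decoding to recent 2899 events read from a Domain Controller's Directory Service log. The function name is this example's own; the sample message is constructed from the values shown above so the decoding can be checked offline.

```powershell
# Added example (not from the One Identity article or Active Roles): decode the
# hexadecimal sizes in Directory Service Event ID 2899 and show how each event
# relates to the configured MaxResultSetSize. Function name is this example's own.
# Run on a Domain Controller as a user who can read the Directory Service log.

function ConvertFrom-PageTokenEventMessage {
    param([Parameter(Mandatory)][string]$Message)

    # The four numeric fields in the 2899 message body are hexadecimal byte counts.
    $fields = [ordered]@{
        StoredSets   = 'Number of result sets currently stored:\s*([0-9A-Fa-f]+)'
        CurrentBytes = 'Current Result Set Size:\s*([0-9A-Fa-f]+)'
        MaxBytes     = 'Maximum Result Set Size:\s*([0-9A-Fa-f]+)'
        DiscardBytes = 'Size of single Result Set being discarded:\s*([0-9A-Fa-f]+)'
    }
    $decoded = [ordered]@{}
    foreach ($name in $fields.Keys) {
        $decoded[$name] = if ($Message -match $fields[$name]) { [Convert]::ToInt64($Matches[1], 16) } else { $null }
    }
    # Bytes still free in the cache when the event fired.
    $decoded['HeadroomBytes'] = $decoded.MaxBytes - $decoded.CurrentBytes
    # If one discarded result set is larger than the entire maximum, the cache can
    # never hold that paged search, regardless of how many other searches finish.
    $decoded['SingleSetExceedsMax'] = $decoded.DiscardBytes -gt $decoded.MaxBytes
    [pscustomobject]$decoded
}

# Constructed sample: the message body from the event shown above.
$sample = @"
Internal event: The LDAP server page token cache size has exceeded the maximum limit.
Number of result sets currently stored:
7
Current Result Set Size:
3c540
Maximum Result Set Size:
40000
Size of single Result Set being discarded:
42192
"@
ConvertFrom-PageTokenEventMessage -Message $sample | Format-List

# Live: decode the most recent 2899 events from this DC's Directory Service log.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2899 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-PageTokenEventMessage -Message $_.Message
        [pscustomobject]@{
            TimeCreated         = $_.TimeCreated
            StoredSets          = $d.StoredSets
            CurrentKB           = [math]::Round($d.CurrentBytes / 1KB, 1)
            MaxKB               = [math]::Round($d.MaxBytes / 1KB, 1)
            DiscardKB           = [math]::Round($d.DiscardBytes / 1KB, 1)
            SingleSetExceedsMax = $d.SingleSetExceedsMax
        }
    } | Format-Table -AutoSize
```

For the sample above, 40000 hex decodes to 262,144 bytes and 42192 hex to 270,738 bytes, so the discarded result set on its own is larger than the configured maximum; that is the pattern that points directly at the MaxResultSetSize limit rather than at transient load.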
Event ID 2899, shown in the description above, includes the following link to a Microsoft resource:
http://go.microsoft.com/fwlink/?LinkId=389591
This resource clearly states:
<quote>
When you see events 2899 logged on your domain controllers[...]. If your DC/LDAP server runs on a machine with sufficient memory (several GBs of free memory), we recommend you set the MaxResultsetSize on the LDAP server to >=250MB. This limit is large enough to accommodate large volumes of LDAP page searches even on very large directories.
</quote>
NOTE: The default MaxResultSetSize value is 250KB.
When Event ID 2899 is logged on an Active Directory Domain Controller used by Active Roles Dynamic Group operations, increase MaxResultSetSize in the LDAP Policy that applies to that Domain Controller.
The default LDAP Policy can be changed without a Domain Controller restart. If a custom LDAP Policy is assigned, this will require a Domain Controller restart.
For more information on increasing the MaxResultSetSize or creating a custom LDAP Policy, consult Microsoft resources or contact Microsoft for assistance.
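One way to carry out the change described above from PowerShell, added here as an example and not part of the One Identity article or of Active Roles: it reads the current MaxResultSetSize from the Default Query Policy's lDAPAdminLimits attribute, replaces it, reads it back, and lists which query policy each Domain Controller actually uses, so you know whether the default policy (no restart) or a custom one (restart required) is in play. It assumes the ActiveDirectory module, rights to modify the Configuration partition, and a Domain Controller with the memory headroom the Microsoft page asks for; the function names are this example's own.

```powershell
# Added example (not from the One Identity article or Active Roles): inspect and
# raise MaxResultSetSize on the Default Query Policy via lDAPAdminLimits, then
# read it back. Requires the ActiveDirectory module and rights to modify the
# Configuration partition. Values are bytes; 262144000 is 250 MB, the size the
# Microsoft page quoted above recommends. Function names are this example's own.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$policyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

function Get-LdapAdminLimit {
    param([Parameter(Mandatory)][string]$PolicyDN, [Parameter(Mandatory)][string]$Name)
    # lDAPAdminLimits is multi-valued; each value has the form "Name=Value".
    $policy = Get-ADObject -Identity $PolicyDN -Properties lDAPAdminLimits
    $policy.lDAPAdminLimits | Where-Object { $_ -like "$Name=*" }
}

function Set-LdapAdminLimit {
    param(
        [Parameter(Mandatory)][string]$PolicyDN,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int64]$Value
    )
    $old = @(Get-LdapAdminLimit -PolicyDN $PolicyDN -Name $Name)
    # Remove the existing "Name=..." entry before adding the new one so the policy
    # never carries two conflicting values for the same limit.
    if ($old.Count -gt 0) { Set-ADObject -Identity $PolicyDN -Remove @{ lDAPAdminLimits = $old } }
    Set-ADObject -Identity $PolicyDN -Add @{ lDAPAdminLimits = "$Name=$Value" }
}

'Current value:'
Get-LdapAdminLimit -PolicyDN $policyDN -Name 'MaxResultSetSize'

# Apply the change. Uncomment once the DC has the free memory the Microsoft page
# calls for; the Default Query Policy lives in the Configuration partition and
# therefore replicates to every DC that uses the default policy.
# Set-LdapAdminLimit -PolicyDN $policyDN -Name 'MaxResultSetSize' -Value 262144000

'Value after change:'
Get-LdapAdminLimit -PolicyDN $policyDN -Name 'MaxResultSetSize'

# Which policy each DC actually uses: a populated queryPolicyObject on the DC's
# NTDS Settings object means a custom LDAP policy is assigned to that DC.
Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase "CN=Sites,$configNC" -Properties queryPolicyObject |
    Select-Object DistinguishedName, queryPolicyObject
```

The same change can be made interactively with ntdsutil ("LDAP policies", connect to the server, "Set MaxResultSetSize to 262144000", "Commit Changes"); the attribute edit above does the same thing but leaves the before/after values in your session transcript for change records. Re-run the Get-LdapAdminLimit call on another Domain Controller afterwards to confirm the new value has replicated before judging whether Event ID 2899 stops recurring.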
Enhancement request ID 476498 has been created to optimize Active Roles functionality as far as possible so that Active Directory defaults are not exceeded. Even so, if an environment grows large and busy enough, the Active Directory default limits will eventually be exceeded and will need to be increased.