Forum Discussion

La_Voz_de_Galicia's avatar
La_Voz_de_Galicia
Copper Contributor
May 02, 2023

Problems in Dynamic DNS updates (00002002E: SvcErr: DSID-02080781 , problem 5001 (BUSY), data -1102)

Hi all

Randomly, in our AD W2K12 Server DCs, we are having a problem of not processing Dynamic DNS updates of RRs A and PTR. Tracing the network traffic, we have discovered that LDAP modify requests to the DC's local LDAP daemon/service, during the time interval in which dynamic updates are not processed, get the following error:
00002002E: SvcErr: DSID-02080781 , problem 5001 (BUSY), data -1102

The event ID 4016 appears in the event viewer with a text that refers to the DN of the RR A or PTR that cannot be written by LDAP, for example:

The DNS server timed out attempting an Active Directory service operation on DC=221.128.127,DC=10.in-addr.arpa,cn=MicrosoftDNS,cn=System,DC=corporation,DC=lavoz,DC=es. Check Active Directory to see that it is working properly.The event data contains the error.

Do you have any idea of the reason for the error and a possible solution?

Thank you so much

  • The error caught in the network trace with wireshark

    00002002E: SvcErr: DSID-02080781 , problem 5001 (BUSY), data -1102

    was only obtained minutes before the problem of not processing LDAP modify requests resolved itself.

    I wanted to make sure that same error occurred during the entire interval in which LDAP modify requests were not progressing

    I used two ways to try to confirm it:

     

    • I tried to decrypt all local GSS-API SASL encrypted/sealed LDAP PDUs. My idea was to create a kerberos keytab file with the kerberos shared secrets of all security principals of the AD domain but i´m having problems when i try to export the AD DB with esedbexport utility (https://github.com/libyal/libesedb/wiki/Building)
    • I tried to trace the LDAP modify_request  and modify_responses sent by the dns.exe process ("DNS Server" NT service) using the procedure documented here (https://learn.microsoft.com/es-es/previous-versions/windows/desktop/ldap/ldap-and-etw?redirectedfrom=MSDN). Bad news  are that the ldap_modify responses are not traced when the process that sends them is dns.exe. For example, for an ldapadmin.exe LDAP client, doing the trace with the following flags:

    D:\ldapadmin>tracelog.exe -start ldapadmin -guid #099614a5-5dd7-4788-8bc9-e29f43db28fc -f D:\ldapadmin.etl -flag 0x00000402

    both (request and response) are captured:

    ldap_modify called for connection 0x22d05f0: DN is CN=XXXX,OU=Usuarios,OU=Sabon,DC=corporacion,DC=lavoz,DC=es. Synchronous is 0x1.
    ldap_modify returned 0x0 for connection 0x22d05f0: DN was 'CN=XXXX,OU=Usuarios,OU=Sabon,DC=corporacion,DC=lavoz,DC=es'.

    but for dns.exe only the request (ldap_modify called for connection..) is captured

    Despite the fact that, due to what was explained above, I cannot confirm it 100%, I believe that the error 00002002E: SvcErr: DSID-02080781 , problem 5001 (BUSY), data -1102

    is the only one that occurs at the time of the problem

    Do you have any idea of the reason for the error and a possible solution?

    Thank you so much

     

     

Resources