Need help resolving replication errors following promotion of new DCs

Keith B. Martin 20 Reputation points
2026-02-11T13:56:06.93+00:00

We recently promoted four new domain controllers built on Windows Server 2022 in our QA environment. Prior to promotion, the domain was healthy with no replication issues or other problems. Following promotion, the FSMO roles were moved to the new DCs.

Since then, two of the legacy Domain Controllers running on Server 2019 began reporting errors in replication on a pair of user objects. Directory Service event viewer logs show multiple instances of Events 1084, 1092, 1093 for the same objects. What I find confusing is that the error ("Maximum size of an object exceeded") and the event viewer logs point to a schema extension ("eduPersonAssurance") that is a simple multi-valued string with only a few values in it. Attempts to delete the offending objects or the attribute in question fail. I suspect an issue with the schema itself or with schema replication but I am not sure how to troubleshoot that. Any suggestions are appreciated.

repadmin output:

On-Premise\PUQA14R0HJ via RPC

    DSA object GUID: 3092db37-ab4c-42ae-8637-fdc446e32a37

    Last attempt @ 2026-02-11 08:46:25 failed, result 8304 (0x2070):

        The maximum size of an object has been exceeded.

    9264 consecutive failure(s).

    Last success @ 2026-02-05 12:41:43.

DsReplicaGetInfo() failed with status 8453 (0x2105):

Replication access was denied.

Event viewer details:

Active Directory Domain Services could not update the following object with attribute changes because the incoming change caused the object to exceed the maximum object record size. The incoming change to the following attribute will be reversed in an attempt to complete the update.

Object:

CN=tigertv,OU=Retiree,OU=People,DC=zeta,DC=adtest,DC=princeton,DC=edu

Object GUID:

aeaf0414-0e6e-4844-a838-f63948261ccc

Attribute:

9d82278d (eduPersonAssurance)

Windows for business | Windows Server | Directory services | Active Directory

Answer accepted by question author
  1. Jason Nguyen Tran 12,250 Reputation points Independent Advisor
    2026-02-11T14:46:27.6166667+00:00

    Hi Keith B. Martin,

    As far as I know, the error you are encountering (“Maximum size of an object exceeded”) typically indicates that one or more attributes on the affected objects have grown beyond the supported limit in Active Directory. In your case, the eduPersonAssurance attribute appears to be the trigger.

    Even though the attribute is defined as a multi-valued string with only a few values, schema mismatches or improper replication of the schema extension can cause AD to misinterpret the object size. This often happens when new DCs are introduced and FSMO roles are moved before schema replication has fully converged.

    To troubleshoot, I recommend the following steps:

    1. Verify schema consistency across all domain controllers using repadmin /showattr * <schemaDN> -attschema.
    2. Run repadmin /showobjmeta against the problematic objects to confirm which DCs hold differing metadata.
    3. Check if the schema extension for eduPersonAssurance was applied correctly on all DCs. If not, reapply or synchronize the schema update.
    4. Consider moving FSMO roles temporarily back to a stable DC until replication converges.
    5. If the attribute itself is corrupted, you may need to clear and regenerate it using ADSI Edit or PowerShell, but only after confirming schema consistency.

    In some cases, forcing a full synchronization (repadmin /syncall /APeD) after schema correction resolves the issue. If replication access errors persist, confirm that the new DCs have proper permissions and that secure channel trust is intact.

    You can try and feel free to reply if you need further information.

    If you find this answer helpful, please consider clicking Accept Answer so I know your issue has been resolved.

    Jason.


Answer recommended by moderator
  1. Keith B. Martin 20 Reputation points
    2026-02-11T19:00:39.1+00:00

    The answer ultimately came down to excessive values in a completely different attribute than the one identified in the Event Viewer entries. Once that was resolved, replication returned to normal. We found it more or less via a combination of luck and some deep institutional knowledge on the part of another member of my team.

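The resolution above was an oversized attribute other than the one named in the event. As an added example (not code from either poster), the PowerShell below ranks every attribute of the affected object by value count and approximate size on each DC, so the largest one stands out regardless of which attribute the event reports. It assumes the ActiveDirectory module is installed; the function name and the DC host names are hypothetical placeholders, and the DN is the one quoted in the event text.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-AttributeFootprint {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $ObjectDn,
        [Parameter(Mandatory)] [string] $Server
    )
    # Read every attribute of the object from one specific DC.
    $obj = Get-ADObject -Identity $ObjectDn -Server $Server -Properties *
    foreach ($name in $obj.PropertyNames) {
        $raw = $obj.$name
        if ($null -eq $raw) { continue }
        $count = 0
        $bytes = 0
        if ($raw -is [byte[]]) {
            # Single binary value: count it once, not once per byte.
            $count = 1
            $bytes = $raw.Length
        } else {
            foreach ($v in @($raw)) {
                $count++
                if ($v -is [byte[]]) { $bytes += $v.Length }
                else { $bytes += [Text.Encoding]::Unicode.GetByteCount([string]$v) }
            }
        }
        [pscustomobject]@{
            Server      = $Server
            Attribute   = $name
            Values      = $count
            ApproxBytes = $bytes   # rough ranking aid, not the database record size
        }
    }
}

# DN taken from the event text; DC names are placeholders for a source and a failing DC.
$ObjectDn = 'CN=tigertv,OU=Retiree,OU=People,DC=zeta,DC=adtest,DC=princeton,DC=edu'
$DomainControllers = 'dc-source.example.test', 'dc-failing.example.test'

foreach ($dc in $DomainControllers) {
    Get-AttributeFootprint -ObjectDn $ObjectDn -Server $dc |
        Sort-Object ApproxBytes -Descending |
        Select-Object -First 10 |
        Format-Table -AutoSize
}
```

Comparing the top rows between a DC that replicates successfully and one reporting error 8304 shows which attribute differs in value count between the two copies of the object.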
