Event ID 1980 — Application Directory Partition Default Security

Applies To: Windows Server 2008 R2

When you create a new application directory partition, a new security descriptor is calculated and assigned to the application directory partition object.

Event Details

Product: Windows Operating System
ID: 1980
Source: Microsoft-Windows-ActiveDirectory_DomainService
Version: 6.0
Symbolic Name: DIRLOG_SCHEMA_CLASS_DEFAULT_SD_MISSING
Message: The default access control list (ACL) on the following Domain-DNS object class has been previously removed.

All subsequently created domain and application directory partitions will permit insecure access.

User Action
To secure access to domain and application directory partitions created in the future, revert the default security descriptor on the Domain-DNS object class in the schema back to the default setting.

Resolve

Revert the default security descriptor on the Domain-DNS object class

Security checks on the application directory partition are disabled because the default security descriptor on the Domain-DNS object class is empty. To resolve this issue, you must revert the default security descriptor on the object class to its default setting. Perform the following procedure on the computer that is logging the event to be resolved.

To perform this procedure, you must have membership in Domain Admins and Schema Admins, or you must have been delegated the appropriate authority.

To revert the default security descriptor on the Domain-DNS object class:

  1. Open ADSI Edit. To open ADSI Edit, click Start. In Start Search, type ADSIEdit.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Right-click ADSI Edit, and then click Connect to.
  3. In Select a well known Naming Context, click Schema. The default action of the tool is to connect to the local domain. If you want to connect to another domain or server, you can do that under Computer in the Connection Settings dialog box.
  4. Click OK.
  5. In the console tree, expand the Schema object.
  6. Click the object that starts with CN=Schema, CN=Configuration.
  7. In the middle pane, a three-column list of attribute names, classes, and distinguished names appears. In the Name column, right-click the CN=Domain-DNS class, and then click Properties.
  8. In the list of attributes that appears in the Domain-DNS Properties box, select the defaultSecurityDescriptor attribute, and then click Edit.
  9. In String Attribute Editor, insert a correctly formatted security descriptor in the Value box. For information about formatting a security descriptor, see Security Descriptor String Format (https://go.microsoft.com/fwlink/?LinkID=96260).
  10. Click OK.
  11. Close ADSI Edit.
  12. Restart the computer.
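The same check and revert can be scripted so that it can be run consistently on the schema master and repeated across forests. The following PowerShell is an added example, not part of the Microsoft page: it assumes the ActiveDirectory module (RSAT) is installed, that the caller is a member of Schema Admins, and that `$RestoredSddl` is replaced with the SDDL string taken from a known-good schema (the value in the script is only a placeholder; the page does not list the default string).

```powershell
# Added example (not from the Microsoft page): inspect, validate and, if empty,
# restore the defaultSecurityDescriptor on the Domain-DNS schema class.
# Assumes the ActiveDirectory (RSAT) module and membership in Schema Admins.
# $RestoredSddl is a PLACEHOLDER: supply the SDDL from a known-good schema.
Import-Module ActiveDirectory

$RestoredSddl = 'PLACEHOLDER-SDDL-FROM-KNOWN-GOOD-SCHEMA'

# Schema writes must be made against the schema master, so resolve it first.
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$domainDns    = "CN=Domain-DNS,$schemaNC"

$class = Get-ADObject -Identity $domainDns -Server $schemaMaster `
                      -Properties defaultSecurityDescriptor

if ([string]::IsNullOrEmpty($class.defaultSecurityDescriptor)) {
    Write-Warning "defaultSecurityDescriptor on Domain-DNS is empty: partitions created from now on get no default ACL (Event ID 1980)."

    # Parse the replacement string before committing it; a malformed SDDL
    # throws here instead of after it has been written to the schema.
    $check = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $check.SetSecurityDescriptorSddlForm($RestoredSddl)

    Set-ADObject -Identity $domainDns -Server $schemaMaster `
                 -Replace @{ defaultSecurityDescriptor = $RestoredSddl }
    Write-Output "defaultSecurityDescriptor restored on $domainDns; restart the domain controller (step 12) to complete the fix."
}
else {
    Write-Output "defaultSecurityDescriptor is present on Domain-DNS:"
    Write-Output $class.defaultSecurityDescriptor
}
```

Run it once with `-WhatIf` added to the `Set-ADObject` call to confirm the target object and server before writing; the `SetSecurityDescriptorSddlForm` call rejects a malformed string, but it cannot tell you whether the string is the correct default for your forest, so take that value from a schema that has not been modified.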

Verify

After you create an application directory partition, check Event Viewer for the following Event IDs: 1979, 1980, 1981, 1982, and 1983. If you find these events after you create an application directory partition, the attempt to create the partition failed. For more information about extending the schema properly, see Security Descriptor String Format (https://go.microsoft.com/fwlink/?LinkId=96260).

To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To verify the creation of an application directory partition by using Event Viewer:

  1. Open Event Viewer. To open Event Viewer, click Start. In Start Search, type eventvwr.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Expand Applications and Services Logs, and then click Directory Service.
  3. Click Find, type 1979, and then click Find Now.
  4. Click Find Next to search for additional events as necessary.
  5. Repeat steps 2 through 4 to search for Event IDs 1980, 1981, 1982, and 1983.
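The Event Viewer search in steps 1 through 5 can be done in one query, which is convenient when several domain controllers have to be checked. The following PowerShell is an added example, not part of the Microsoft page; it assumes it runs on the domain controller that logs the event (or that a `-ComputerName` argument is added to point at it) and narrows the search to the last 24 hours, which is a constructed window you should adjust to when the partition was created.

```powershell
# Added example (not from the Microsoft page): look for the partition-creation
# security events 1979-1983 in the Directory Service log.
# Assumes it runs on the domain controller that logs the event; add
# -ComputerName <dc-name> (placeholder) to Get-WinEvent to query a remote DC.
$EventIds = 1979, 1980, 1981, 1982, 1983
$Since    = (Get-Date).AddHours(-24)   # constructed window; match it to the partition creation time

# Get-WinEvent raises an error when nothing matches; treat that as "no events".
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = $EventIds
    StartTime = $Since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No events 1979-1983 since $Since: the partition create attempt did not report a default-ACL problem."
}
else {
    $events |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
    Write-Warning "Events found: the partition create attempt failed. Revert the Domain-DNS defaultSecurityDescriptor (see Resolve) and create the partition again."
}
```

Only the first line of each message is shown so the table stays readable; pipe `$events` to `Format-List` to read the full text of a particular event.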
