We had quite an issue with replication in our Active Directory environment this past week. We were suddenly hit with a flood of events in the event log with event ID 1694, reading:
Replication Error 8203 “The attribute syntax specified to the directory service is invalid.”
This error means that an attribute on some object somewhere in Active Directory holds a value that is not valid for that attribute's syntax. That could mean a stray character in the value, or an attribute that requires a Distinguished Name being set to an ordinary string.
To fix this, we pulled more data from those events. Each event tells you which attribute is problematic; in our case it was the “manager” attribute.
While the event doesn't specify a username, it does specify the object's GUID (the objectGUID), and you can use the following PowerShell command to find the user object. If the object turns out not to be a user (a group or computer, for example), use Get-ADObject with the same GUID instead.
Get-ADUser -Identity <objectGUID>
Once you find the user, open it in Active Directory Users and Computers and correct the attribute.
In our case, the “manager” field held a stray blank character. We simply clicked “Clear” to clear it out, and the field then showed “<not set>”, as it should.
Once every one of the problematic accounts was updated, replication resumed as normal.
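The whole procedure above, scripted, as an added example that is not part of the original post: pull the 1694 events, extract the object GUIDs from them, resolve each object, check whether the named attribute holds a value that actually resolves to a Distinguished Name, and clear the ones that do not. It assumes the RSAT ActiveDirectory module is installed and that you run it on or against a domain controller. The regex used to pull GUIDs out of the event text is an assumption, and a 1694 message can contain more than one GUID (for instance the source DSA's), so objects that resolve but carry no value in the attribute are skipped. The attribute name is a variable because the event, not this script, tells you which attribute is bad.

```powershell
# Added example, not the original post's own code. Assumes the RSAT ActiveDirectory
# module and a Directory Service log reachable from where this runs. The GUID regex
# and the assumption that the bad attribute is "manager" are ours; check one of your
# own 1694 events and adjust both if they differ.
Import-Module ActiveDirectory

$attribute = 'manager'   # take this from the 1694 event text

# 1. Pull every 1694 event from the Directory Service log on this DC.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1694 } -ErrorAction SilentlyContinue

# 2. Extract every GUID mentioned in the messages (one object usually appears many times).
$guidPattern = '[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}'
$guids = $events |
    ForEach-Object { [regex]::Matches($_.Message, $guidPattern) | ForEach-Object { $_.Value } } |
    Sort-Object -Unique

# 3. Resolve each GUID and inspect the suspect attribute.
$results = foreach ($guid in $guids) {
    $obj = $null
    try { $obj = Get-ADObject -Identity $guid -Properties $attribute -ErrorAction Stop } catch { }
    if (-not $obj) { continue }            # not an object in this domain (or deleted)
    $value = $obj.$attribute
    if (-not $value) { continue }          # nothing stored, nothing to fix

    # A DN-syntax attribute is only valid if its value resolves to an object;
    # whitespace or an arbitrary string never will.
    $isValid = $false
    if ($value.Trim()) {
        try { $isValid = [bool](Get-ADObject -Identity $value -ErrorAction Stop) } catch { $isValid = $false }
    }

    [pscustomobject]@{
        DistinguishedName = $obj.DistinguishedName
        Attribute         = $attribute
        StoredValue       = $value
        # Code points of the stored value, so a "blank" that is really U+00A0 or a tab shows up
        CodePoints        = ($value.ToCharArray() | ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
        Valid             = $isValid
    }
}

$results | Format-Table -AutoSize

# 4. Clear the invalid values. -WhatIf first; remove it once the list looks right.
$results | Where-Object { -not $_.Valid } | ForEach-Object {
    Set-ADObject -Identity $_.DistinguishedName -Clear $_.Attribute -WhatIf
}
```

Run it with -WhatIf in place first and read the table: the CodePoints column tells you exactly what the stray character was, which is worth knowing before you clear it, since a value such as a real but mistyped DN points to a data-entry problem rather than a stray keystroke.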
FAQ
How do I find blank characters set in Active Directory attributes?
We ran the following PowerShell on each of our Domain Controllers to reveal which objects had a blank character in the attribute. In an LDAP filter, \20 is the escaped space character, so the filter matches objects whose manager attribute is exactly one space. Because replication is broken, each DC may hold a different copy of the object, so query all of them rather than just one:
Get-ADDomainController -Filter * | ForEach-Object { Get-ADObject -Server $_.Name -LDAPFilter '(manager=\20)' }
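A broader version of that scan, as an added example rather than the post's own script: it queries every domain controller, matches not only a single space but also a tab and a no-break space (LDAP filters escape each UTF-8 byte as \XX, so U+00A0 becomes \c2\a0), and reports per DC which copy of the object holds the bad value together with the code points of what is stored. The set of whitespace values to look for and the choice of the manager attribute are assumptions; extend both to whatever your 1694 events name.

```powershell
# Added example, not the original post's script. Assumes the RSAT ActiveDirectory
# module. Escaped filter bytes follow the LDAP filter syntax: \20 = space,
# \09 = tab, \c2\a0 = U+00A0 no-break space in UTF-8. Only exact single-character
# values are matched; add entries to $whitespace for anything else you find.
Import-Module ActiveDirectory

$attribute  = 'manager'
$whitespace = @('\20', '\09', '\c2\a0')
$ldapFilter = '(|' + (($whitespace | ForEach-Object { "($attribute=$_)" }) -join '') + ')'
# e.g. (|(manager=\20)(manager=\09)(manager=\c2\a0))

# Replication is broken, so each DC may hold a different copy: ask every one of them.
$hits = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Get-ADObject -Server $dc.HostName -LDAPFilter $ldapFilter -Properties $attribute -ErrorAction Stop |
            ForEach-Object {
                $value = $_.$attribute
                [pscustomobject]@{
                    DomainController  = $dc.HostName
                    DistinguishedName = $_.DistinguishedName
                    # Show what the "blank" actually is, e.g. U+0020 vs U+00A0
                    ValueCodePoints   = ($value.ToCharArray() | ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
                }
            }
    } catch {
        # A DC that is unreachable still matters: it may be the one holding the bad copy.
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
    }
}

$hits | Sort-Object DistinguishedName, DomainController | Format-Table -AutoSize
```

Sorting by object and then by DC makes it obvious when only some DCs carry the bad value, which is the usual picture once replication of that object has stalled; fix it on a DC that holds the bad copy and confirm the others converge.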
Did this help? Let us know!