AB#8723: Maximum Audit Queue Size--Event ID 2866

New article for [CI 8723](https://dev.azure.com/KMOps/ContentExperience/_queries/edit/8723)

Author: v-tappelgate

support/windows-server/active-directory/troubleshoot-event-2866-maximum-audit-queue-size.md

@@ -0,0 +1,213 @@
+---
+title: Troubleshoot Event ID 2866 (Maximum Number of Cached Audit Events)
+description: Describes several methods to use to fix Event ID 2866, and discusses how to identify which methods are appropriate for your situation.
+ms.date: 01/14/2026
+manager: dcscontentpm
+audience: itpro
+ms.topic: troubleshooting
+ms.reviewer: kaushika, herbertm, v-appelgatet
+ms.custom:
+- sap:active directory\user, computer, group, and object management
+- pcy:WinComm Directory Services
+appliesto:
+  - <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Supported versions of Windows Server</a>
+---
+# Troubleshoot Event ID 2866 (maximum number of cached audit events)
+
+This article describes several methods to use to fix Event ID 2866, and discusses how to identify which methods are appropriate for your situation.
+
+## Symptoms
+
+You're modifying Active Directory Domain Services (AD DS) objects. The domain controller (DC) that you're using to make the changes has audit logging enabled and configured to audit the changes that you're making. The modifications start to fail, and on the DC, the Security log records Event ID 2866. The text of the event resembles the following example:
+
+```output
+While logging audit events for the following object, the directory service reached the maximum number of audit events that could be cached in memory at any given time. As a result of reaching this limit, the operation was aborted.
+
+Maximum number of audit events that can be cached: 17000
+
+Distinguished name of object:
+
+CN=xxxxx,OU=Groups,DC=Contoso,DC=com
+
+Generally, this occurs if there are a large number of changes being performed on attributes that require auditing. An example of such an operation could be deleting the membership of a large group, where the 'member' attribute is being audited.
+
+Additional Data from the Audit Event
+Attribute name or old distinguished name:
+<Attribute name>
+
+Attribute value or new distinguished name:
+<XXXXXXXXXX>
+
+User Action 
+(1) Check that an excessive number of object creation, modification, move, rename or undelete operations are not being performed.
+(2) Check that an excessive amount of auditing is not enabled.  For example, confirm that auditing is not configured for more attributes than is necessary.
+(3) If necessary, increase the size of the audit queue by increasing the 'Maximum Audit Queue Size' registry parameter.
+```
+
+Typically, this event occurs in one of the following two scenarios.
+
+### Scenario 1
+
+You're making changes to Active Directory Domain Services (AD DS) objects. For example, you're changing the `member` attributes of multiple group objects.
+
+The change operation fails, and the Security log records Event ID 2866, which indicates that the DC ran out of audit queue space.
+
+### Scenario 2
+
+You make a bulk change to a set of objects that have an attribute that has a large number of values. You're replacing those values with a small number of values (or an empty value). The change fails, and you receive error code `0x21B1`, as shown in the following example:
+
+```ldp
+ldap_modify_s(ld, 'CN=test-many-members01,OU=TEST01,DC=contoso,DC=com',[1] attrs);
+```
+
+```output
+Error: Modify: Operations Error.< 1>
+Server error: 000021B1: SvcErr: DSID-0315155D, problem 5005 (UNABLE_TO_PROCEED), data 0
+
+Error 0x21B1 A required audit event could not be generated for the operation.
+```
+
+The application you're using might report this error as well. The Security log records an event that documents the change for one object, as shown in the following example:
+
+```output
+Log Name: Security
+Source: Microsoft-Windows-Security-Auditing
+Event ID: 4662
+Task Category: Directory Service Access
+Level: Information
+Keywords: Audit Success
+Description:
+An operation was performed on an object.
+
+Subject:
+Security ID:      
+S-1-5-21-3905871866-2182712795-2692410964-142473
+Account Name:      <User>
+Account Domain:    CONTOSO
+Logon ID:          0x17F8710266
+
+Object:
+Object Server:     DS
+Object Type:       %{bf967a9c-0de6-11d0-a285-00aa003049e2}
+Object Name:       %{<guid>}
+HandleID:          0x0
+
+Operation:
+Operation Type:    Object Access
+Accesses:          Write Property
+Access Mask:       0x20
+    
+Properties:        %%7685
+                  {bc0ac240-79a9-11d0-9020-00c04fc2d4cf}
+                  {bf9679c0-0de6-11d0-a285-00aa003049e2}
+                  {bf967a9c-0de6-11d0-a285-00aa003049e2}
+```
+
+A few seconds after the Security log records the preceding event, it records Event ID 2866. Event ID 2866 references the same object as the change event.
+
+> [!NOTE]  
+> In this example, the GUID `bc0ac240-79a9-11d0-9020-00c04fc2d4cf` represents the `member` attribute schema that is being modified, not the object itself.
+
+## Cause
+
+The audit events contain information about security-related events that occur on the domain controller, such as user sign-in attempts, changes to security policies, and changes to particular objects such as groups. When AD DS generates an audit event, the Local Security Authority (LSA) has to write *and* flush the event to the Security log file on the disk. The transaction audit queue is a memory space that buffers audit events until the LSA processes them. After the LSA finishes logging an event, it purges the event from the transaction audit queue.
+
+Under heavy load (for example, during bulk operations), it's possible to generate multiple audit events while still writing the first one to the disk. When the number of audit events reaches the maximum for the queue, operational threads start pausing until their audit event can be inserted into the queue. AD DS logs Event ID 2866 at this point.
+
+### Cause 1: A single transaction generates too many audit events
+
+When the DC's auditing level is set to log an audit event for each successful change, AD DS generates such events for each attribute change. When you change a linked attribute, such as `member`, the change propagates to the other objects that have related attributes. For example, suppose you modify a group object by using commands that resemble the following,
+
+```ldifde
+changetype: modify
+replace: member
+member:
+```
+
+These commands remove all of the current values of `member`. Each of those values identifies another object (a group member), and each of those objects has a `memberof` attribute that AD DS automatically maintains. The transaction (remove all group members) generates an audit event for the change to the group object, *plus* audit events for the changes to the member objects. These audit events can accumulate quickly in the transaction audit queue, because the LSA only starts writing events when the transaction is completed successfully.
+
+The default limit on the number of these audit events that the transaction audit queue can hold is 17,000. If a single transaction exceeds that limit, the transaction returns error code `0x21B1` and rolls the changes back. The Security log records Event ID 2866. The application that started the transaction receives the error. However, depending on the exact commands that the transaction used, the application might not receive information about how many changes the transaction generated.
+
+> [!NOTE]  
+> The recommended maximum number of operations per LDAP transaction is 5,000. Using more than 5,000 operations per transaction risks operational limits (such as those described in this article). Early versions of Windows Server had recommended limits of 5,000 members per group. Although that limit was removed for Windows Server 2003, the recommended limit on the number of operations per LDAP transactions remains. For more information, see the following sections of "Active Directory Maximum Limits - Scalability":
+>
+> - [Maximum Number of Accounts per LDAP Transaction](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc756101(v=ws.10)#maximum-number-of-accounts-per-ldap-transaction)
+> - [Recommended Maximum Number of Users in a Group](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc756101(v=ws.10)#recommended-maximum-number-of-users-in-a-group)
+
+## Cause 2: The rate at which audit events accumulate is greater than the system can process
+
+Audit events are being generated at a rate that's consistently higher than the rate at which the DC can write them to the log file and purge them from the queue. The queue eventually reaches its maximum size.
+
+The rate at which your system generates audit events depends on factors that include the following points:
+
+- How many event sources that you've configured for auditing
+- The type of auditing (such as success auditing, failure auditing, or successful read auditing). For example, all the following categories of operations can generate failure or success auditing:
+
+  - [File system auditing](/windows-hardware/drivers/ifs/auditing) (this category can also generate successful read auditing)
+  - Directory Service auditing (this category can also generate successful read auditing)
+  - [Windows Filtering Platform auditing](/windows/win32/fwp/auditing-and-logging)
+  - Process detailed activity auditing
+
+  > [!NOTE]  
+  > Success auditing is typically very verbose.
+
+## Resolution
+
+The specific methods that you use to resolve this issue depend on the cause:
+
+- A single transaction generates too many audit events
+  1. Consider [reducing the number of operations per transaction](#method-1-reduce-the-number-of-operations-per-transaction).
+  1. [Reduce the volume of audit events](#method-2-reduce-the-volume-of-audit-events) for the affected operations or objects.
+  1. If the previous steps aren't practical or effective, [increase the capacity of the transaction audit queue](#method-3-increase-the-capacity-of-the-transaction-audit-queue).
+
+- The rate at which audit events accumulate is greater than the system can process
+  1. [Reduce the volume of audit events](#method-2-reduce-the-volume-of-audit-events).
+  1. If step 1 doesn't resolve the issue, consider [increasing the capacity of the transaction audit queue](#method-3-increase-the-capacity-of-the-transaction-audit-queue).
+
+### Method 1: Reduce the number of operations per transaction
+
+If you can change the way that your client application makes requests, or the way that you manage multi-valued and linked attributes, this method might be practical. Modify your client application (or the way you manage attributes) to reduce the maximum number of operations in a single transaction.
+
+### Method 2: Reduce the volume of audit events
+
+To reduce the overall rate at which your system generates audit events, review what objects and operations generate audit events. Consider whether you could reduce the level of auditing or audit fewer types of objects. For information about changing auditing settings for specific objects and operations, see the following articles:
+
+- [Audit Generation](/windows/win32/secauthz/audit-generation)
+- [Audit Filtering Platform Connection](/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-filtering-platform-connection)
+
+For information about auditing policies and recommended settings, see the [References](#references) section of this article.
+
+### Method 3: Increase the capacity of the transaction audit queue
+
+[!INCLUDE [Registry important alert](../../../includes/registry-important-alert.md)]
+
+Before you change the queue capacity, consider how the change might affect your system's performance. This registry entry has no upper limit beyond the unsigned 32-bit value upper limit. However, the default value is the recommended value. Increasing the value increases the load on the DC, and can degrade DC performance in the following ways:
+
+- The queue uses more memory.
+- The Security log might use more disk space.
+- Audit events take longer to process.
+
+> [!NOTE]
+> If your issue is a high volume of audit events (as opposed to the number of audit events per transaction), these performance effects limit the usefulness of an increased queue capacity. Although the increased capacity gives you more room to buffer bursts of events, it doesn't change the rate at which the DC can manage them.
+
+To increase the capacity of the transaction audit queue, follow these steps:
+
+1. On the DC, in Registry Editor, go to the `HKLM\System\CurrentControlSet\services\NTDS\Parameters` subkey. 
+1. Use the following information to create a new entry under this subkey:
+
+   - Value: `Maximum Audit Queue Size`
+   - Type: `REG_DWORD`
+   - Data: An integer between 17,000 and 4,294,967,295 (omit commas from the data). The default is `17000`, and the minimum is `100`.
+
+     > [!NOTE]  
+     > The value measures the number of audit events that the queue can cache. It doesn't measure memory usage. If your issue is the number of audit events per transaction, make sure that the number you use is large enough to handle that number of events (for example, use a number that's larger than the number of members of the largest group).
+
+1. Restart the DC.
+
+## References
+
+- [Command line process auditing](/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing)
+- [Advanced security auditing FAQ](/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/advanced-security-auditing-faq)
+- [Plan and deploy advanced security audit policies](/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies)
+- [Advanced Audit Policy Configuration](/windows-server/identity/ad-ds/plan/security-best-practices/advanced-audit-policy-configuration)
+- [Active Directory Maximum Limits - Scalability](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc756101(v=ws.10))