Solved

Cannot raise Forest Functional Level - Administrative Limit Exceeded

Posted on 2013-06-05
Medium Priority
2,019 Views
Last Modified: 2013-06-15
Two years ago, we upgraded all the domain controllers in our multiple domain, multiple site Active Directory from Windows 2000 to Windows 2008.

The forest consists of a root and a child domain, spread across two sites. Each site has 2 domain controllers in each domain, and DNS is only integrated into the forest root domain.

I was able to successfully raise the Domain Functional levels of both domains to Windows 2008. However, I am unable to raise the Forest Functional Level away from Windows 2000 (to either 2003 or 2008) - every attempt gives Error "0x2024 the administrative limit for this request was exceeded"

I have attempted to run this from both the schema and the infrastructure master in the forest root (split to different domain controllers). I have tried running it with my account (member of Enterprise Admins and Schema Admins). I have tried running it with the (renamed) Administrator account. I have attempted to do it via the GUI using Active Directory Domains and Trusts, via PowerShell on a Windows 2008 R2 domain controller (set-adforestmode), and I have even attempted to make the change using LDP.exe.

Every attempt, in every combination, yields the same "administrative limit exceeded" error. There are no logs that I can find (and there is no "save as" button, which some MS articles have alluded to). I've got nothing but a headache, and have been completely unable to find anything in Google.

Any help is greatly appreciated!
Question by:William Michaelis
8 Comments
 
LVL 2

Author Comment

by:William Michaelis
ID: 39222975
I followed advice for manually raising the Forest Functional Level from this article:

http://technet.microsoft.com/en-us/library/dd379481(v=ws.10).aspx#BKMK_3
 
LVL 2

Assisted Solution

by:William Michaelis
William Michaelis earned 0 total points
ID: 39225295
I'll update again, as I think I have it solved - but haven't implemented the solution yet to confirm.

Along with not being able to raise the forest functional level, I was having issues replicating to newly built Windows 2008 R2 domain controllers. I was getting Database Out of Version Storage errors (Event 623), and some event 1479 errors called out a group with 153,125 members (I know...) as not replicating. I raised the amount of memory via the workaround in this article: http://support.microsoft.com/kb/974803, and that took care of the replication issue.

Once those errors were cleared, I started receiving event 2008 errors, source ActiveDirectory_DomainService, task category Internal Processing, that looked like these:

Internal error: The security descriptor propagation task encountered an error while processing the following object. The propagation of security descriptors may not be possible until the problem is corrected.
 
Object:
CN=Partitions,CN=Configuration,DC=XXX,DC=XXX
 
Additional Data
Error value:
-1112 []
Internal ID:
2080615

I dumped the attributes for that object to a text file, using the following command:

ldifde -f D:\Temp\Attribfile.txt -d "CN=Partitions,CN=Configuration,DC=xxx,DC=xxx"

The problem is that I have over 850 uPNSuffix attributes on that object, which, at Windows 2000 Forest Functional Level, is about 50 too many. And what other attribute is on that object? msDS-Behavior-Version - the value for Forest Functional Level. Which would explain why I get those ADMIN_LIMIT_EXCEEDED errors - I can't edit the object, because it's already causing an issue.

I'm going to move a bunch of those uPNSuffix attributes off at some point in the next day or two, and see how it treats me then.
 
LVL 41

Assisted Solution

by:footech
footech earned 2000 total points
ID: 39228580
Nice work in tracking this down.  I started work on a PowerShell script that would search for any objects that have attributes with greater than x number of values.  I've only just started looking into this, but so far the only way I've seen to see the number of values in an attribute is in the output from LDP.exe, and it certainly isn't practical to go clicking on each individual object to see its attributes.  Anyway, it's not done yet. :)

BTW, I don't believe that the limit has really increased with later server versions or functional levels, but I haven't looked that deep at the schema definition.
 
LVL 41

Assisted Solution

by:footech
footech earned 2000 total points
ID: 39230239
As a double-check you might try running this script to see if it reports any other objects.  It might help to narrow down any further searching.  I currently have the count filter set at 700, but you could increase to 800 or whatever for a narrower view.
Import-Module ActiveDirectory
$queryCount = 700   # report any multi-valued attribute holding more values than this
$ADroot = Get-ADRootDSE
$ADroot.namingContexts | ForEach-Object {
    $context = $_
    # Walk every object in this naming context with all attributes loaded
    Get-ADObject -Filter * -Properties * -SearchBase $context | ForEach-Object {
        Write-Progress -Activity "Querying Naming Context" -CurrentOperation $context -Status "Working..."
        # Keep only multi-valued (ADPropertyValueCollection) attributes; this also excludes binary blobs
        $ADOprops = $_ | Get-Member -MemberType Property |
            Where-Object { $_.Definition -like "Microsoft.ActiveDirectory.Management.ADPropertyValueCollection*" } |
            Select-Object -ExpandProperty Name
        foreach ($prop in $ADOprops) {
            if (($_.$prop).Count -gt $queryCount) {
                Write-Output "----------------------------------------------"
                Write-Output "AD Object ""$($_.DistinguishedName)"""
                Write-Output "has attribute ""$prop"" with a count of $($_.$prop.Count)"
            }
        }
    }
}

BTW, I don't expect any points for this since you appear to have resolved it yourself, but I would certainly be interested to know if the above script yielded any useful info for you.  :)

EDIT:  Updated the script to query all naming contexts and added a progress indicator.
 
LVL 2

Author Comment

by:William Michaelis
ID: 39232390
Unfortunately, it's in my Production environment, and I'm not going to have a chance to run your script until Monday, but I will. Thanks, footech!
 
LVL 2

Accepted Solution

by:William Michaelis
William Michaelis earned 0 total points
ID: 39235582
As I suspected, it was the large number of uPNSuffixes.

I applied some simple logic and reason - if we were able to create 852 entries within that attribute before it failed, I didn't have to get it all the way under the levels recommended for a Windows 2000 forest (800) - I only had to remove 1. Once I did, I was able to successfully raise the forest functional level.

By the way, my comment about limits was from this KB article:

http://support.microsoft.com/kb/914036

Or more specifically, the table in that link.
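The diagnosis from the assisted solution above (count the uPNSuffixes values on CN=Partitions, the same object that carries msDS-Behavior-Version, the forest functional level) and the fix from the accepted solution (take one suffix off to get back under the limit) combined, as an added PowerShell example that is not from the thread or from either poster. It assumes the RSAT ActiveDirectory module is installed, uses 800 as the per-attribute value count the thread cites from KB 914036 for a Windows 2000 forest, and the suffix name in the usage comments is a placeholder. Before removing a suffix it checks that no user principal name still ends in it, since dropping a suffix that accounts depend on breaks their logons.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PartitionsUpnSuffixReport {
    # $Limit = 800 is the value-count threshold the thread cites (KB 914036 table); assumption
    param([int]$Limit = 800)

    # The forest functional level (msDS-Behavior-Version) lives on CN=Partitions
    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $partitions = Get-ADObject -Identity "CN=Partitions,$configNC" `
                      -Properties uPNSuffixes, 'msDS-Behavior-Version'

    $count = @($partitions.uPNSuffixes).Count
    [pscustomobject]@{
        DistinguishedName     = $partitions.DistinguishedName
        ForestFunctionalLevel = $partitions.'msDS-Behavior-Version'
        UpnSuffixCount        = $count
        Limit                 = $Limit
        OverLimit             = ($count -gt $Limit)
        # How many values must go to get back under the limit (0 if already under)
        ToRemove              = [math]::Max(0, $count - $Limit)
    }
}

function Remove-UpnSuffixSafely {
    # Supports -WhatIf for a dry run and prompts before the real change
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true)][string]$Suffix)

    $dn = "CN=Partitions,$((Get-ADRootDSE).configurationNamingContext)"

    # Refuse to remove a suffix that any user principal name still relies on
    $inUse = Get-ADUser -Filter "userPrincipalName -like '*@$Suffix'" -ResultSetSize 1
    if ($inUse) {
        throw "Suffix '$Suffix' is still used by user '$($inUse.SamAccountName)'; not removing."
    }

    if ($PSCmdlet.ShouldProcess($dn, "Remove '$Suffix' from uPNSuffixes")) {
        # -Remove takes a hashtable of attribute => value(s) to strip from the object
        Set-ADObject -Identity $dn -Remove @{ uPNSuffixes = $Suffix }
    }
}

# Usage (suffix name is a placeholder):
#   Get-PartitionsUpnSuffixReport
#   Remove-UpnSuffixSafely -Suffix 'retired.example.com' -WhatIf   # dry run
#   Remove-UpnSuffixSafely -Suffix 'retired.example.com'           # prompts, then removes
```

Run the report first; its ToRemove field tells you how many values to strip, which in the thread's case was a single one (852 present against a limit of 800, yet one removal was enough, so the report's figure is a worst case, not a requirement). Once the count is down, the forest functional level change (Active Directory Domains and Trusts or Set-ADForestMode) can be retried.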
 
LVL 41

Expert Comment

by:footech
ID: 39235793
Glad you got it worked out.  I have to say, I'm curious about the need for 850+ UPN suffixes.  :)
 
LVL 2

Author Closing Comment

by:William Michaelis
ID: 39249746
Footech's script will come in handy later, but ultimately it was my own research which answered the question.