Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2059
  • Last Modified:

Cannot raise Forest Functional Level - Administrative Limit Exceeded

Two years ago, we upgraded all the domain controllers in our multiple domain, multiple site Active Directory from Windows 2000 to Windows 2008.

The forest consists of a root and a child domain, spread across two sites. Each site has 2 domain controllers in each domain, and DNS is only integrated into the forest root domain.

I was able to successfully raise the Domain Functional levels of both domains to Windows 2008. However, I am unable to raise the Forest Functional Level away from Windows 2000 (to either 2003 or 2008) - every attempt gives Error "0x2024 the administrative limit for this request was exceeded"

I have attempted to run this from both the schema and the infrastructure master in the forest root (split to different domain controllers). I have tried running it with my account (member of Enterprise Admins and Schema Admins). I have tried running it with the (renamed) Administrator account. I have attempted to do it via the GUI using Active Directory Domains and Trusts, via Powershell on a Windows 2008 R2 domain controller (set-adforestmode), and I have even attempted to make the change using LDP.exe.

Every attempt, in every combination, yields the same "administrative limit exceeded" error. There are no logs that I can find (and there is no "save as" button, which some MS articles have alluded to). I've got nothing but a headache, and have been completely unable to find anything in Google.

Any help is greatly appreciated!
0
William Michaelis
Asked:
William Michaelis
  • 5
  • 3
4 Solutions
 
William MichaelisLead Systems EngineerAuthor Commented:
I followed advice for manually raising the Forest Functional Level from this article:

http://technet.microsoft.com/en-us/library/dd379481(v=ws.10).aspx#BKMK_3
0
 
William MichaelisLead Systems EngineerAuthor Commented:
I'll update again, as I think I have it solved - but haven't implemented the solution yet to confirm.

Along with not being able to raise the forest functional level, I was having issues replicating to newly built Windows 2008 R2 domain controllers. I was getting Database Out of Version Storage errors (Event 623), and some event 1479 errors called out a group with 153,125 members (I know...) as not replicating. I raised the amount of memory via the workaround in this article: http://support.microsoft.com/kb/974803, and that took care of the replication issue.

Once those errors were cleared, I started receiving event 2008 errors, source ActiveDirectory_DomainService, task category Internal Processing, that looked like these:

Internal error: The security descriptor propagation task encountered an error while processing the following object. The propagation of security descriptors may not be possible until the problem is corrected.
 
Object:
CN=Partitions,CN=Configuration,DC=XXX,DC=XXX
 
Additional Data
Error value:
-1112 []
Internal ID:
2080615

I dumped the attributes for that object to a text file, using the following command:

ldifde -f D:\Temp\Attribfile.txt -d "CN=Partitions,CN=Configuration,DC=xxx,DC=xxx"

The problem is that I have over 850 uPNSuffix attributes on that object, which, at Windows 2000 Forest Functional Level, is about 50 too many. And what other attribute is on that object? msDS-Behavior-Version - the value for Forest Functional Level. Which would explain why I get those ADMIN_LIMIT_EXCEEDED errors - I can't edit the object, because it's already causing an issue.

I'm going to move a bunch of those uPNSuffix attributes off at some point in the next day or two, and see how it treats me then.
0
 
footechCommented:
Nice work in tracking this down.  I started work on a PowerShell script that would search for any objects that have attributes with greater than x number of values.  I've only just started looking into this, but so far the only way I've seen to see the number of values in an attribute is in the output from LDP.exe, and it certainly isn't practical to go clicking on each individual object to see its attributes.  Anyway, it's not done yet. :)

BTW, I don't believe that the limit has really increased with later server versions or functional levels, but I haven't looked that deep at the schema definition.
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
footechCommented:
As a double-check you might try running this script to see if it reports any other objects.  It might help to narrow down any further searching.  I currently have the count filter set at 700, but you could increase to 800 or whatever for a narrower view.
Import-Module ActiveDirectory
$queryCount = 700
$ADroot = Get-ADRootDSE
$ADroot.namingContexts | ForEach `
{
    $context = $_
    Get-ADObject -Filter * -Properties * -SearchBase $_  | ForEach `
    {
        Write-Progress -Activity "Querying Naming Context" -CurrentOperation $context -Status "Working..."
        $ADOprops = $_ | gm -MemberType Property |
         Where { $_.Definition -like "Microsoft.ActiveDirectory.Management.ADPropertyValueCollection*" } | #Wanted to exclude Binary Blobs
         Select -ExpandProperty Name
        foreach ($prop in $ADOprops)
        {
            If (($_.$prop).count -gt $queryCount)
            {
                Write-Output "----------------------------------------------"
                Write-Output "AD Object ""$($_.DistinguishedName)"""
                Write-Output "has attribute ""$prop"" with a count of $($_.$prop.count)"
            }
        }
    }
}

Open in new window


BTW, I don't expect any points for this since you appear to have resolved it yourself, but I would certainly be interested to know if the above script yielded any useful info for you.  :)

EDIT:  Updated the script to query all naming contexts and added a progress indicator.
0
 
William MichaelisLead Systems EngineerAuthor Commented:
Unfortunately, it's in my Production environment, and I'm not going to have a chance to run your script until Monday, but I will. Thanks, footech!
0
 
William MichaelisLead Systems EngineerAuthor Commented:
As I suspected, it was the large number of uPNSuffixes.

I applied some simple logic and reason - if we were able to create 852 entries within that attribute before it failed, I didn't have to get it all the way under the levels recommended for a Windows 2000 forest (800) - I only had to remove 1. Once I did, I was able to successfully raise the forest functional level.

By the way, my comment about limits was from this KB article:

http://support.microsoft.com/kb/914036

Or more specifically, the table in that link.
0
 
footechCommented:
Glad you got it worked out.  I have to say, I'm curious about the need for 850+ UPN suffixes.  :)
0
 
William MichaelisLead Systems EngineerAuthor Commented:
Footech's script will come in handy later, but ultimately it was my own research which answered the question.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now