Solved

Cannot raise Forest Functional Level - Administrative Limit Exceeded

Posted on 2013-06-05
Last Modified: 2013-06-15
Two years ago, we upgraded all the domain controllers in our multiple domain, multiple site Active Directory from Windows 2000 to Windows 2008.

The forest consists of a root and a child domain, spread across two sites. Each site has 2 domain controllers in each domain, and DNS is only integrated into the forest root domain.

I was able to successfully raise the Domain Functional levels of both domains to Windows 2008. However, I am unable to raise the Forest Functional Level away from Windows 2000 (to either 2003 or 2008) - every attempt gives Error "0x2024 the administrative limit for this request was exceeded"

I have attempted to run this from both the schema and the infrastructure master in the forest root (split to different domain controllers). I have tried running it with my account (member of Enterprise Admins and Schema Admins). I have tried running it with the (renamed) Administrator account. I have attempted to do it via the GUI using Active Directory Domains and Trusts, via PowerShell on a Windows 2008 R2 domain controller (Set-ADForestMode), and I have even attempted to make the change using LDP.exe.

Every attempt, in every combination, yields the same "administrative limit exceeded" error. There are no logs that I can find (and there is no "save as" button, which some MS articles have alluded to). I've got nothing but a headache, and have been completely unable to find anything in Google.

Any help is greatly appreciated!
Question by:William Michaelis
8 Comments
 
LVL 2

Author Comment

by:William Michaelis
ID: 39222975
I followed advice for manually raising the Forest Functional Level from this article:

http://technet.microsoft.com/en-us/library/dd379481(v=ws.10).aspx#BKMK_3
 
LVL 2

Assisted Solution

by:William Michaelis
William Michaelis earned 0 total points
ID: 39225295
I'll update again, as I think I have it solved - but haven't implemented the solution yet to confirm.

Along with not being able to raise the forest functional level, I was having issues replicating to newly built Windows 2008 R2 domain controllers. I was getting Database Out of Version Storage errors (Event 623), and some event 1479 errors called out a group with 153,125 members (I know...) as not replicating. I raised the amount of memory via the workaround in this article: http://support.microsoft.com/kb/974803, and that took care of the replication issue.

Once those errors were cleared, I started receiving event 2008 errors, source ActiveDirectory_DomainService, task category Internal Processing, that looked like these:

Internal error: The security descriptor propagation task encountered an error while processing the following object. The propagation of security descriptors may not be possible until the problem is corrected.
 
Object:
CN=Partitions,CN=Configuration,DC=XXX,DC=XXX
 
Additional Data
Error value:
-1112 []
Internal ID:
2080615

I dumped the attributes for that object to a text file, using the following command:

ldifde -f D:\Temp\Attribfile.txt -d "CN=Partitions,CN=Configuration,DC=xxx,DC=xxx"

The problem is that I have over 850 uPNSuffix attributes on that object, which, at Windows 2000 Forest Functional Level, is about 50 too many. And what other attribute is on that object? msDS-Behavior-Version - the value for Forest Functional Level. Which would explain why I get those ADMIN_LIMIT_EXCEEDED errors - I can't edit the object, because it's already causing an issue.

I'm going to move a bunch of those uPNSuffix attributes off at some point in the next day or two, and see how it treats me then.
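Added example (not code from this thread): the post above finds the problem by dumping CN=Partitions with ldifde and eyeballing how many uPNSuffixes values it holds. The script below does that count offline, reading an ldifde export and reporting the number of values per attribute, so the one multi-valued attribute sitting over the limit stands out. It handles ldifde's folded continuation lines (a leading space) and base64 values ("attr:: ..."). The LDIF in $sample is constructed for the example (hypothetical DC=corp,DC=example, 852 made-up suffixes), not the poster's real dump, and the default limit of 800 is the figure this thread cites for a Windows 2000 forest. Assumes PowerShell 3.0 or later.

```powershell
# Added example, not from the thread: count values per attribute in an ldifde export.
function Get-LdifAttributeCounts {
    param([Parameter(Mandatory=$true)][string[]]$Lines)

    # ldifde folds long values: a continuation line begins with a single space and
    # belongs to the previous line. Unfold first so one value is counted once.
    $unfolded = New-Object System.Collections.Generic.List[string]
    foreach ($line in $Lines) {
        if ($line.StartsWith(' ') -and $unfolded.Count -gt 0) {
            $unfolded[$unfolded.Count - 1] += $line.Substring(1)
        } else {
            $unfolded.Add($line)
        }
    }

    $counts = @{}
    foreach ($line in $unfolded) {
        # "attr: value" or "attr:: <base64>". 'dn' and 'changetype' frame the record
        # and are not attributes of the object.
        if ($line -match '^(?<attr>[A-Za-z][A-Za-z0-9;\-]*):{1,2} ') {
            $attr = $Matches['attr']
            if ($attr -eq 'dn' -or $attr -eq 'changetype') { continue }
            $counts[$attr] = [int]$counts[$attr] + 1
        }
    }
    return $counts
}

function Find-CrowdedAttributes {
    param(
        [Parameter(Mandatory=$true)][string[]]$Lines,
        [int]$Limit = 800   # value count the thread cites as the Windows 2000 forest ceiling
    )
    $counts = Get-LdifAttributeCounts -Lines $Lines
    $counts.GetEnumerator() | Sort-Object Value -Descending | ForEach-Object {
        [pscustomobject]@{
            Attribute = $_.Key
            Values    = $_.Value
            OverLimit = ($_.Value -gt $Limit)
        }
    }
}

# Constructed sample standing in for the output of
#   ldifde -f D:\Temp\Attribfile.txt -d "CN=Partitions,CN=Configuration,DC=corp,DC=example"
# Hypothetical forest name; one folded line; 852 made-up UPN suffixes.
$sample = @(
    'dn: CN=Partitions,CN=Configuration,DC=corp,DC=example'
    'changetype: add'
    'objectClass: top'
    'objectClass: crossRefContainer'
    'cn: Partitions'
    'msDS-Behavior-Version: 0'
    'fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,'
    ' CN=Configuration,DC=corp,DC=example'
) + (1..852 | ForEach-Object { "uPNSuffixes: tenant$($_).example" })

Find-CrowdedAttributes -Lines $sample | Format-Table -AutoSize

# Against a real export from the command above:
# Find-CrowdedAttributes -Lines (Get-Content D:\Temp\Attribfile.txt)
```

Point it at the export of any object named in an event 2008 (the security descriptor propagation error quoted above) and the attribute that needs trimming is the one flagged OverLimit; the single-valued attributes, including msDS-Behavior-Version, all report a count of 1.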
 
LVL 40

Assisted Solution

by:footech
footech earned 500 total points
ID: 39228580
Nice work in tracking this down.  I started work on a PowerShell script that would search for any objects that have attributes with greater than x number of values.  I've only just started looking into this, but so far the only way I've seen to see the number of values in an attribute is in the output from LDP.exe, and it certainly isn't practical to go clicking on each individual object to see its attributes.  Anyway, it's not done yet. :)

BTW, I don't believe that the limit has really increased with later server versions or functional levels, but I haven't looked that deep at the schema definition.
 
LVL 40

Assisted Solution

by:footech
footech earned 500 total points
ID: 39230239
As a double-check you might try running this script to see if it reports any other objects.  It might help to narrow down any further searching.  I currently have the count filter set at 700, but you could increase to 800 or whatever for a narrower view.
```powershell
Import-Module ActiveDirectory
$queryCount = 700   # report any multi-valued attribute holding more values than this
$ADroot = Get-ADRootDSE
# Walk every naming context (domain, configuration, schema, application partitions).
$ADroot.namingContexts | ForEach `
{
    $context = $_
    Get-ADObject -Filter * -Properties * -SearchBase $_  | ForEach `
    {
        Write-Progress -Activity "Querying Naming Context" -CurrentOperation $context -Status "Working..."
        # Multi-valued attributes come back as ADPropertyValueCollection; keeping only
        # those also skips single-valued byte[] attributes.
        $ADOprops = $_ | gm -MemberType Property |
         Where { $_.Definition -like "Microsoft.ActiveDirectory.Management.ADPropertyValueCollection*" } | #Wanted to exclude Binary Blobs
         Select -ExpandProperty Name
        foreach ($prop in $ADOprops)
        {
            # $_ is still the pipeline object here; the foreach statement does not rebind it.
            If (($_.$prop).count -gt $queryCount)
            {
                Write-Output "----------------------------------------------"
                Write-Output "AD Object ""$($_.DistinguishedName)"""
                Write-Output "has attribute ""$prop"" with a count of $($_.$prop.count)"
            }
        }
    }
}
```

BTW, I don't expect any points for this since you appear to have resolved it yourself, but I would certainly be interested to know if the above script yielded any useful info for you.  :)

EDIT:  Updated the script to query all naming contexts and added a progress indicator.
 
LVL 2

Author Comment

by:William Michaelis
ID: 39232390
Unfortunately, it's in my Production environment, and I'm not going to have a chance to run your script until Monday, but I will. Thanks, footech!
 
LVL 2

Accepted Solution

by:William Michaelis
William Michaelis earned 0 total points
ID: 39235582
As I suspected, it was the large number of uPNSuffixes.

I applied some simple logic and reason - if we were able to create 852 entries within that attribute before it failed, I didn't have to get it all the way under the levels recommended for a Windows 2000 forest (800) - I only had to remove 1. Once I did, I was able to successfully raise the forest functional level.

By the way, my comment about limits was from this KB article:

http://support.microsoft.com/kb/914036

Or more specifically, the table in that link.
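Added example (not the poster's own commands): the accepted solution comes down to a live check of CN=Partitions followed by removing UPN suffixes until a write to that object succeeds, then retrying the forest mode change. The function below does the check from the forest root's configuration naming context, removes only suffixes you explicitly list as removable, skips any suffix that still appears in an account's userPrincipalName, and honours -WhatIf. -Limit 800 is the figure the thread cites for a Windows 2000 forest; the poster found that removing a single suffix from 852 was enough, so set -Limit to what you actually need rather than trimming to 800 blindly. The suffix name 'old-tenant.example' is a placeholder. Assumes the ActiveDirectory module, PowerShell 3.0 or later, and an Enterprise Admins account.

```powershell
# Added example, not from the thread: report and, optionally, trim the uPNSuffixes
# values on CN=Partitions so that a write to the object (such as raising the forest
# functional level) can succeed.
function Repair-UpnSuffixHeadroom {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [int]$Limit = 800,          # value count the thread cites for a Windows 2000 forest
        [string[]]$Removable = @()  # suffixes you are willing to drop, in preferred order
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Forest functional level lives on the same object as the UPN suffix list.
    $rootDse    = Get-ADRootDSE
    $partitions = Get-ADObject -Identity "CN=Partitions,$($rootDse.configurationNamingContext)" `
                               -Properties uPNSuffixes, 'msDS-Behavior-Version'

    $present = @($partitions.uPNSuffixes)
    $count   = $present.Count
    Write-Verbose "msDS-Behavior-Version (forest level): $($partitions.'msDS-Behavior-Version')"
    Write-Verbose "uPNSuffixes on CN=Partitions: $count (limit $Limit)"

    $surplus = $count - $Limit
    if ($surplus -le 0) {
        return [pscustomobject]@{ Count = $count; Limit = $Limit; Removed = @() }
    }

    # Candidates: listed as removable, actually present, and not still in use by an account.
    $toRemove = @()
    foreach ($suffix in $Removable) {
        if ($toRemove.Count -ge $surplus) { break }
        if ($present -notcontains $suffix) { continue }
        $inUse = Get-ADUser -LDAPFilter "(userPrincipalName=*@$suffix)" -ResultSetSize 1
        if ($inUse) {
            Write-Warning "$suffix is still used in at least one userPrincipalName; skipping it."
            continue
        }
        $toRemove += $suffix
    }
    if ($toRemove.Count -lt $surplus) {
        Write-Warning "Need to remove $surplus suffix(es) but only $($toRemove.Count) safe candidate(s) found."
    }

    $forest = Get-ADForest
    foreach ($suffix in $toRemove) {
        if ($PSCmdlet.ShouldProcess($suffix, 'Remove UPN suffix from forest')) {
            Set-ADForest -Identity $forest -UPNSuffixes @{ Remove = $suffix }
        }
    }
    [pscustomobject]@{ Count = $count; Limit = $Limit; Removed = $toRemove }
}

# 1. Report only.
Repair-UpnSuffixHeadroom -Verbose

# 2. Dry run, then the real removal (placeholder suffix name).
# Repair-UpnSuffixHeadroom -Limit 851 -Removable 'old-tenant.example' -WhatIf
# Repair-UpnSuffixHeadroom -Limit 851 -Removable 'old-tenant.example'

# 3. Retry the change that was failing with ADMIN_LIMIT_EXCEEDED.
# Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2008Forest
```

The in-use check is there because removing a suffix from the forest list does not rewrite the UPNs already assigned under it; warning on those accounts first tells you which ones would need a new UPN, which is the kind of thing you want to know before touching a production forest.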
 
LVL 40

Expert Comment

by:footech
ID: 39235793
Glad you got it worked out.  I have to say, I'm curious about the need for 850+ UPN suffixes.  :)
 
LVL 2

Author Closing Comment

by:William Michaelis
ID: 39249746
Footech's script will come in handy later, but ultimately it was my own research which answered the question.