Cannot raise Forest Functional Level - Administrative Limit Exceeded

Posted on 2013-06-05
Last Modified: 2013-06-15
Two years ago, we upgraded all the domain controllers in our multiple domain, multiple site Active Directory from Windows 2000 to Windows 2008.

The forest consists of a root and a child domain, spread across two sites. Each site has 2 domain controllers in each domain, and DNS is only integrated into the forest root domain.

I was able to successfully raise the Domain Functional Levels of both domains to Windows 2008. However, I am unable to raise the Forest Functional Level away from Windows 2000 (to either 2003 or 2008); every attempt gives the error "0x2024: The administrative limit for this request was exceeded".

I have attempted to run this from both the schema and the infrastructure master in the forest root (split to different domain controllers). I have tried running it with my account (member of Enterprise Admins and Schema Admins). I have tried running it with the (renamed) Administrator account. I have attempted to do it via the GUI using Active Directory Domains and Trusts, via PowerShell on a Windows 2008 R2 domain controller (Set-ADForestMode), and I have even attempted to make the change using LDP.exe.

Every attempt, in every combination, yields the same "administrative limit exceeded" error. There are no logs that I can find (and there is no "save as" button, which some MS articles have alluded to). I've got nothing but a headache, and have been completely unable to find anything in Google.

Any help is greatly appreciated!
Question by:WMichaelis
Author Comment

by:WMichaelis
ID: 39222975
I followed advice for manually raising the Forest Functional Level from this article:

http://technet.microsoft.com/en-us/library/dd379481(v=ws.10).aspx#BKMK_3
Assisted Solution

by:WMichaelis
WMichaelis earned 0 total points
ID: 39225295
I'll update again, as I think I have it solved - but haven't implemented the solution yet to confirm.

Along with not being able to raise the forest functional level, I was having issues replicating to newly built Windows 2008 R2 domain controllers. I was getting Database Out of Version Storage errors (Event 623), and some event 1479 errors called out a group with 153,125 members (I know...) as not replicating. I raised the amount of memory via the workaround in this article: http://support.microsoft.com/kb/974803, and that took care of the replication issue.

Once those errors were cleared, I started receiving event 2008 errors, source ActiveDirectory_DomainService, task category Internal Processing, that looked like these:

Internal error: The security descriptor propagation task encountered an error while processing the following object. The propagation of security descriptors may not be possible until the problem is corrected.
 
Object:
CN=Partitions,CN=Configuration,DC=XXX,DC=XXX
 
Additional Data
Error value:
-1112 []
Internal ID:
2080615

I dumped the attributes for that object to a text file, using the following command:

ldifde -f D:\Temp\Attribfile.txt -d "CN=Partitions,CN=Configuration,DC=xxx,DC=xxx"

The problem is that I have over 850 uPNSuffix attributes on that object, which, at Windows 2000 Forest Functional Level, is about 50 too many. And what other attribute is on that object? msDS-Behavior-Version - the value for Forest Functional Level. Which would explain why I get those ADMIN_LIMIT_EXCEEDED errors - I can't edit the object, because it's already causing an issue.

I'm going to move a bunch of those uPNSuffix attributes off at some point in the next day or two, and see how it treats me then.
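As an added example that is not part of this thread, the following Python script does by code what the ldifde dump above was read by hand for: it parses an LDIF export, counts the values held by each attribute on each object, and flags any attribute over the per-attribute value ceiling the thread cites (800 at Windows 2000 forest functional level). The sample export, the DN and the suffix names are constructed; the unfolding of continuation lines and the "::" base64 form follow the LDIF format ldifde writes.

```python
import base64
import re
from collections import defaultdict

# Ceiling the thread cites for a multi-valued attribute at Windows 2000 FFL (KB 914036).
WIN2000_VALUE_LIMIT = 800

# Constructed stand-in for "ldifde -f <file> -d CN=Partitions,..." output. It includes a
# folded line (continuation starts with one space) and a base64 value ("::"), as ldifde emits.
SAMPLE_LDIF = """\
dn: CN=Partitions,CN=Configuration,DC=example,DC=local
objectClass: crossRefContainer
msDS-Behavior-Version: 0
uPNSuffixes: corp.example.com
uPNSuffixes: mail.example.com
uPNSuffixes:: c3ViLmV4YW1wbGUuY29t
uPNSuffixes: very-long-suffix-that-ldifde-wraps.example.
 com
"""

def parse_ldif(text):
    """Return {dn: {attribute (lowercased): [values]}} for every entry in an ldifde export."""
    text = re.sub(r"\r?\n ", "", text)          # unfold LDIF continuation lines
    entries, current, dn = {}, defaultdict(list), None
    for line in text.splitlines() + [""]:       # trailing "" flushes the last entry
        if not line:                            # a blank line terminates an entry
            if dn is not None:
                entries[dn] = dict(current)
            current, dn = defaultdict(list), None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):               # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            current[name.lower()].append(value)
    return entries

def find_overloaded(entries, limit=WIN2000_VALUE_LIMIT):
    """(dn, attribute, count, excess) for every attribute holding more than `limit` values."""
    return [(dn, name, len(vals), len(vals) - limit)
            for dn, attrs in entries.items()
            for name, vals in attrs.items() if len(vals) > limit]
```

Run it against a real export with `find_overloaded(parse_ldif(open("Attribfile.txt").read()))`; the excess column tells you how many values would have to go to get back under the cited ceiling, although the thread shows the actual failure point was 852, so trimming by one was enough there.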
Assisted Solution

by:footech
footech earned 500 total points
ID: 39228580
Nice work in tracking this down.  I started work on a PowerShell script that would search for any objects that have attributes with greater than x number of values.  I've only just started looking into this, but so far the only way I've seen to see the number of values in an attribute is in the output from LDP.exe, and it certainly isn't practical to go clicking on each individual object to see its attributes.  Anyway, it's not done yet. :)

BTW, I don't believe that the limit has really increased with later server versions or functional levels, but I haven't looked that deep at the schema definition.
Assisted Solution

by:footech
footech earned 500 total points
ID: 39230239
As a double-check you might try running this script to see if it reports any other objects.  It might help to narrow down any further searching.  I currently have the count filter set at 700, but you could increase to 800 or whatever for a narrower view.
Import-Module ActiveDirectory
# Report any attribute that holds more than this many values
$queryCount = 700
$ADroot = Get-ADRootDSE
# Walk every naming context (domain, configuration, schema and application partitions)
$ADroot.namingContexts | ForEach `
{
    $context = $_
    Get-ADObject -Filter * -Properties * -SearchBase $_  | ForEach `
    {
        Write-Progress -Activity "Querying Naming Context" -CurrentOperation $context -Status "Working..."
        # Keep only multi-valued attribute collections, which excludes binary blobs
        $ADOprops = $_ | gm -MemberType Property |
         Where { $_.Definition -like "Microsoft.ActiveDirectory.Management.ADPropertyValueCollection*" } | #Wanted to exclude Binary Blobs
         Select -ExpandProperty Name
        foreach ($prop in $ADOprops)
        {
            # $_ is still the current AD object here; the foreach statement does not rebind it
            If (($_.$prop).count -gt $queryCount)
            {
                Write-Output "----------------------------------------------"
                Write-Output "AD Object ""$($_.DistinguishedName)"""
                Write-Output "has attribute ""$prop"" with a count of $($_.$prop.count)"
            }
        }
    }
}


BTW, I don't expect any points for this since you appear to have resolved it yourself, but I would certainly be interested to know if the above script yielded any useful info for you.  :)

EDIT:  Updated the script to query all naming contexts and added a progress indicator.
Author Comment

by:WMichaelis
ID: 39232390
Unfortunately, it's in my Production environment, and I'm not going to have a chance to run your script until Monday, but I will. Thanks, footech!
Accepted Solution

by:WMichaelis
WMichaelis earned 0 total points
ID: 39235582
As I suspected, it was the large number of uPNSuffixes.

I applied some simple logic and reason - if we were able to create 852 entries within that attribute before it failed, I didn't have to get it all the way under the levels recommended for a Windows 2000 forest (800) - I only had to remove 1. Once I did, I was able to successfully raise the forest functional level.

By the way, my comment about limits was from this KB article:

http://support.microsoft.com/kb/914036

Or more specifically, the table in that link.
Expert Comment

by:footech
ID: 39235793
Glad you got it worked out.  I have to say, I'm curious about the need for 850+ UPN suffixes.  :)
Author Closing Comment

by:WMichaelis
ID: 39249746
Footech's script will come in handy later, but ultimately it was my own research which answered the question.