Exchange 2016 CU4 won't pass the /PrepareAD

  • Question

  • Hey,

    Even though there are no new schema updates in this release, there is a requirement to run /PrepareAD.

    In my environment it fails to update some security objects.

    [12/21/2016 18:32:44.0366] [2] Group CN=Compliance Management,OU=Microsoft Exchange Security Groups,DC=domain,DC=local already exists.
    [12/21/2016 18:32:44.0366] [2] Used domain controller dc1.domain.local to read object CN=Compliance Management,OU=Microsoft Exchange Security Groups,DC=domain,DC=local.
    [12/21/2016 18:32:44.0444] [2] Used domain controller dc1.domain.local to write object CN=Security Reader,OU=Microsoft Exchange Security Groups,DC=Domain,DC=local.
    [12/21/2016 18:32:44.0475] [2] [ERROR] The administrative limit for this request was exceeded.
    [12/21/2016 18:32:44.0475] [2] [ERROR] The administration limit on the server was exceeded.
    [12/21/2016 18:32:44.0507] [2] Ending processing initialize-ExchangeUniversalGroups
    [12/21/2016 18:32:44.0507] [1] The following 1 error(s) occurred during task execution:
    [12/21/2016 18:32:44.0507] [1] 0.  ErrorRecord: The administrative limit for this request was exceeded.
    [12/21/2016 18:32:44.0507] [1] 0.  ErrorRecord: Microsoft.Exchange.Data.Directory.AdminLimitExceededException: The administrative limit for this request was exceeded. ---> System.DirectoryServices.Protocols.DirectoryOperationException: The administration limit on the server was exceeded.
       at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
       at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
       at Microsoft.Exchange.Data.Directory.PooledLdapConnection.<>c__DisplayClass2.<SendRequest>b__0()
       at Microsoft.Exchange.Diagnostics.GuardedExecution.InternalExecute[T](String bucketName, Func`1 action, Action`2 loggingAction)
       at Microsoft.Exchange.Data.Directory.GuardedDirectoryExecution.Execute[T](String bucketName, Func`1 action)
       at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IADLogContext logContext)
       at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
       --- End of inner exception stack trace ---
       at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
       at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
       at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
       at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation)
       at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.CreateWKGuid(ADContainer container, ADObjectId dn, Guid wkGuid)
       at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.CreateGroup(ADOrganizationalUnit usgContainer, String groupName, Int32 groupId, Guid wkGuid, String groupDescription, GroupTypeFlags groupType, Boolean createAsRoleGroup)
       at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.CreateRoleGroup(ADOrganizationalUnit usgContainer, RoleGroupDefinition roleGroup)
       at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.CreateAndValidateRoleGroups(ADOrganizationalUnit usgContainer, RoleGroupCollection roleGroups)
       at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.InternalProcessRecord()
       at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__c()
       at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
    [12/21/2016 18:32:44.0507] [1] [ERROR] The following error was generated when "$error.Clear();
     initialize-ExchangeUniversalGroups -DomainController $RoleDomainController -ActiveDirectorySplitPermissions $RoleActiveDirectorySplitPermissions

    " was run: "Microsoft.Exchange.Data.Directory.AdminLimitExceededException: The administrative limit for this request was exceeded. ---> System.DirectoryServices.Protocols.DirectoryOperationException: The administration limit on the server was exceeded.
       at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
       at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
       at Microsoft.Exchange.Data.Directory.PooledLdapConnection.<>c__DisplayClass2.<SendRequest>b__0()
       at Microsoft.Exchange.Diagnostics.GuardedExecution.InternalExecute[T](String bucketName, Func`1 action, Action`2 loggingAction)
       at Microsoft.Exchange.Data.Directory.GuardedDirectoryExecution.Execute[T](String bucketName, Func`1 action)
       at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IADLogContext logContext)
       at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
       --- End of inner exception stack trace ---
       at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
       at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
       at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
       at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation)
       at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.CreateWKGuid(ADContainer container, ADObjectId dn, Guid wkGuid)
       at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.CreateGroup(ADOrganizationalUnit usgContainer, String groupName, Int32 groupId, Guid wkGuid, String groupDescription, GroupTypeFlags groupType, Boolean createAsRoleGroup)
       at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.CreateRoleGroup(ADOrganizationalUnit usgContainer, RoleGroupDefinition roleGroup)
       at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.CreateAndValidateRoleGroups(ADOrganizationalUnit usgContainer, RoleGroupCollection roleGroups)
       at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.InternalProcessRecord()
       at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__c()
       at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
    [12/21/2016 18:32:44.0507] [1] [ERROR] The administrative limit for this request was exceeded.
    [12/21/2016 18:32:44.0507] [1] [ERROR] The administration limit on the server was exceeded.

    Any idea how to remediate this?


    Regards, Mindaugas Laucius

    Wednesday, December 21, 2016 11:50 PM

All replies

  • Hello Mindaugas,

    I believe I know of a blog that deals with this. Please read and run through the steps it recommends:

    Exchange 2013 domainprep (prepareAD) fails with Microsoft.Exchange.Data.Directory.AdminLimitExceededException [ERROR_DS_ADMIN_LIMIT_EXCEEDED]

    Usually when you're receiving the "administrative limit has been received" this means an attribute has too many entries and requires an LDAP search to see what attribute is filled up.

    Thanks!


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help.


    Chris Heilman
    Support Escalation Engineer

    Thursday, December 22, 2016 3:12 AM
  • Hi,

    Are you trying to upgrade Exchange 2016 to CU4? If yes, there is generally no need to run /PrepareAD. Recently, I upgraded Exchange Server 2016 CU2 to CU4 in my test environment without running /PrepareAD. So you can run setup.exe directly to upgrade Exchange Server 2016.

    And if you have any problems when using Event Tracing for LDAP, let me know the results.


    Best Regards,

    Lynn-Li
    TechNet Community Support


    Please remember to mark the replies as answers.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, December 22, 2016 8:00 AM
    Moderator
  • Lynn-Li,

    I'm upgrading from CU3 to CU4. I ran setup and got the error. Then I ran setup /PrepareAD and got the same error.

    It is trying to change the following attribute:

    [12/21/2016 18:32:44.0444] [2] Used domain controller dc1.domain.local to write object CN=Security Reader,OU=Microsoft Exchange Security Groups,DC=Domain,DC=local.
    [12/21/2016 18:32:44.0475] [2] [ERROR] The administrative limit for this request was exceeded.
    [12/21/2016 18:32:44.0475] [2] [ERROR] The administration limit on the server was exceeded.


    Regards, Mindaugas Laucius

    Thursday, December 22, 2016 5:00 PM
  • Chris,

    Thanks for the ideas!

    In my case the setup is trying to create the Security Reader security group, but it fails.

    Not sure why..


    Regards, Mindaugas Laucius

    Thursday, December 22, 2016 5:43 PM
  • Well, can you locate this AD object in ADSIEdit?

    CN=Security Reader,OU=Microsoft Exchange Security Groups,DC=Domain,DC=local

    If yes, remove this object in ADSIEdit and re-run Setup.exe.


    Best Regards,

    Lynn-Li
    TechNet Community Support


    Monday, December 26, 2016 10:01 AM
    Moderator
  • Lynn-Li,

    Thank you for the idea. There is no "Security Reader" object in the Microsoft Exchange Security Groups OU. I believe it is a new RBAC role Microsoft is introducing with this CU and therefore it tries to create this security group.

    I tried manually creating the group and re-running setup. In the logs I see that it tries to create a new group anyway, with the name of CN=Security Reader1 though.

    Is there anyone else having the same issue? Perhaps I have security issues on the Microsoft Exchange Security Groups OU?


    Regards, Mindaugas Laucius

    Monday, December 26, 2016 2:42 PM
  • Yes, the "Security Reader" object is newly added in Exchange 2016 CU4.

    And I reviewed error message and found this "initialize-ExchangeUniversalGroups -DomainController $RoleDomainController -ActiveDirectorySplitPermissions $RoleActiveDirectorySplitPermissions"

    Have you configured Active Directory split permissions before? If not, in the Organization Management role group, make sure the 'Security Group Creation and Membership role' is in it.


    Best Regards,

    Lynn-Li
    TechNet Community Support


    Tuesday, December 27, 2016 4:36 AM
    Moderator
  • Lynn-Li,

    Thanks for the idea!

    I checked. Organization Management role has "security group creation and membership role" in it.

    I never configured Active Directory Split permissions before.


    Regards, Mindaugas Laucius

    Tuesday, December 27, 2016 8:11 PM
  • Is there anyone else with a similar problem?

    I guess I should open a support ticket then?


    Regards, Mindaugas Laucius

    Tuesday, January 3, 2017 3:33 AM
  • Have you been able to resolve this issue?

    I ran into the exact same problem when trying to install a new Exchange 2019 server in our existing Exchange 2013 environment.

    [08.09.2019 07:37:26.0890] [2] Used domain controller dc01.xyz.local to write object CN=Security Reader,OU=Microsoft Exchange Security Groups,DC=xyz,DC=local.
    [08.09.2019 07:37:26.0905] [2] [ERROR] The administrative limit for this request was exceeded.
    [08.09.2019 07:37:26.0905] [2] [ERROR] The administration limit on the server was exceeded.
    [08.09.2019 07:37:26.0921] [2] Ending processing initialize-ExchangeUniversalGroups
    [08.09.2019 07:37:26.0921] [1] The following 1 error(s) occurred during task execution:
    [08.09.2019 07:37:26.0921] [1] 0.  ErrorRecord: The administrative limit for this request was exceeded.

    Friday, August 9, 2019 8:20 AM
  • Deleting values from globalAddressList (as mentioned in https://blogs.technet.microsoft.com/mahuynh/2014/10/29/exchange-2013-domainprep-preparead-fails-with-microsoft-exchange-data-directory-adminlimitexceededexception-error_ds_admin_limit_exceeded/) has resolved the issue.
    Friday, August 9, 2019 2:25 PM
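
The thread's diagnosis is that some attribute holds too many values and that an LDAP query is needed to find which one. The following read-only script is an added example, not part of any post above and not Microsoft's tooling: it ranks the attributes of one AD object by value count and can list the values of a single attribute such as globalAddressList for review. The script name `Get-AttributeValueCounts.ps1` and its parameters are hypothetical, and `-ObjectDn` is a placeholder because the thread does not give the DN of the object that holds the oversized attribute.

```powershell
# Get-AttributeValueCounts.ps1 (hypothetical name; added example).
# Read-only: queries one AD object and reports how many values each attribute
# holds, so an attribute that has grown too large stands out.
# Requires the ActiveDirectory module (RSAT).
param(
    # Placeholder: DN of the object to inspect (not given in the thread).
    [Parameter(Mandatory)] [string] $ObjectDn,
    # Domain controller to query, e.g. the one named in ExchangeSetup.log.
    [Parameter(Mandatory)] [string] $Server,
    # Number of largest attributes to show.
    [int] $Top = 10,
    # Optional: attribute whose values should be listed, e.g. globalAddressList.
    [string] $Attribute
)

Import-Module ActiveDirectory -ErrorAction Stop

# Fetch every attribute that is set on the object.
$obj = Get-ADObject -Identity $ObjectDn -Server $Server -Properties *

# Build one row per attribute with its value count.
$report = foreach ($name in $obj.PropertyNames) {
    [pscustomobject]@{
        Attribute  = $name
        ValueCount = $obj[$name].Count
    }
}

# Largest attributes first.
$report |
    Sort-Object ValueCount -Descending |
    Select-Object -First $Top |
    Format-Table -AutoSize

# List the values of one attribute so each entry can be reviewed
# (for example, checked against objects that still exist) before any cleanup.
if ($Attribute) {
    if ($obj.PropertyNames -contains $Attribute) {
        $obj[$Attribute] | Sort-Object | ForEach-Object { "$Attribute : $_" }
    }
    else {
        Write-Warning "Attribute '$Attribute' is not set on $ObjectDn."
    }
}
```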