Unable to add computer to domain

Randall Warkel

Good afternoon,

There is a machine on our network that is behaving very
strangely. We are trying to add it to our Active
Directory domain, and receiving the error: 'The
administrative limit for this request was exceeded'

I have verified the following:

Connectivity to the local DC
Connectivity to the PDC emulator (at another site)
DNS resolution of both above mentioned DCs
WINS resolution of the PDC emulator

The only reference I can find to this error message is
something to do with adding users and groups to a domain.
It seems to imply the problem is making a domain too big.
We have less than 400 users total with about that many
machines. Has anyone seen this, and knows what I should
do?

Many thanks
 
Don't know if this is useful, but I only found this article containing 'The
administrative limit for this request was exceeded':

Knowledge Base

Windows 2000 Enterprise CAs Not Added to Certificate Publishers Group in
Windows Server 2003 Domain
PSS ID Number: 300532

Article Last Modified on 6/4/2003


----------------------------------------------------------------------------
The information in this article applies to:

- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, 64-Bit Enterprise Edition
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Server

----------------------------------------------------------------------------

This article was previously published under Q300532

SYMPTOMS
After you add Enterprise Certification Authority (CA) functionality to a
Windows 2000 Server-based computer in a Windows Server 2003 domain, the
Windows 2000 CA may not be able to publish certificates to the Active
Directory. The following error entry may also appear in the Application
Event log:

Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 80
Date: date
Time: time
User: N/A
Computer: CA01
Description:

Certificate Services could not publish a Certificate for request 49546 to
the following location on server DC02.example.microsoft.com:
CN=Test,OU=Users,DC=example,DC=microsoft,DC=com. The administrative limit
for this request was exceeded. 0x80072024 (WIN32: 8228). ldap: 0xb:
00002024: SvcErr: DSID-02050ABE, problem 5008 (ADMIN_LIMIT_EXCEEDED),
data -1026

For more information, see Help and Support Center at
http://www.microsoft.com/contentredirect.asp.

CAUSE
Windows 2000 Enterprise CAs are not automatically added to the Certificate
Publishers group in a Windows Server 2003 domain.

RESOLUTION
Manually add the computer account for the Windows 2000 CA to the Certificate
Publishers group in the root domain of the forest:
1. Click Start, point to Programs, point to Administrative Tools, and
then click Active Directory Users and Computers.
2. Double-click the domain name in the left-side pane.
3. Double-click the Users container.
4. Double-click the Cert Publishers group in the right-side pane.
5. Click the Members tab, and then click Add.
6. Browse to the name of the computer that is hosting the CA (or type
this name), and then click OK.

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products
that are listed at the beginning of this article.
----------------------------------------------------------------------------
 
By default, authenticated users can add 10 workstations to the domain. In the
Domain policy and the domain controller you need to add that group or user
to the add workstation to domain tab. Then sync policy, either reboot
server and workstation, and try again. This should fix things.

HTH

Paul McGuire
 
Randall,

Please read the information below. I had the same problem as you and
this helped resolve my issue. There is a second step that you need to
do in order for a non-Domain Admin to add computers to the domain.
This is delegating administration.

Users who have the Create Computer Objects permission on the Active
Directory computers container can also create computer accounts in the
domain. The distinction is that users with permissions on the
container are not restricted to the creation of only 10 computer
accounts. In addition, computer accounts that are created by means of
Add workstations to domain have Domain Administrators as the owner of
the computer account, while computer accounts that are created by
means of permissions on the computers container have the creator as
the owner of the computer account. If a user has permissions on the
container and also has the Add workstations to domain user right, the
computer is added, based on the computer container permissions rather
than on the user right.

Bob Z.
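
An added example, not part of the thread or of any poster's reply: a PowerShell function for checking how close each account is to the 10-workstation limit discussed above. It assumes the limit is stored in the domain's ms-DS-MachineAccountQuota attribute and that joins made through the user right record the creator in mS-DS-CreatorSID; the function name Get-JoinQuotaUsage and the sample SIDs and computer names are constructed for illustration.

```powershell
# Added example (not from the thread): count computer accounts per creator
# and compare each count with the domain's workstation-join quota.
function Get-JoinQuotaUsage {
    param(
        # Objects carrying Name and mS-DS-CreatorSID (e.g. Get-ADComputer output)
        [Parameter(Mandatory)] [object[]] $Computer,
        # Default of 10 is the figure given in the thread
        [int] $Quota = 10
    )
    $Computer |
        # Accounts with no creator SID recorded are skipped
        Where-Object { $_.'mS-DS-CreatorSID' } |
        Group-Object -Property { [string]$_.'mS-DS-CreatorSID' } |
        ForEach-Object {
            [pscustomobject]@{
                CreatorSid = $_.Name
                Created    = $_.Count
                Quota      = $Quota
                AtLimit    = ($_.Count -ge $Quota)
                Computers  = ($_.Group.Name -join ', ')
            }
        } |
        Sort-Object -Property Created -Descending
}

# Constructed sample data so the function can be tried without a domain.
$userA = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # constructed SID
$userB = 'S-1-5-21-1111111111-2222222222-3333333333-1106'   # constructed SID
$sample = @(
    1..10 | ForEach-Object {
        [pscustomobject]@{ Name = "WS-A$_"; 'mS-DS-CreatorSID' = $userA }
    }
    1..2 | ForEach-Object {
        [pscustomobject]@{ Name = "WS-B$_"; 'mS-DS-CreatorSID' = $userB }
    }
    # Account with no creator SID recorded
    [pscustomobject]@{ Name = 'WS-ADMIN1'; 'mS-DS-CreatorSID' = $null }
)
Get-JoinQuotaUsage -Computer $sample | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# $root  = (Get-ADDomain).DistinguishedName
# $quota = (Get-ADObject $root -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
# $all   = Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID'
# Get-JoinQuotaUsage -Computer $all -Quota $quota
```

Rows with AtLimit set to True identify the accounts that have used up their quota and would need either the user right adjusted or Create Computer Objects delegated on the target container.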
