0

I had 2 DCs in my domain. One of them died, and the last one has all roles; dcdiag and netdiag show all checks as "good", but I actually can't modify my "Administrator" account.

According to a lot of googling, I have to reset my local machine username/password to get some new Kerberos stuff.

As described here: https://support.microsoft.com/en-us/kb/837513

Actually, netdom failed with "Administrative limits exceeded". If I open ads.msc, I see all my AD stuff and can add/delete/modify users, except the "Administrator", which always fails with "Administrative limits exceeded" as well.

I have no clue where to go from here. Any help?

Regards

  • 1
    How about posting the exact details of what you're trying to do and the exact message you get when trying to do it. – joeqwerty Nov 17 '15 at 15:44

1 Answer

0

OK, after a few days with nearly no sleep, a ton of coffee and so on, the actual problem turned out to be a really simple one, so I post it for reference:

tl;dr

The AD objects of the user and of the DC machine exceeded an LDAP internal size limit.

So using adsiedit.exe, find the objects and remove unneeded attributes; that fixes it!!

1) Not able to edit the Administrator account

  • Open adsiedit or any other AD editor, find the OU of Administrator (or the other affected account), and try to nuke some attributes; in my case I dropped a few records from userCertificate.

2) netdom resetpwd fails with "Administrative Limits Exceeded"

  • Same as above, but find the computer object of the DC where netdom does not work.

After the netdom resetpwd, my DC successfully started and came back into a GOOD state.
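Before deleting anything in adsiedit, it helps to see what is actually stored in userCertificate on the two objects the answer names. The following is an added example, not code from the original answer: it reports each value's size and certificate expiry for the user and the DC computer object. It assumes the RSAT ActiveDirectory module is installed, and the default names ('Administrator', the local computer) are placeholders.

```powershell
# Added example, not part of the original answer: list every value stored in the
# userCertificate attribute of the user and DC computer objects the answer names,
# with size and expiry, so expired or duplicate values can be removed in adsiedit.
# Assumes the RSAT ActiveDirectory module; the default names below are placeholders.
Import-Module ActiveDirectory
function Get-UserCertificateReport {
    [CmdletBinding()]
    param(
        [string]$UserName     = 'Administrator',   # placeholder account name
        [string]$ComputerName = $env:COMPUTERNAME  # placeholder: the affected DC
    )
    $objects = @(
        Get-ADUser     -Identity $UserName     -Properties userCertificate
        Get-ADComputer -Identity $ComputerName -Properties userCertificate
    )
    foreach ($obj in $objects) {
        $index = 0; $totalBytes = 0
        # foreach over a null or empty attribute simply runs zero times
        foreach ($blob in $obj.userCertificate) {
            $bytes = [byte[]]$blob
            $totalBytes += $bytes.Length
            $subject = '<unparseable>'; $notAfter = $null; $expired = $true
            try {
                # Values are DER-encoded X.509; a blob that fails to parse is junk worth removing
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
                $subject  = $cert.Subject
                $notAfter = $cert.NotAfter
                $expired  = $cert.NotAfter -lt (Get-Date)
            } catch { }
            [pscustomobject]@{
                Object   = $obj.DistinguishedName
                Index    = $index
                Bytes    = $bytes.Length
                Subject  = $subject
                NotAfter = $notAfter
                Expired  = $expired
            }
            $index++
        }
        # The total attribute size is what pushes the object over the LDAP limit
        Write-Verbose ("{0}: {1} values, {2} bytes in userCertificate" -f $obj.DistinguishedName, $index, $totalBytes)
    }
}
# Expired and largest values first; delete those in adsiedit as the answer describes
Get-UserCertificateReport -Verbose |
    Sort-Object Expired, Bytes -Descending |
    Format-Table Object, Index, Bytes, Subject, NotAfter, Expired -AutoSize
```

Run it on the surviving DC with an account that can read both objects; the Verbose lines show which object is the heavy one, and the table shows which values are expired or unparseable and therefore safe to drop first.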