How to fix “Exceeded the Maximum Number of Computer Accounts Allowed to Create in this Domain”

This is a quick post about a problem I saw in my lab today: computers were failing to join the domain. To find out why, I manually attempted a domain join using the account specified in the SCCM Task Sequence, and got the error named in the title of this post.

On the client computer that failed to join the domain, open netsetup.log in the C:\Windows\Debug folder; you should see something similar to the text below. The status 0x216d is ERROR_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED (8557 decimal): the joining account has already created as many computer objects as the domain quota allows, so the LDAP add fails, and the downlevel NetUserAdd retry fails with the same status.

12/20/2019 02:43:30:112 NetpMapGetLdapExtendedError: Parsed [0x216d] from server extended error string: 0000216D: SvcErr: DSID-031A1254, problem 5003 (WILL_NOT_PERFORM), data 0
12/20/2019 02:43:30:112 NetpModifyComputerObjectInDs: ldap_add_s failed: 0x35 0x216d
12/20/2019 02:43:30:112 NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x216d
12/20/2019 02:43:30:112 NetpProvisionComputerAccount: LDAP creation failed: 0x216d
12/20/2019 02:43:30:112 NetpProvisionComputerAccount: Retrying downlevel per options
12/20/2019 02:43:30:112 NetpManageMachineAccountWithSid: NetUserAdd on 'DC01.windowsnoob.lab.local' for 'MININT-1K4R0PO$' failed: 0x216d
12/20/2019 02:43:30:112 NetpProvisionComputerAccount: retry status of creating account: 0x216d
12/20/2019 02:43:30:112 ldap_unbind status: 0x0
12/20/2019 02:43:30:112 NetpJoinCreatePackagePart: status:0x216d.
12/20/2019 02:43:30:112 NetpJoinDomainOnDs: Function exits with status of: 0x216d
12/20/2019 02:43:30:112 NetpJoinDomainOnDs: status of disconnecting from '\\DC01.windowsnoob.lab.local': 0x0
12/20/2019 02:43:30:112 NetpJoinDomainOnDs: NetpResetIDNEncoding on '(null)': 0x0
12/20/2019 02:43:30:112 NetpDoDomainJoin: status: 0x216d

The fix involves changing the value of one Active Directory attribute on the domain object. The attribute controls how many computer accounts any authenticated user may create in the domain without having been granted explicit Create Computer objects permission on an OU:

ms-DS-MachineAccountQuota

To change it, on the domain controller start adsiedit.msc and browse to the DC=… object of your domain. Right-click it and choose Properties.

Note: If you cannot find ms-DS-MachineAccountQuota when you select Properties, ensure that you have connected to the Default naming context in ADSI Edit (and not some other context such as Schema, RootDSE or Configuration). To change the context, select ADSI Edit in the left pane, click Action, and then Connect to.

Select Default Naming Context.

Once done, you’ll be able to find the ms-DS-MachineAccountQuota attribute by selecting Properties.

Scroll down to ms-DS-MachineAccountQuota and notice that the default value is 10.

Change it to something larger, like 1000, and retry the join.

Keep in mind that this quota applies to every authenticated user in the domain, not only to the join account, so raising it to 1000 lets any domain user create up to 1000 computer objects. If you want to keep that door closed, the tighter option is to leave the quota at 0 and instead delegate Create Computer objects (and Delete Computer objects) on the OU your task sequence joins to, to the join account only.

Job done!
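The same change done from PowerShell, as an added example that is not part of the original post. It reads the current quota, lists the computer objects the join account has already created under it, then applies either the fix above (raise the quota) or the least-privilege alternative (quota 0 plus delegation on one OU). It needs the ActiveDirectory RSAT module and rights on the domain object and the target OU. The join account name sccm_join, the OU name Workstations and the use of the domain's NetBIOS name are assumptions for the example; substitute your own.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module (RSAT) and an account with write rights on the domain object / OU.
# Assumed names: join account 'sccm_join', target OU 'Workstations'.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$joinUser = Get-ADUser -Identity 'sccm_join'          # assumption: the task sequence join account
$targetOU = "OU=Workstations,$domainDN"               # assumption: the OU the task sequence joins to

# 1. Read the current quota (default 10). A join attempt by an account that has
#    already created that many computer objects fails with 0x216d.
$domainObj = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
$quota     = $domainObj.'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota on $domainDN is $quota"

# 2. List the computer objects this account created through the quota. AD stamps
#    the creator's SID into mS-DS-CreatorSID when an object is created under the
#    quota; objects created via explicit Create Computer objects permission have no such stamp.
$createdByJoinUser = @(Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID' | Where-Object {
    $creator = $_.'mS-DS-CreatorSID'
    if ($creator -is [byte[]]) {
        # Some module versions return the raw SID bytes; normalise to a SecurityIdentifier.
        $creator = [System.Security.Principal.SecurityIdentifier]::new($creator, 0)
    }
    $creator -and ($creator.Value -eq $joinUser.SID.Value)
})
Write-Host "$($createdByJoinUser.Count) computer objects were created by $($joinUser.SamAccountName) under the quota"
$createdByJoinUser | Select-Object Name, DistinguishedName | Format-Table -AutoSize

# 3a. The fix from the post: raise the quota. Note this applies to every
#     authenticated user in the domain, not only the join account.
Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 1000 }

# 3b. Least-privilege alternative (use instead of 3a): switch the quota off and
#     delegate Create/Delete Computer objects on the target OU to the join account only.
#     The join account then needs no quota at all, and other users get none.
# Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
# $netbios = (Get-ADDomain).NetBIOSName
# dsacls $targetOU /I:T /G "$netbios\$($joinUser.SamAccountName):CCDC;computer"
```

Step 2 is the useful check before changing anything: if the count is at or above the quota, you have confirmed the cause rather than guessed it, and the list tells you which stale MININT-* objects from earlier task sequence runs can be deleted to free up the quota. The delegation in 3b covers joins that create a new computer object in that OU; joining to a pre-staged object needs further rights on the existing object (reset password, write account restrictions, validated writes to DNS host name and SPN).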

This entry was posted in Active Directory.
