Title: Re: [ActiveDir] Forestprep Failure
Outstanding response Steve!  That was far more than I could have ever expected.  I "almost" wish I had not taken a vacation day tomorrow just to see if your instructions will work!  I'll certainly work on this Monday morning and let you know if I was successful.  I don't think I'll work with Microsoft Support on this issue as I called them last week to see if they could assist me, and after spending 6 hours on the phone, I was left with a completely broken (test) domain and was told that I'd have to rebuild.  Wonderful!  *sarcasm*
 
Mark, ah good point, and yes, we always run with the schema admins membership empty.
 
Thanks again guys,
~Ben


From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 7/6/2006 10:32 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] Forestprep Failure

Ben,

The reason for running Schema Admins empty is in case, as part of an install, an application "just" extends the schema - if you run the group empty, that cannot be done.

I think Steve has your solution here.

Mark


-----Original Message-----
From: "Steve Linehan" <[EMAIL PROTECTED]>
Date: Thu, 6 Jul 2006 22:19:32
To:<[email protected]>, "Mathieu CHATEAU" <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Forestprep Failure

Ben,
These errors generally occur when a third party application has extended the schema and it conflicts with the base schema we are trying to put in place.  There were many conflicts found during the initial upgrades to Windows Server 2003, which is why additional information was put into adprep to help guide you; in the past it failed with a generic conflict error, not telling you what attributes it had issues with.  In your case you appear to have a problem with the Attribute Syntax for UID and an OID conflict with roomnumber as well as an issinglevalue mismatch with roomnumber.  The OID for RoomNumber that you gave below used to be in a sample application that showed how to extend the schema, and unfortunately many third party developers took the OID value in the sample code as literal and used it when defining their objects for schema extensions even though they were told to provide a unique OID.  The sample code was pulled but there are still many applications out there that used the literal OID value in the sample.  Since you are running Windows 2000 you do not have a way to defunct these.  Do you know what application is using the information in the roomnumber attribute?  I would suggest in a test environment renaming the roomnumber attribute using the following steps:

a. Open ldp on the Schema FSMO (make sure you have checked the option "The Schema may be modified on this Domain Controller" using the Schema Manager Snap-in).
b. From the Connection menu option select Bind.
c. Type in the user name, password and domain name (use a schema admin account) and keep (NTLM/Kerberos) checked. Click OK.
d. From the View Menu option select Tree and type the following in the field (BaseDN:) cn=roomNumber,cn=schema,cn=configuration,dc=….. Click OK
e. On the left pane, double click CN=roomNumber...
f. Right click on the roomNumber attribute and select Modify
g. In the attribute text field add lDAPDisplayName.
h. In the Value field type OldroomNumber.
i. Select the replace radio button.
j. Click Enter to add to the Entry List
k. Click Run to confirm success in left pane.
l. Remove the attribute from the entry list.
m. In the attribute text field add adminDisplayName.
n. In the Value field type OldRoomNumber
o. Select the replace radio button.
p. Click Enter to add to the Entry List
q. Click Run to confirm success in left pane.
r. Right click on CN=roomNumber... and select rename.
s. Enter in the old DN field the current DN of roomNumber.
t. Enter in the new DN field OldroomNumber
u. Confirm Delete Old and Synchronous are selected and click Run.
v. Exit from ldp.

This should allow the roomNumber attribute in the base Windows Server 2003 Schema to be imported.  You would of course need to update the third party application to point to the renamed attribute or import the data in the OldRoomNumber attribute to the new RoomNumber attribute and hope that none of the values were multivalued and that the application was not referring to it by OID.

Next you need to address the syntax of the UID attribute.  We are expecting the syntax to be String (Unicode) 2.5.5.12 not String (Printable) 2.5.5.5.  This problem is tougher as there is not a supported way to change the syntax of an attribute and renaming it will not work since the OID is the one we are expecting.  Yes, there are ways it can be done but it would leave you in an unsupportable state.  To fix this issue I would recommend running ADPREP /forestprep /nosyntaxcheck.  Yes, this is a hidden switch and should only be used in cases where one cannot make changes to the conflicting attribute to make it compliant with the base schema.  Also note you must be using ADPREP from SP1 or a QFE that was used to distribute adprep from SP1 to use this switch.  You can then upgrade to Windows Server 2003 and, after this is successful, take the forest to Windows Server 2003 Forest Functional Level, which will allow you to defunct this attribute and fix it to match the expected definition.  Note in both cases you may break the third party application that defined these values that are in conflict.  I would suggest testing to ensure that the third party application works after making the above changes or that steps are taken to mitigate the loss of functionality in the third party application.  I would also suggest opening a case with Microsoft Support if further assistance or issues arise and fully testing before doing any of this in production.

 

Thanks,

-Steve

 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
 Sent: Thursday, July 06, 2006 4:34 PM
 To: [email protected]; Mathieu CHATEAU
 Subject: RE: [ActiveDir] Forestprep Failure

 

To try and answer everyone’s question all at once…

At this point, we don’t have Exchange running in our test environment; we do have copies of the servers there, but have not re-added them to the domain to bring them up.  I don’t think that having the actual Exchange servers online should really matter at this point since all that FORESTPREP is attempting to do is extend the schema, which already contains the extensions that Exchange 2003 had made previously.

Mark, yes, I am absolutely sure SFU had not been installed or more importantly, ever extended the schema.  Just to be sure, I contacted Microsoft this morning and requested the hotfix for it and when I ran it, it could not find the schema extensions SFU would have made.

Could you elaborate a little more on what you mean by running Schema Admins empty?  At this point, I have my account added to the Schema Admins so I can (hopefully) perform the FORESTPREP.

~Ben

 



----------------

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
 Sent: Thursday, July 06, 2006 1:42 PM
 To: [email protected]; 'Mathieu CHATEAU'
 Subject: RE: [ActiveDir] Forestprep Failure

 

Ben,


 Are you sure SFU has not been installed? Do you run Schema Admins Empty?

Mark



----------------

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
 Sent: 06 July 2006 21:13
 To: Mathieu CHATEAU
 Cc: [email protected]
 Subject: RE: [ActiveDir] Forestprep Failure

 

Hello Mathieu,

Yes, we run a fairly simple domain setup.  Single domain, single forest.

We are running in Windows 2000 native mode for domain and forest.  Exchange 2003 is also in native mode.

And nice catch on SMS, I deployed it myself and should’ve remembered to mention that.  We do have SMS 2003 in our environment with the schema extended of course.

~Ben

 



----------------

From: Mathieu CHATEAU [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, July 06, 2006 11:21 AM
 To: WATSON, BEN
 Cc: [email protected]
 Subject: Re: [ActiveDir] Forestprep Failure

 

Hello BEN,

 

 

Are you in Windows 2000 native mode? The forest too? Exchange native mode?

Do you have SMS? It extends the schema as well.

 

 

Cheers,

Mathieu CHATEAU

 

Thursday, July 6, 2006, 7:43:21 PM, you wrote:

 



> 

I am working to perform a domain upgrade from 2000 to 2003 R2 and I am running into problems right from the start when attempting an ADPREP /FORESTPREP.  The domain also has Exchange 2003 running as well.  Also, we have never extended the schema with Services for Unix 2.0 which I know can create some issues as well.

 

I am currently working in a test environment in which we took a recent full tape backup of one of our domain controllers, and restored it in a separate network.  As this is a test environment, this restored domain controller is the ONLY domain controller in existence and all FSMO roles have been transferred to it.

 

Here is the output from my ADPREP /FORESTPREP attempt.  I’m looking for assistance on how to fix these schema attributes so the FORESTPREP will be successful.  As I’m working in a test environment, I am afforded the ability to make the necessary changes and see what it breaks to determine what made these schema changes (if anything).

 

C:\WIN2K3R2\CMPNENTS\R2\ADPREP>adprep /forestprep

ADPREP WARNING:

Before running adprep, all Windows 2000 domain controllers in the forest should
be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows
2000 SP2 (or later).

QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent poten
tial domain controller corruption.

For more information about preparing your forest and domain see KB article Q3311
61 at http://support.microsoft.com.

[User Action]
If ALL your existing Windows 2000 domain controllers meet this requirement, type
 C and then press ENTER to continue. Otherwise, type any other key and press ENT
ER to quit.

c

=============================================================================
"attributeSyntax" attribute value for objects defined in Windows 2000 schema and
 extended schema do not match.

A previous schema extension has defined the attribute value as "2.5.5.5" for obj
ect "CN=uid,CN=Schema,CN=Configuration,DC=appsig,DC=com" differently than the sc
hema extension needed for Windows 2003 server .
[Status/Consequence]
Adprep cannot extend your existing schema
[User Action]
Contact the vendor of the application that previously extended the schema to res
olve the inconsistency. Then run adprep again.

=============================================================================
"attributeId" attribute value for objects defined in Windows 2000 schema and ext
ended schema do not match.

A previous schema extension has defined the attribute value as "1.2.840.113556.1
.4.7000.233.28688.28684.8.192196.1165976.1266044.855334" for object "CN=roomNumb
er,CN=Schema,CN=Configuration,DC=appsig,DC=com" differently than the schema exte
nsion needed for Windows 2003 server .
[Status/Consequence]
Adprep cannot extend your existing schema
[User Action]
Contact the vendor of the application that previously extended the schema to res
olve the inconsistency. Then run adprep again.

=============================================================================
"isSingleValued" attribute value for objects defined in Windows 2000 schema and
extended schema do not match.

A previous schema extension has defined the attribute value as "TRUE" for object
 "CN=roomNumber,CN=Schema,CN=Configuration,DC=appsig,DC=com" differently than th
e schema extension needed for Windows 2003 server .
[Status/Consequence]
Adprep cannot extend your existing schema
[User Action]
Contact the vendor of the application that previously extended the schema to res
olve the inconsistency. Then run adprep again.

 

 

 

 

-- 

Best regards,

 Mathieu <mailto:[EMAIL PROTECTED]>
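
The following Python parser is an added example, not code from any poster in this thread or from Microsoft. It reads adprep /forestprep conflict output like that quoted above, undoes the 80-column console wrap, and groups the mismatched schema properties by object; the names Conflict, parse_conflicts and by_object are hypothetical, and the sample is adapted from the output in this thread.

```python
import re
from typing import NamedTuple

class Conflict(NamedTuple):
    attribute: str  # schema property that differs, e.g. attributeSyntax
    value: str      # value the earlier schema extension defined
    dn: str         # schema object adprep would not overwrite
# Adapted from the adprep output quoted in this thread (blank lines and the
# [Status]/[User Action] text removed). Values and DNs are split mid-token.
SAMPLE = '''\
=============================================================================
"attributeSyntax" attribute value for objects defined in Windows 2000 schema and
 extended schema do not match.
A previous schema extension has defined the attribute value as "2.5.5.5" for obj
ect "CN=uid,CN=Schema,CN=Configuration,DC=appsig,DC=com" differently than the sc
hema extension needed for Windows 2003 server .
=============================================================================
"attributeId" attribute value for objects defined in Windows 2000 schema and ext
ended schema do not match.
A previous schema extension has defined the attribute value as "1.2.840.113556.1
.4.7000.233.28688.28684.8.192196.1165976.1266044.855334" for object "CN=roomNumb
er,CN=Schema,CN=Configuration,DC=appsig,DC=com" differently than the schema exte
nsion needed for Windows 2003 server .
=============================================================================
"isSingleValued" attribute value for objects defined in Windows 2000 schema and
extended schema do not match.
A previous schema extension has defined the attribute value as "TRUE" for object
 "CN=roomNumber,CN=Schema,CN=Configuration,DC=appsig,DC=com" differently than th
e schema extension needed for Windows 2003 server .
'''

HEADER = re.compile(r'"(\w+)" attribute value for objects')
DETAIL = re.compile(r'attribute value as "([^"]*)" for object\s*"([^"]*)"')

def parse_conflicts(output):
    """Return one Conflict per '=====' block; joining the lines with no
    separator restores tokens the console split at column 80."""
    found = []
    for block in re.split(r"^={10,}\s*$", output, flags=re.M):
        text = "".join(l for l in block.splitlines() if l.strip())
        head, detail = HEADER.search(text), DETAIL.search(text)
        if head and detail:
            found.append(Conflict(head.group(1), *detail.groups()))
    return found

def by_object(conflicts):
    """Map each schema object's CN to the properties that mismatch on it."""
    grouped = {}
    for c in conflicts:
        grouped.setdefault(c.dn.split(",")[0][3:], []).append(c.attribute)
    return grouped
```

Grouping by object shows at a glance which attributes need the rename treatment and which have only a syntax mismatch.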