Hello all,
I am at the point where I now have a smooth running Windows 2003 forest and
domain with the one exception of the UID attribute which I bypassed thanks to
the hidden ADPREP switch Steve informed me of.
So I am now attempting to go back and defunct this UID attribute so I can repair it.
Unfortunately, I am unable to do so at this point. When attempting to defunct the object through
Active Directory Schema, I receive an error stating it cannot be done because, "this schema
object may be in use as part of the definition of another schema object". When attempting to
set the isDefunct attribute within UID to TRUE via ADSIEDIT, I receive a more informative
error, "Schema deletion failed: attribute is used in may-contain."
How can I find out which attributes have UID as part of the may-contain
attribute so I can defunct this attribute? If you might have any further
advice for me I would greatly appreciate it.
I've been doing my best to study the schema over the past few days thanks to
Joe's Active Directory book, however I'll readily admit that advanced searching
and filtering are still beyond my grasp at this point.
Thanks,
~Ben
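
Added example, not part of the original message or of any reply in this thread: the "attribute is used in may-contain" error means at least one classSchema object still lists the attribute, so one way to find those classes is to scan an LDIF export of the schema's class definitions (for example, one produced with ldifde). The Python below also checks mustContain and the system variants, which goes beyond the may-contain case in the error; the sample LDIF, the DNs, and the function names are constructed for illustration, and it assumes the attribute's lDAPDisplayName is uid.

```python
import re
from collections import defaultdict

# classSchema attributes that can reference an attributeSchema object.
LINK_ATTRS = ("maycontain", "systemmaycontain", "mustcontain", "systemmustcontain")
# Equivalent filter for a live search of the schema naming context:
# (&(objectClass=classSchema)(|(mayContain=uid)(systemMayContain=uid)
#   (mustContain=uid)(systemMustContain=uid)))

# Constructed sample of an LDIF schema export (not taken from the thread).
SAMPLE_LDIF = """\
dn: CN=Example-Person,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: classSchema
mayContain: roomNumber
mayContain: uid

dn: CN=Example-Account,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: classSchema
mustContain: UID
mayContain: description

dn: CN=Example-Device-With-A-Long-Name,CN=Schema,CN=Configuration,
 DC=example,DC=com
objectClass: classSchema
mayContain: serialNumber
"""

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    return re.sub(r"\r?\n ", "", ldif_text)

def classes_referencing(ldif_text, attr_name):
    """Return {class DN: sorted link attributes that name attr_name}."""
    hits = defaultdict(set)
    for record in re.split(r"\r?\n\s*\r?\n", unfold(ldif_text).strip()):
        dn = None
        for line in record.splitlines():
            key, sep, value = line.partition(":")
            if not sep:
                continue
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            elif key in LINK_ATTRS and value.lower() == attr_name.lower() and dn:
                hits[dn].add(key)
    return {dn: sorted(attrs) for dn, attrs in hits.items()}

if __name__ == "__main__":
    for dn, attrs in classes_referencing(SAMPLE_LDIF, "uid").items():
        print(dn, "->", ", ".join(attrs))
```

Each class reported would need the attribute removed from the listed link attribute before isDefunct can be set on the attribute.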
________________________________
From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Thu 7/6/2006 10:19 PM
To: [email protected]; Mathieu CHATEAU
Subject: RE: [ActiveDir] Forestprep Failure
Ben,
These errors generally occur when a third party application has extended the
schema and it conflicts with the base schema we are trying to put in place.
There were many conflicts found during the initial upgrades to Windows Server
2003 which is why additional information was put into adprep to help guide you,
in the past it failed with a generic conflict error not telling you what
attributes it had issues with. In your case you appear to have a problem with
the Attribute Syntax for UID and an OID conflict with roomnumber as well as
issinglevalue mismatch with roomnumber. The OID for RoomNumber that you gave
below used to be in a sample application that showed how to extend the schema
and unfortunately many third party developers took the OID value in the sample
code as literal and used it when defining their objects for schema extensions
even though they were told to provide a unique OID. The sample code was pulled
but there are still many applications out there that used the literal OID value
in the sample. Since you are running Windows 2000 you do not have a way to
defunct these. Do you know what application is using the information in the
roomnumber attribute? I would suggest in a test environment renaming the
roomnumber attribute using the following steps:
a. Open ldp on the Schema FSMO (make sure you have Checked the option "The
Schema may be modified on this Domain Controller" using the Schema Manager Snap-in).
b. From the Connection menu option select Bind.
c. Type in the user name, password and domain name (use a schema admin
account) and keep (NTLM/Kerberos) checked. Click OK.
d. From the View Menu option select Tree and type the following in the
field (BaseDN:) cn=roomNumber,cn=schema,cn=configuration,dc=..... Click OK
e. On the left pane, double click CN=roomNumber...
f. Right click on the roomNumber attribute and select Modify
g. In the attribute text field add lDAPDisplayName.
h. In the Value field give this to OldroomNumber.
i. Select the replace radio button.
j. Click Enter to add to the Entry List
k. Click Run to confirm success in left pane.
l. Remove the attribute from the entry list.
m. In the attribute text field add adminDisplayName.
n. In the Value field type OldRoomNumber
o. Select the replace radio button.
p. Click Enter to add to the Entry List
q. Click Run to confirm success in left pane.
r. Right click on CN=roomNumber... And select rename.
s. Enter in the old DN field as the current DN of roomNumber.
t. Enter in the new DN field OldroomNumber
u. Confirm Delete Old and Synchronous are selected and click Run.
v. Exit from ldp.
This should allow the roomNumber attribute in the base Windows Server 2003
Schema to be imported. You would of course need to update the third party
application to point to the renamed attribute or import the data in the
OldRoomNumber attribute to the new RoomNumber attribute and hope that none of
the values were multivalued and that the application was not referring to it by
OID. Next you need to address the syntax of the UID attribute. We are
expecting the syntax to be String (Unicode) 2.5.5.12 not String (Printable)
2.5.5.5. This problem is tougher as there is not a supported way to change the
syntax of an attribute and renaming it will not work since the OID is the one
we are expecting, yes there are ways it can be done but it would leave you in
an unsupportable state. To fix this issue I would recommend running ADPREP
/forestprep /nosyntaxcheck, yes this is a hidden switch and should only be used
in cases where one cannot make changes to the conflicting attribute to make it
compliant with the base schema also note you must be using ADPREP from SP1 or a
QFE that was used to distribute adprep from SP1 to use this switch. You can
then upgrade to Windows Server 2003 and after this is successful then take the
forest to Windows Server 2003 Forest Functional Level which will allow you to
defunct this attribute and fix it to match the expected definition. Note in
both cases you may break the third party application that defined these values
that are in conflict. I would suggest testing to ensure that the third party
application works after making the above changes or that steps are taken to
mitigate the loss of functionality in the third party application. I would
also suggest opening a case with Microsoft Support if further assistance or
issues arise and fully testing before doing any of this in production.
Thanks,
-Steve
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Thursday, July 06, 2006 4:34 PM
To: [email protected]; Mathieu CHATEAU
Subject: RE: [ActiveDir] Forestprep Failure
To try and answer everyone's question all at once...
At this point, we don't have Exchange running in our test environment, we do
have copies of the servers there, but have not re-added them to the domain to
bring them up. I don't think that having the actual Exchange servers online
should really matter at this point since all that FORESTPREP is attempting to
do is extend the schema which already contain the extensions that Exchange 2003
had made previously.
Mark, yes, I am absolutely sure SFU had not been installed or more importantly,
ever extended the schema. Just to be sure, I contacted Microsoft this morning
and requested the hotfix for it and when I ran it, it could not find the schema
extensions SFU would have made.
Could you elaborate a little more on what you mean by running Schema Admins
empty? At this point, I have my account added to the Schema Admins so I can
(hopefully) perform the FORESTPREP.
~Ben
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, July 06, 2006 1:42 PM
To: [email protected]; 'Mathieu CHATEAU'
Subject: RE: [ActiveDir] Forestprep Failure
Ben,
Are you sure SFU has not been installed? Do you run Schema Admins Empty?
Mark
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: 06 July 2006 21:13
To: Mathieu CHATEAU
Cc: [email protected]
Subject: RE: [ActiveDir] Forestprep Failure
Hello Mathieu,
Yes, we run a fairly simple domain setup. Single domain, single forest.
We are running in Windows 2000 native mode for domain and forest. Exchange
2003 is also in native mode.
And nice catch on SMS, I deployed it myself and should've remembered to mention
that. We do have SMS 2003 in our environment with the schema extended of
course.
~Ben
________________________________
From: Mathieu CHATEAU [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 06, 2006 11:21 AM
To: WATSON, BEN
Cc: [email protected]
Subject: Re: [ActiveDir] Forestprep Failure
Hello BEN,
Are you in Windows 2000 native mode? The forest too? Exchange native mode?
Do you have SMS? It extends the schema as well.
Cheers,
Mathieu CHATEAU
Thursday, July 6, 2006, 7:43:21 PM, you wrote:
>
I am working to perform a domain upgrade from 2000 to 2003 R2 and I am running
into problems right from the start when attempting an ADPREP /FORESTPREP. The
domain also has Exchange 2003 running as well. Also, we have never extended
the schema with Services for Unix 2.0 which I know can create some issues as
well.
I am currently working in a test environment in which we took a recent full
tape backup of one of our domain controllers, and restored it in a separate
network. As this is a test environment, this restored domain controller is the
ONLY domain controller in existence and all FSMO roles have been transferred to
it.
Here is the output from my ADPREP /FORESTPREP attempt. I'm looking for
assistance on how to fix these schema attributes so the FORESTPREP will be
successful. As I'm working in a test environment, I am afforded the ability to
make the necessary changes and see what it breaks to determine what made these
schema changes (if anything).
C:\WIN2K3R2\CMPNENTS\R2\ADPREP>adprep /forestprep
ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest should
be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows
2000 SP2 (or later).
QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent
potential domain controller corruption.
For more information about preparing your forest and domain see KB article
Q331161 at http://support.microsoft.com .
[User Action]
If ALL your existing Windows 2000 domain controllers meet this requirement, type
C and then press ENTER to continue. Otherwise, type any other key and press
ENTER to quit.
c
=============================================================================
"attributeSyntax" attribute value for objects defined in Windows 2000 schema and
extended schema do not match.
A previous schema extension has defined the attribute value as "2.5.5.5" for
object "CN=uid,CN=Schema,CN=Configuration,DC=appsig,DC=com" differently than the
schema extension needed for Windows 2003 server .
[Status/Consequence]
Adprep cannot extend your existing schema
[User Action]
Contact the vendor of the application that previously extended the schema to
resolve the inconsistency. Then run adprep again.
=============================================================================
"attributeId" attribute value for objects defined in Windows 2000 schema and
extended schema do not match.
A previous schema extension has defined the attribute value as
"1.2.840.113556.1.4.7000.233.28688.28684.8.192196.1165976.1266044.855334" for
object "CN=roomNumber,CN=Schema,CN=Configuration,DC=appsig,DC=com" differently
than the schema extension needed for Windows 2003 server .
[Status/Consequence]
Adprep cannot extend your existing schema
[User Action]
Contact the vendor of the application that previously extended the schema to
resolve the inconsistency. Then run adprep again.
=============================================================================
"isSingleValued" attribute value for objects defined in Windows 2000 schema and
extended schema do not match.
A previous schema extension has defined the attribute value as "TRUE" for object
"CN=roomNumber,CN=Schema,CN=Configuration,DC=appsig,DC=com" differently than
the schema extension needed for Windows 2003 server .
[Status/Consequence]
Adprep cannot extend your existing schema
[User Action]
Contact the vendor of the application that previously extended the schema to
resolve the inconsistency. Then run adprep again.
--
Best regards,
Mathieu mailto:[EMAIL PROTECTED]