RE: [ActiveDir] Forestprep Failure

Wed, 19 Jul 2006 09:29:33 -0700 

Thank you to both Matheesha and Steve, this worked very well and I was able to 
locate the UID attributes and remove them, and now defunct the UID attribute.

I have the original LDF entry from the schema extensions that are included in 
the Windows 2003 schema extension LDF files, and I pulled out the UID extension 
and created a separate LDF file so I can re-import the UID attribute.

What is the proper way to "recreate" the UID attribute so I don't run into any 
conflicts with the now defunct UID attribute that already exists?

I'm thinking that I will need to rename the original UID attribute to something 
else, much like I did the roomNumber attribute that was causing issues 
previously.  And after I have renamed the UID attribute, I can then import UID 
using ldifde.

Is there anything else I may need to do?  I'll use this issue moving forward 
when dealing with defunct attributes and repairing them.

Thanks again for all your help everyone.

~Ben

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha 
Weerasinghe
Sent: Tuesday, July 18, 2006 8:41 PM
To: [email protected]
Subject: Re: [ActiveDir] Forestprep Failure

adfind -sc scontainsl:uid is the easiest. Or use dsquery or ldp with
the base set to the schema and pass the following filter.

(&(objectcategory=classschema)(maycontain=uid))

The above tries to do a search for classes where the maycontain
attribute contains uid.

HTH
M@

On 7/19/06, WATSON, BEN <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> I am at the point where I now have a smooth running Windows 2003 forest and 
> domain with the one exception of the UID attribute which I bypassed thanks to 
> the hidden ADPREP switch Steve informed me of.
>
> So I am now attempting to go back and defunct this UID attribute so I can 
> repair it.  Unfortunately, I am unable to do so at this point.  When 
> attempting to defunct the object through Active Directory Schema, I receive 
> an error stating it cannot be done because, "this schema object may be in use 
> as part of the definition of another schema object".  When attempting to set 
> the isDefunct attribute within UID to TRUE via ADSIEDIT, I receive a more 
> informative error,"Schema deletion failed: attribute is used in may-contain."
>
> How can I find out which attributes have UID as part of the may-contain 
> attribute so I can defunct this attribute?  If you might have any further 
> advice for me I would greatly appreciate it.
>
> I've been doing my best to study the schema over the past few days thanks to 
> Joe's Active Directory book, however I'll readily admit that advanced 
> searching and filtering are still beyond my grasp at this point.
>
> Thanks,
> ~Ben
>
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of Steve Linehan
> Sent: Thu 7/6/2006 10:19 PM
> To: [email protected]; Mathieu CHATEAU
> Subject: RE: [ActiveDir] Forestprep Failure
>
>
>
> Ben,
>   These errors generally occur when a third party application has extended 
> the schema and it conflicts with the base schema we are trying to put in 
> place.  There were many conflicts found during the initial upgrades to 
> Windows Server 2003 which is why additional information was put into adprep 
> to help guide you, in the past it failed with a generic conflict error not 
> telling you what attributes it had issues with.  In your case you appear to 
> have a problem with the Attribute Syntax for UID and an OID conflict with 
> roomnumber as well as issinglevalue mismatch with roomnumber.  The OID for 
> RoomNumber that you gave below used to be in a sample application that showed 
> how to extend the schema and unfortunately many third party developers took 
> the OID value in the sample code as literal and used it when defining there 
> objects for schema extensions even though they were told to provide a unique 
> OID.  The sample code was pulled but there are still many applications out 
> there that used the literal OID value in the sample.  Since you are running 
> Windows 2000 you do not have a way to defunct these.  Do you know what 
> application is using the information in the roomnumber attribute?  I would 
> suggest in a test environment renaming the roomnumber attribute using the 
> following steps:
>
> a.         Open ldp on the Schema FSMO (make sure you have Checked the option 
> "The Schema may be modified on this Domain Controller" using the Schema 
> Manager Snap-in).
> b.         From the Connection menu option select Bind.
> c.         Type is the user name, password and domain name (use a schema 
> admin account) and keep (NTLM/Kerberos) checked. Click OK.
> d.         From the View Menu option select Tree and type the following in 
> the field (BaseDN:)cn=roomNumber,cn=schema,cn=configuration,dc=..... Click OK
> e.         On the left pane, double click CN=roomNumber...
> f.          Right click on the roomNumber attribute and select Modify
> g.         In the attribute text field add lDAPDisplayName.
> h.         In the Value field give this to OldroomNumber.
> i.          Select the replace radio button.
> j.          Click Enter to add to the Entry List
> k.          Click Run to confirm success in left pane.
> l.          Remove the attribute from the entry list.
> m.        In the attribute text field add adminDisplayName.
> n.         In the Value field type OldRoomNumber
> o.         Select the replace radio button.
> p.         Click Enter to add to the Entry List
> q.         Click Run to confirm success in left pane.
> r.          Right click on CN=roomNumber... And select rename.
> s.         Enter in the old DN field as the current DN of roomNumber.
> t.          Enter the in the new DN field OldroomNumber
> u.         Confirm Delete Old and Synchronous are selected and click Run.
> v.         Exit from ldp.
>
> This should allow the roomNumber attribute in the base Windows Server 2003 
> Schema to be imported.  You would of course need to update the third party 
> application to point to the renamed attribute or import the data in the 
> OldRoomNumber attribute to the new RoomNumber attribute and hope that none of 
> the values were multivalued and that the application was not referring to it 
> by OID.  Next you need to address the syntax of the UID attribute.  We are 
> expecting the syntax to be String (Unicode) 2.5.5.12 not String (Printable) 
> 2.5.5.5.  This problem is tougher as there is not a supported way to change 
> the syntax of an attribute and renaming it will not work since the OID is the 
> one we are expecting, yes there are ways it can be done but it would leave 
> you in an unsupportable state.  To fix this issue I would recommend running 
> ADPREP /forestprep /nosyntaxcheck, yes this is a hidden switch and should 
> only be used in cases where one cannot make changes to the conflicting 
> attribute to make it compliant with the base schema also note you must be 
> using ADPREP from SP1 or a QFE that was used to distribute adprep from SP1 to 
> use this switch.  You can then upgrade to Windows Server 2003 and after this 
> is successful then take the forest to Windows Server 2003 Forest Functional 
> Level which will allow you to defunct this attribute and fix it to match the 
> expected definition.  Note in both cases you may break the third party 
> application that defined these values that are in conflict.  I would suggest 
> testing to ensure that the third party application works after making the 
> above changes or that steps are taken to mitigate the loss of functionality 
> in the third party application.  I would also suggest opening a case with 
> Microsoft Support if further assistance or issues arise and fully testing 
> before doing any of this in production.
>
>
>
> Thanks,
>
> -Steve
>
>
>
>
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
> Sent: Thursday, July 06, 2006 4:34 PM
> To: [email protected]; Mathieu CHATEAU
> Subject: RE: [ActiveDir] Forestprep Failure
>
>
>
> To try and answer everyone's question all at once...
>
> At this point, we don't have Exchange running in our test environment, we do 
> have copies of the servers there, but have not re-added them to the domain to 
> bring them up.  I don't think that having the actual Exchange servers online 
> should really matter at this point since all that FORESTPREP is attempting to 
> do is extend the schema which already contain the extensions that Exchange 
> 2003 had made previously.
>
> Mark, yes, I am absolutely sure SFU had not been installed or more 
> importantly, ever extended the schema.  Just to be sure, I contacted 
> Microsoft this morning and requested the hotfix for it and when I ran it, it 
> could not find the schema extensions SFU would have made.
>
> Could you elaborate a little more on what you mean by running Schema Admins 
> empty?  At this point, I have my account added to the Schema Admins so I can 
> (hopefully) perform the FORESTPREP.
>
> ~Ben
>
>
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> Sent: Thursday, July 06, 2006 1:42 PM
> To: [email protected]; 'Mathieu CHATEAU'
> Subject: RE: [ActiveDir] Forestprep Failure
>
>
>
> Ben,
>
>
> Are you sure SFU has not been installed? Do you run Schema Admins Empty?
>
> Mark
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
> Sent: 06 July 2006 21:13
> To: Mathieu CHATEAU
> Cc: [email protected]
> Subject: RE: [ActiveDir] Forestprep Failure
>
>
>
> Hello Mathieu,
>
> Yes, we run a fairly simple domain setup.  Single domain, single forest.
>
> We are running in Windows 2000 native mode for domain and forest.  Exchange 
> 2003 is also in native mode.
>
> And nice catch on SMS, I deployed it myself and should've remembered to 
> mention that.  We do have SMS 2003 in our environment with the schema 
> extended of course.
>
> ~Ben
>
>
>
> ________________________________
>
> From: Mathieu CHATEAU [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 06, 2006 11:21 AM
> To: WATSON, BEN
> Cc: [email protected]
> Subject: Re: [ActiveDir] Forestprep Failure
>
>
>
> Hello BEN,
>
>
>
>
>
> are you in Windows 2000 native mode ? the forest too ? exchange native mode ?
>
>
>
> Do you have SMS ? it extends the schema as well.
>
>
>
>
>
> Cheers,
>
> Mathieu CHATEAU
>
>
>
> Thursday, July 6, 2006, 7:43:21 PM, you wrote:
>
>
>
> >
>
> I am working to perform a domain upgrade from 2000 to 2003 R2 and I am 
> running into problems right from the start when attempting an ADPREP 
> /FORESTPREP.  The domain also has Exchange 2003 running as well.  Also, we 
> have never extended the schema with Services for Unix 2.0 which I know can 
> create some issues as well.
>
>
>
> I am currently working in a test environment in which we took a recent full 
> tape backup of one of our domain controllers, and restored it in a separate 
> network.  As this is a test environment, this restored domain controller is 
> the ONLY domain controller in existence and all FSMO roles have been 
> transferred to it.
>
>
>
> Here is the output from my ADPREP /FORESTPREP attempt.  I'm looking for 
> assistance on how to fix these schema attributes so the FORESTPREP will be 
> successful.  As I'm working in a test environment, I am afforded the ability 
> to make the necessary changes and see what it breaks to determine what made 
> these schema changes (if anything).
>
>
>
> C:\WIN2K3R2\CMPNENTS\R2\ADPREP>adprep /forestprep
>
>
>
> ADPREP WARNING:
>
>
>
> Before running adprep, all Windows 2000 domain controllers in the forest 
> should
>
> be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to 
> Windows
>
> 2000 SP2 (or later).
>
>
>
> QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent 
> poten
>
> tial domain controller corruption.
>
>
>
> For more information about preparing your forest and domain see KB article 
> Q3311
>
> 61 at http://support.microsoft.com <http://support.microsoft.com> .
>
>
>
> [User Action]
>
> If ALL your existing Windows 2000 domain controllers meet this requirement, 
> type
>
>  C and then press ENTER to continue. Otherwise, type any other key and press 
> ENT
>
> ER to quit.
>
>
>
> c
>
>
>
> =============================================================================
>
> "attributeSyntax" attribute value for objects defined in Windows 2000 schema 
> and
>
>  extended schema do not match.
>
>
>
> A previous schema extension has defined the attribute value as "2.5.5.5" for 
> obj
>
> ect "CN=uid,CN=Schema,CN=Configuration,DC=appsig,DC=com" differently than the 
> sc
>
> hema extension needed for Windows 2003 server .
>
> [Status/Consequence]
>
> Adprep cannot extend your existing schema
>
> [User Action]
>
> Contact the vendor of the application that previously extended the schema to 
> res
>
> olve the inconsistency. Then run adprep again.
>
>
>
> =============================================================================
>
> "attributeId" attribute value for objects defined in Windows 2000 schema and 
> ext
>
> ended schema do not match.
>
>
>
> A previous schema extension has defined the attribute value as 
> "1.2.840.113556.1
>
> .4.7000.233.28688.28684.8.192196.1165976.1266044.855334" for object 
> "CN=roomNumb
>
> er,CN=Schema,CN=Configuration,DC=appsig,DC=com" differently than the schema 
> exte
>
> nsion needed for Windows 2003 server .
>
> [Status/Consequence]
>
> Adprep cannot extend your existing schema
>
> [User Action]
>
> Contact the vendor of the application that previously extended the schema to 
> res
>
> olve the inconsistency. Then run adprep again.
>
>
>
> =============================================================================
>
> "isSingleValued" attribute value for objects defined in Windows 2000 schema 
> and
>
> extended schema do not match.
>
>
>
> A previous schema extension has defined the attribute value as "TRUE" for 
> object
>
>  "CN=roomNumber,CN=Schema,CN=Configuration,DC=appsig,DC=com" differently than 
> th
>
> e schema extension needed for Windows 2003 server .
>
> [Status/Consequence]
>
> Adprep cannot extend your existing schema
>
> [User Action]
>
> Contact the vendor of the application that previously extended the schema to 
> res
>
> olve the inconsistency. Then run adprep again.
>
>
>
>
>
>
>
>
>
> --
>
> Best regards,
>
>  Mathieu                            mailto:[EMAIL PROTECTED] <mailto:[EMAIL 
> PROTECTED]>
>
>
>
.Bövrzöv
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Reply via email to