RE: [ActiveDir] Forestprep Failure

[WATSON, BEN]

I went ahead and renamed the UID attribute to oldUID, imported the original UID 
schema extension, and then attempted the 2003 R2 extension and received an 
error relating back to the attributeID that the now defunct oldUID attribute 
had.  I was under the impression that defunct attributes are treated as though 
they did not exist.  It turned out to be necessary to change the attributeID of 
the oldUID to something different as the new UID I imported had the same 
attributeID.  As soon as I did that, the schema extension to 2003 R2 went 
perfectly.

As always, thanks for the help you guys have offered.  It's been invaluable for 
my first time domain upgrade.

~Ben



-----Original Message-----
From: WATSON, BEN 
Sent: Wednesday, July 19, 2006 9:28 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Forestprep Failure

Thank you to both Matheesha and Steve, this worked very well and I was able to 
locate the UID attributes and remove them, and now defunct the UID attribute.

I have the original LDF entry from the schema extensions that are included in 
the Windows 2003 schema extension LDF files, and I pulled out the UID extension 
and created a separate LDF file so I can re-import the UID attribute.

What is the proper way to "recreate" the UID attribute so I don't run into any 
conflicts with the now defunct UID attribute that already exists?

I'm thinking that I will need to rename the original UID attribute to something 
else, much like I did the roomNumber attribute that was causing issues 
previously.  And after I have renamed the UID attribute, I can then import UID 
using ldifde.

Is there anything else I may need to do?  I'll use this issue moving forward 
when dealing with defunct attributes and repairing them.

Thanks again for all your help everyone.

~Ben

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha 
Weerasinghe
Sent: Tuesday, July 18, 2006 8:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Forestprep Failure

adfind -sc scontainsl:uid is the easiest. Or use dsquery or ldp with
the base set to the schema and pass the following filter.

(&(objectcategory=classschema)(maycontain=uid))

The above tries to do a search for classes where the maycontain
attribute contains uid.

HTH
M@

On 7/19/06, WATSON, BEN <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> I am at the point where I now have a smooth running Windows 2003 forest and 
> domain with the one exception of the UID attribute which I bypassed thanks to 
> the hidden ADPREP switch Steve informed me of.
>
> So I am now attempting to go back and defunct this UID attribute so I can 
> repair it.  Unfortunately, I am unable to do so at this point.  When 
> attempting to defunct the object through Active Directory Schema, I receive 
> an error stating it cannot be done because, "this schema object may be in use 
> as part of the definition of another schema object".  When attempting to set 
> the isDefunct attribute within UID to TRUE via ADSIEDIT, I receive a more 
> informative error,"Schema deletion failed: attribute is used in may-contain."
>
> How can I find out which attributes have UID as part of the may-contain 
> attribute so I can defunct this attribute?  If you might have any further 
> advice for me I would greatly appreciate it.
>
> I've been doing my best to study the schema over the past few days thanks to 
> Joe's Active Directory book, however I'll readily admit that advanced 
> searching and filtering are still beyond my grasp at this point.
>
> Thanks,
> ~Ben
>
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of Steve Linehan
> Sent: Thu 7/6/2006 10:19 PM
> To: ActiveDir@mail.activedir.org; Mathieu CHATEAU
> Subject: RE: [ActiveDir] Forestprep Failure
>
>
>
> Ben,
>   These errors generally occur when a third party application has extended 
> the schema and it conflicts with the base schema we are trying to put in 
> place.  There were many conflicts found during the initial upgrades to 
> Windows Server 2003 which is why additional information was put into adprep 
> to help guide you, in the past it failed with a generic conflict error not 
> telling you what attributes it had issues with.  In your case you appear to 
> have a problem with the Attribute Syntax for UID and an OID conflict with 
> roomnumber as well as issinglevalue mismatch with roomnumber.  The OID for 
> RoomNumber that you gave below used to be in a sample application that showed 
> how to extend the schema and unfortunately many third party developers took 
> the OID value in the sample code as literal and used it when defining there 
> objects for schema extensions even though they were told to provide a unique 
> OID.  The sample code was pulled but there are still many applications out 
> there that used the literal OID value in the sample.  Since you are running 
> Windows 2000 you do not have a way to defunct these.  Do you know what 
> application is using the information in the roomnumber attribute?  I would 
> suggest in a test environment renaming the roomnumber attribute using the 
> following steps:
>
> a.         Open ldp on the Schema FSMO (make sure you have Checked the option 
> "The Schema may be modified on this Domain Controller" using the Schema 
> Manager Snap-in).
> b.         From the Connection menu option select Bind.
> c.         Type is the user name, password and domain name (use a schema 
> admin account) and keep (NTLM/Kerberos) checked. Click OK.
> d.         From the View Menu option select Tree and type the following in 
> the field (BaseDN:)cn=roomNumber,cn=schema,cn=configuration,dc=..... Click OK
> e.         On the left pane, double click CN=roomNumber...
> f.          Right click on the roomNumber attribute and select Modify
> g.         In the attribute text field add lDAPDisplayName.
> h.         In the Value field give this to OldroomNumber.
> i.          Select the replace radio button.
> j.          Click Enter to add to the Entry List
> k.          Click Run to confirm success in left pane.
> l.          Remove the attribute from the entry list.
> m.        In the attribute text field add adminDisplayName.
> n.         In the Value field type OldRoomNumber
> o.         Select the replace radio button.
> p.         Click Enter to add to the Entry List
> q.         Click Run to confirm success in left pane.
> r.          Right click on CN=roomNumber... And select rename.
> s.         Enter in the old DN field as the current DN of roomNumber.
> t.          Enter the in the new DN field OldroomNumber
> u.         Confirm Delete Old and Synchronous are selected and click Run.
> v.         Exit from ldp.
>
> This should allow the roomNumber attribute in the base Windows Server 2003 
> Schema to be imported.  You would of course need to update the third party 
> application to point to the renamed attribute or import the data in the 
> OldRoomNumber attribute to the new RoomNumber attribute and hope that none of 
> the values were multivalued and that the application was not referring to it 
> by OID.  Next you need to address the syntax of the UID attribute.  We are 
> expecting the syntax to be String (Unicode) 2.5.5.12 not String (Printable) 
> 2.5.5.5.  This problem is tougher as there is not a supported way to change 
> the syntax of an attribute and renaming it will not work since the OID is the 
> one we are expecting, yes there are ways it can be done but it would leave 
> you in an unsupportable state.  To fix this issue I would recommend running 
> ADPREP /forestprep /nosyntaxcheck, yes this is a hidden switch and should 
> only be used in cases where one cannot make changes to the conflicting 
> attribute to make it compliant with the base schema also note you must be 
> using ADPREP from SP1 or a QFE that was used to distribute adprep from SP1 to 
> use this switch.  You can then upgrade to Windows Server 2003 and after this 
> is successful then take the forest to Windows Server 2003 Forest Functional 
> Level which will allow you to defunct this attribute and fix it to match the 
> expected definition.  Note in both cases you may break the third party 
> application that defined these values that are in conflict.  I would suggest 
> testing to ensure that the third party application works after making the 
> above changes or that steps are taken to mitigate the loss of functionality 
> in the third party application.  I would also suggest opening a case with 
> Microsoft Support if further assistance or issues arise and fully testing 
> before doing any of this in production.
>
>
>
> Thanks,
>
> -Steve
>
>
>
>
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
> Sent: Thursday, July 06, 2006 4:34 PM
> To: ActiveDir@mail.activedir.org; Mathieu CHATEAU
> Subject: RE: [ActiveDir] Forestprep Failure
>
>
>
> To try and answer everyone's question all at once...
>
> At this point, we don't have Exchange running in our test environment, we do 
> have copies of the servers there, but have not re-added them to the domain to 
> bring them up.  I don't think that having the actual Exchange servers online 
> should really matter at this point since all that FORESTPREP is attempting to 
> do is extend the schema which already contain the extensions that Exchange 
> 2003 had made previously.
>
> Mark, yes, I am absolutely sure SFU had not been installed or more 
> importantly, ever extended the schema.  Just to be sure, I contacted 
> Microsoft this morning and requested the hotfix for it and when I ran it, it 
> could not find the schema extensions SFU would have made.
>
> Could you elaborate a little more on what you mean by running Schema Admins 
> empty?  At this point, I have my account added to the Schema Admins so I can 
> (hopefully) perform the FORESTPREP.
>
> ~Ben
>
>
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> Sent: Thursday, July 06, 2006 1:42 PM
> To: ActiveDir@mail.activedir.org; 'Mathieu CHATEAU'
> Subject: RE: [ActiveDir] Forestprep Failure
>
>
>
> Ben,
>
>
> Are you sure SFU has not been installed? Do you run Schema Admins Empty?
>
> Mark
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
> Sent: 06 July 2006 21:13
> To: Mathieu CHATEAU
> Cc: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Forestprep Failure
>
>
>
> Hello Mathieu,
>
> Yes, we run a fairly simple domain setup.  Single domain, single forest.
>
> We are running in Windows 2000 native mode for domain and forest.  Exchange 
> 2003 is also in native mode.
>
> And nice catch on SMS, I deployed it myself and should've remembered to 
> mention that.  We do have SMS 2003 in our environment with the schema 
> extended of course.
>
> ~Ben
>
>
>
> ________________________________
>
> From: Mathieu CHATEAU [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 06, 2006 11:21 AM
> To: WATSON, BEN
> Cc: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Forestprep Failure
>
>
>
> Hello BEN,
>
>
>
>
>
> are you in Windows 2000 native mode ? the forest too ? exchange native mode ?
>
>
>
> Do you have SMS ? it extends the schema as well.
>
>
>
>
>
> Cheers,
>
> Mathieu CHATEAU
>
>
>
> Thursday, July 6, 2006, 7:43:21 PM, you wrote:
>
>
>
> >
>
> I am working to perform a domain upgrade from 2000 to 2003 R2 and I am 
> running into problems right from the start when attempting an ADPREP 
> /FORESTPREP.  The domain also has Exchange 2003 running as well.  Also, we 
> have never extended the schema with Services for Unix 2.0 which I know can 
> create some issues as well.
>
>
>
> I am currently working in a test environment in which we took a recent full 
> tape backup of one of our domain controllers, and restored it in a separate 
> network.  As this is a test environment, this restored domain controller is 
> the ONLY domain controller in existence and all FSMO roles have been 
> transferred to it.
>
>
>
> Here is the output from my ADPREP /FORESTPREP attempt.  I'm looking for 
> assistance on how to fix these schema attributes so the FORESTPREP will be 
> successful.  As I'm working in a test environment, I am afforded the ability 
> to make the necessary changes and see what it breaks to determine what made 
> these schema changes (if anything).
>
>
>
> C:\WIN2K3R2\CMPNENTS\R2\ADPREP>adprep /forestprep
>
>
>
> ADPREP WARNING:
>
>
>
> Before running adprep, all Windows 2000 domain controllers in the forest 
> should
>
> be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to 
> Windows
>
> 2000 SP2 (or later).
>
>
>
> QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent 
> poten
>
> tial domain controller corruption.
>
>
>
> For more information about preparing your forest and domain see KB article 
> Q3311
>
> 61 at http://support.microsoft.com <http://support.microsoft.com> .
>
>
>
> [User Action]
>
> If ALL your existing Windows 2000 domain controllers meet this requirement, 
> type
>
>  C and then press ENTER to continue. Otherwise, type any other key and press 
> ENT
>
> ER to quit.
>
>
>
> c
>
>
>
> =============================================================================
>
> "attributeSyntax" attribute value for objects defined in Windows 2000 schema 
> and
>
>  extended schema do not match.
>
>
>
> A previous schema extension has defined the attribute value as "2.5.5.5" for 
> obj
>
> ect "CN=uid,CN=Schema,CN=Configuration,DC=appsig,DC=com" differently than the 
> sc
>
> hema extension needed for Windows 2003 server .
>
> [Status/Consequence]
>
> Adprep cannot extend your existing schema
>
> [User Action]
>
> Contact the vendor of the application that previously extended the schema to 
> res
>
> olve the inconsistency. Then run adprep again.
>
>
>
> =============================================================================
>
> "attributeId" attribute value for objects defined in Windows 2000 schema and 
> ext
>
> ended schema do not match.
>
>
>
> A previous schema extension has defined the attribute value as 
> "1.2.840.113556.1
>
> .4.7000.233.28688.28684.8.192196.1165976.1266044.855334" for object 
> "CN=roomNumb
>
> er,CN=Schema,CN=Configuration,DC=appsig,DC=com" differently than the schema 
> exte
>
> nsion needed for Windows 2003 server .
>
> [Status/Consequence]
>
> Adprep cannot extend your existing schema
>
> [User Action]
>
> Contact the vendor of the application that previously extended the schema to 
> res
>
> olve the inconsistency. Then run adprep again.
>
>
>
> =============================================================================
>
> "isSingleValued" attribute value for objects defined in Windows 2000 schema 
> and
>
> extended schema do not match.
>
>
>
> A previous schema extension has defined the attribute value as "TRUE" for 
> object
>
>  "CN=roomNumber,CN=Schema,CN=Configuration,DC=appsig,DC=com" differently than 
> th
>
> e schema extension needed for Windows 2003 server .
>
> [Status/Consequence]
>
> Adprep cannot extend your existing schema
>
> [User Action]
>
> Contact the vendor of the application that previously extended the schema to 
> res
>
> olve the inconsistency. Then run adprep again.
>
>
>
>
>
>
>
>
>
> --
>
> Best regards,
>
>  Mathieu                            mailto:[EMAIL PROTECTED] <mailto:[EMAIL 
> PROTECTED]>
>
>
>
.Böv
rzöv
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx