Also note you could use the schema documentation tool found here: http://msdn.microsoft.com/library/default.asp?url= if you feel that you may have a schema extension referring to this attribute as well.  Simply look at the containedIn field for UID.

Thanks,

-Steve
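
One way to answer the may-contain question offline, as an added example (not code from the thread): export the schema partition to LDIF and list every classSchema object that names the attribute in mayContain, systemMayContain, mustContain or systemMustContain. The sample LDIF, its class names and DC=example,DC=com are constructed, and the sketch assumes the export lists these references by lDAPDisplayName.

```python
# Class-definition attributes that can hold a reference to an attribute.
REF_FIELDS = ("mustContain", "systemMustContain", "mayContain", "systemMayContain")

def parse_ldif(text):
    """Yield each LDIF entry as {lower-cased attribute name: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold a continuation line
        elif not raw.startswith("#"):
            lines.append(raw)
    for block in "\n".join(lines).split("\n\n"):
        entry = {}
        for line in filter(None, block.split("\n")):
            name, _, value = line.partition(":")
            entry.setdefault(name.lower(), []).append(value.strip())
        if entry:
            yield entry

def classes_referencing(ldif_text, attr):
    """Return {class lDAPDisplayName: [fields that list attr]}."""
    want, hits = attr.lower(), {}
    for e in parse_ldif(ldif_text):
        if "classSchema" not in e.get("objectclass", []):
            continue                          # attribute definitions are skipped
        fields = [f for f in REF_FIELDS
                  if want in (v.lower() for v in e.get(f.lower(), []))]
        if fields:
            hits[e["ldapdisplayname"][0]] = fields
    return hits

# Constructed sample export; class names and DC=example,DC=com are made up.
SAMPLE_LDIF = """\
dn: CN=Contoso-Person,CN=Schema,CN=Configuration,
 DC=example,DC=com
objectClass: classSchema
lDAPDisplayName: contosoPerson
mayContain: roomNumber
mayContain: uid

dn: CN=Contoso-Device,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: classSchema
lDAPDisplayName: contosoDevice
systemMayContain: uid

dn: CN=uid,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: uid
"""
```

Each class returned still has to drop the attribute from the listed field before the attribute can be made defunct, which is the reference the "used in may-contain" error is reporting.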

 

From: Steve Linehan
Sent: Tuesday, July 18, 2006 10:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forestprep Failure

 

Unless something else has extended the schema you should be able to look at the definition in MSDN and find the classes it is used in (http://msdn.microsoft.com/library/default.asp?url=).  In your case you only care about the 2003 classes since that is the version of the schema that you are running.  Remember to put these back once you are finished and, of course, as always test your procedure in a test environment to ensure success in production.

Thanks,

-Steve

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, July 18, 2006 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forestprep Failure

 

Hello all,

 

I am at the point where I now have a smooth running Windows 2003 forest and domain with the one exception of the UID attribute which I bypassed thanks to the hidden ADPREP switch Steve informed me of.

 

So I am now attempting to go back and defunct this UID attribute so I can repair it.  Unfortunately, I am unable to do so at this point.  When attempting to defunct the object through Active Directory Schema, I receive an error stating it cannot be done because "this schema object may be in use as part of the definition of another schema object".  When attempting to set the isDefunct attribute within UID to TRUE via ADSIEDIT, I receive a more informative error, "Schema deletion failed: attribute is used in may-contain."

 

How can I find out which attributes have UID as part of the may-contain attribute so I can defunct this attribute?  If you might have any further advice for me I would greatly appreciate it.

 

I've been doing my best to study the schema over the past few days thanks to Joe's Active Directory book, however I'll readily admit that advanced searching and filtering are still beyond my grasp at this point.

 

Thanks,

~Ben

 


From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Thu 7/6/2006 10:19 PM
To: ActiveDir@mail.activedir.org; Mathieu CHATEAU
Subject: RE: [ActiveDir] Forestprep Failure

Ben,
  These errors generally occur when a third party application has extended the schema and it conflicts with the base schema we are trying to put in place.  There were many conflicts found during the initial upgrades to Windows Server 2003, which is why additional information was put into adprep to help guide you.  In the past it failed with a generic conflict error not telling you what attributes it had issues with.  In your case you appear to have a problem with the Attribute Syntax for UID and an OID conflict with roomnumber as well as issinglevalue mismatch with roomnumber.  The OID for RoomNumber that you gave below used to be in a sample application that showed how to extend the schema, and unfortunately many third party developers took the OID value in the sample code as literal and used it when defining their objects for schema extensions even though they were told to provide a unique OID.  The sample code was pulled but there are still many applications out there that used the literal OID value in the sample.  Since you are running Windows 2000 you do not have a way to defunct these.  Do you know what application is using the information in the roomnumber attribute?  I would suggest in a test environment renaming the roomnumber attribute using the following steps:

a. Open ldp on the Schema FSMO (make sure you have checked the option "The Schema may be modified on this Domain Controller" using the Schema Manager Snap-in).
b. From the Connection menu option select Bind.
c. Type in the user name, password and domain name (use a schema admin account) and keep (NTLM/Kerberos) checked. Click OK.
d. From the View Menu option select Tree and type the following in the field (BaseDN:) cn=roomNumber,cn=schema,cn=configuration,dc=….. Click OK
e. On the left pane, double click CN=roomNumber...
f. Right click on the roomNumber attribute and select Modify
g. In the attribute text field add lDAPDisplayName.
h. In the Value field give this to OldroomNumber.
i. Select the replace radio button.
j. Click Enter to add to the Entry List
k. Click Run to confirm success in left pane.
l. Remove the attribute from the entry list.
m. In the attribute text field add adminDisplayName.
n. In the Value field type OldRoomNumber
o. Select the replace radio button.
p. Click Enter to add to the Entry List
q. Click Run to confirm success in left pane.
r. Right click on CN=roomNumber... and select rename.
s. Enter in the old DN field the current DN of roomNumber.
t. Enter in the new DN field OldroomNumber
u. Confirm Delete Old and Synchronous are selected and click Run.
v. Exit from ldp.

This should allow the roomNumber attribute in the base Windows Server 2003 Schema to be imported.  You would of course need to update the third party application to point to the renamed attribute or import the data in the OldRoomNumber attribute to the new RoomNumber attribute and hope that none of the values were multivalued and that the application was not referring to it by OID.

Next you need to address the syntax of the UID attribute.  We are expecting the syntax to be String (Unicode) 2.5.5.12, not String (Printable) 2.5.5.5.  This problem is tougher as there is not a supported way to change the syntax of an attribute, and renaming it will not work since the OID is the one we are expecting.  Yes, there are ways it can be done, but it would leave you in an unsupportable state.  To fix this issue I would recommend running ADPREP /forestprep /nosyntaxcheck.  Yes, this is a hidden switch and should only be used in cases where one cannot make changes to the conflicting attribute to make it compliant with the base schema.  Also note you must be using ADPREP from SP1 or a QFE that was used to distribute adprep from SP1 to use this switch.  You can then upgrade to Windows Server 2003 and, after this is successful, take the forest to Windows Server 2003 Forest Functional Level, which will allow you to defunct this attribute and fix it to match the expected definition.  Note in both cases you may break the third party application that defined these values that are in conflict.  I would suggest testing to ensure that the third party application works after making the above changes or that steps are taken to mitigate the loss of functionality in the third party application.  I would also suggest opening a case with Microsoft Support if further assistance or issues arise and fully testing before doing any of this in production.

 

Thanks,

-Steve

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Thursday, July 06, 2006 4:34 PM
To: ActiveDir@mail.activedir.org; Mathieu CHATEAU
Subject: RE: [ActiveDir] Forestprep Failure

 

To try and answer everyone’s question all at once…

At this point, we don’t have Exchange running in our test environment. We do have copies of the servers there, but have not re-added them to the domain to bring them up.  I don’t think that having the actual Exchange servers online should really matter at this point since all that FORESTPREP is attempting to do is extend the schema, which already contains the extensions that Exchange 2003 had made previously.

Mark, yes, I am absolutely sure SFU had not been installed or more importantly, ever extended the schema.  Just to be sure, I contacted Microsoft this morning and requested the hotfix for it and when I ran it, it could not find the schema extensions SFU would have made.

Could you elaborate a little more on what you mean by running Schema Admins empty?  At this point, I have my account added to the Schema Admins so I can (hopefully) perform the FORESTPREP.

~Ben

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, July 06, 2006 1:42 PM
To: ActiveDir@mail.activedir.org; 'Mathieu CHATEAU'
Subject: RE: [ActiveDir] Forestprep Failure

 

Ben,


Are you sure SFU has not been installed? Do you run Schema Admins Empty?

Mark


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: 06 July 2006 21:13
To: Mathieu CHATEAU
Cc: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forestprep Failure

 

Hello Mathieu,

Yes, we run a fairly simple domain setup.  Single domain, single forest.

We are running in Windows 2000 native mode for domain and forest.  Exchange 2003 is also in native mode.

And nice catch on SMS, I deployed it myself and should’ve remembered to mention that.  We do have SMS 2003 in our environment with the schema extended of course.

~Ben

 


From: Mathieu CHATEAU [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 06, 2006 11:21 AM
To: WATSON, BEN
Cc: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Forestprep Failure

 

Hello BEN,

 

 

Are you in Windows 2000 native mode? The forest too? Exchange native mode?

 

Do you have SMS? It extends the schema as well.

 

 

Cheers,

Mathieu CHATEAU

 

Thursday, July 6, 2006, 7:43:21 PM, you wrote:

 

> 

I am working to perform a domain upgrade from 2000 to 2003 R2 and I am running into problems right from the start when attempting an ADPREP /FORESTPREP.  The domain also has Exchange 2003 running as well.  Also, we have never extended the schema with Services for Unix 2.0 which I know can create some issues as well.

 

I am currently working in a test environment in which we took a recent full tape backup of one of our domain controllers, and restored it in a separate network.  As this is a test environment, this restored domain controller is the ONLY domain controller in existence and all FSMO roles have been transferred to it.

 

Here is the output from my ADPREP /FORESTPREP attempt.  I’m looking for assistance on how to fix these schema attributes so the FORESTPREP will be successful.  As I’m working in a test environment, I am afforded the ability to make the necessary changes and see what it breaks to determine what made these schema changes (if anything).

 

C:\WIN2K3R2\CMPNENTS\R2\ADPREP>adprep /forestprep

ADPREP WARNING:

Before running adprep, all Windows 2000 domain controllers in the forest should
be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows
2000 SP2 (or later).

QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent poten
tial domain controller corruption.

For more information about preparing your forest and domain see KB article Q3311
61 at http://support.microsoft.com.

[User Action]
If ALL your existing Windows 2000 domain controllers meet this requirement, type
 C and then press ENTER to continue. Otherwise, type any other key and press ENT
ER to quit.

c

=============================================================================
"attributeSyntax" attribute value for objects defined in Windows 2000 schema and
 extended schema do not match.

A previous schema extension has defined the attribute value as "2.5.5.5" for obj
ect "CN=uid,CN=Schema,CN=Configuration,DC=appsig,DC=com" differently than the sc
hema extension needed for Windows 2003 server .
[Status/Consequence]
Adprep cannot extend your existing schema
[User Action]
Contact the vendor of the application that previously extended the schema to res
olve the inconsistency. Then run adprep again.

=============================================================================
"attributeId" attribute value for objects defined in Windows 2000 schema and ext
ended schema do not match.

A previous schema extension has defined the attribute value as "1.2.840.113556.1
.4.7000.233.28688.28684.8.192196.1165976.1266044.855334" for object "CN=roomNumb
er,CN=Schema,CN=Configuration,DC=appsig,DC=com" differently than the schema exte
nsion needed for Windows 2003 server .
[Status/Consequence]
Adprep cannot extend your existing schema
[User Action]
Contact the vendor of the application that previously extended the schema to res
olve the inconsistency. Then run adprep again.

=============================================================================
"isSingleValued" attribute value for objects defined in Windows 2000 schema and
extended schema do not match.

A previous schema extension has defined the attribute value as "TRUE" for object
 "CN=roomNumber,CN=Schema,CN=Configuration,DC=appsig,DC=com" differently than th
e schema extension needed for Windows 2003 server .
[Status/Consequence]
Adprep cannot extend your existing schema
[User Action]
Contact the vendor of the application that previously extended the schema to res
olve the inconsistency. Then run adprep again.

 

 

 

 

-- 

Best regards,

 Mathieu                            mailto:[EMAIL PROTECTED]
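
The adprep conflict report quoted above, reduced to one record per schema object, as an added example that is not part of the original thread. The parser undoes the fixed-column console wrapping before matching; the function name is an assumption and the sample is excerpted from the output on this page.

```python
import re
from collections import defaultdict

CONFLICT = re.compile(
    r'"(?P<field>\w+)" attribute value for objects defined in .*?'
    r'defined the attribute value as "(?P<value>[^"]+)" '
    r'for object "(?P<dn>[^"]+)"')

def parse_adprep_conflicts(console_text):
    """Return {schema object DN: {conflicting field: existing value}}."""
    conflicts = defaultdict(dict)
    for block in re.split(r"^=+\s*$", console_text, flags=re.M):
        # The console wraps at a fixed column, even mid-word, so joining the
        # non-empty lines with nothing in between restores split tokens.
        joined = "".join(l for l in block.splitlines() if l.strip())
        m = CONFLICT.search(joined)
        if m:
            conflicts[m["dn"]][m["field"]] = m["value"]
    return dict(conflicts)

# Excerpt of the adprep output quoted in this thread, wrapped as on the console.
SAMPLE = '''\
=============================================================================
"attributeSyntax" attribute value for objects defined in Windows 2000 schema and
 extended schema do not match.

A previous schema extension has defined the attribute value as "2.5.5.5" for obj
ect "CN=uid,CN=Schema,CN=Configuration,DC=appsig,DC=com" differently than the sc
hema extension needed for Windows 2003 server .
[Status/Consequence]
Adprep cannot extend your existing schema
=============================================================================
"attributeId" attribute value for objects defined in Windows 2000 schema and ext
ended schema do not match.

A previous schema extension has defined the attribute value as "1.2.840.113556.1
.4.7000.233.28688.28684.8.192196.1165976.1266044.855334" for object "CN=roomNumb
er,CN=Schema,CN=Configuration,DC=appsig,DC=com" differently than the schema exte
nsion needed for Windows 2003 server .
=============================================================================
"isSingleValued" attribute value for objects defined in Windows 2000 schema and
extended schema do not match.

A previous schema extension has defined the attribute value as "TRUE" for object
 "CN=roomNumber,CN=Schema,CN=Configuration,DC=appsig,DC=com" differently than th
e schema extension needed for Windows 2003 server .
'''
```

Grouping by DN shows at a glance that roomNumber carries two conflicts (attributeId and isSingleValued) while uid carries only the attributeSyntax one.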
