ADPREP failure on Win2K server

Dan Hawker

Hi All,
Trying to update our Win2K domain so that we can allow a
Server 2003 machine to join and be a DC. Have run through
the usual MS guides, however it just fails. Have looked at
the adprep log, and it seems it can't update the schema
master for whatever reason. It seems to hit a problem at
the x.500 container in the LDAP stuff. It seems that is
the problem, but why??? Do I need to *repair* my AD or
similar.

We have 4 DC's here, all are SP4, all apart from this,
work fine.

Any thoughts or indeed hopefully answers gratefully
received.

I've added my adprep.log and ldif.log file below.

TIA

Dan Hawker

Here are the logs...

-----

Adprep.log


Adprep was unable to upgrade the schema on the schema master.
[Status/Consequence] The schema will not be restored to its original state.
[User Action] Check the Ldif.err log file in the C:\WINNT\system32\debug\adprep\logs\20040107095701 directory for detailed information.

Adprep set the value of registry key System\CurrentControlSet\Services\NTDS\Parameters\Schema Update Allowed to 1

Adprep was unable to update forest-wide information.
[Status/Consequence] Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.
[User Action] Check the log file, Adprep.log, in the C:\WINNT\system32\debug\adprep\logs\20040107095701 directory for more information.

-------------
ldif.log

Connecting to "CANFORD-W2K"
Logging in as current user using SSPI
Importing directory from file "C:\WINNT\system32\sch18.ldf"
Loading entries
1: CN=ms-Exch-Assistant-Name,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry DN: CN=ms-Exch-Assistant-Name,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry modified successfully.
2: CN=ms-Exch-LabeledURI,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry DN: CN=ms-Exch-LabeledURI,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry modified successfully.
3: (null)
Entry DN: (null)
Entry modified successfully.
4: CN=ms-Exch-Assistant-Name,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry DN: CN=ms-Exch-Assistant-Name,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry modified successfully.
5: CN=ms-Exch-LabeledURI,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry DN: CN=ms-Exch-LabeledURI,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry modified successfully.
6: (null)
Entry DN: (null)
Entry modified successfully.
7: CN=uid,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry DN: CN=uid,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry modified successfully.
8: CN=audio,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry DN: CN=audio,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry modified successfully.
9: CN=photo,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry DN: CN=photo,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry modified successfully.
10: CN=jpegPhoto,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry DN: CN=jpegPhoto,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry modified successfully.
11: CN=secretary,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry DN: CN=secretary,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry modified successfully.
12: CN=userPKCS12,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry DN: CN=userPKCS12,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry modified successfully.
13: CN=carLicense,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry DN: CN=carLicense,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry modified successfully.
14: CN=labeledURI,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry DN: CN=labeledURI,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry modified successfully.
15: CN=roomNumber,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry DN: CN=roomNumber,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry modified successfully.
16: CN=uniqueMember,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry DN: CN=uniqueMember,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry modified successfully.
17: CN=departmentNumber,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry DN: CN=departmentNumber,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry modified successfully.
18: CN=unstructuredName,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry DN: CN=unstructuredName,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry modified successfully.
19: CN=preferredLanguage,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry DN: CN=preferredLanguage,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry modified successfully.
20: CN=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Entry DN: CN=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=hamlet,DC=canford,DC=com
Add error on line 275: Unwilling To Perform
The server side error is "Schema update failed in recalculating validation cache."
19 entries modified successfully.
An error has occurred in the program


-----------
 
Matjaz Ladava [MVP]

Have you implemented any AD schema changes that could be incompatible with
Windows Server 2003 schema extensions ? Any third party software ?

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

Dan Hawker

Nothing out of the ordinary I can think of. I did add a
couple ages ago to allow AD integration (ie
authentication, etc) for our Mac OS X clients. Could this
be the cause. IIRC, there was a couple of added schema
additions, but mainly it uses the Services for UNIX
additions. It uses the userSharedFolderOther amongst
others to allow the OS X machines to authenticate over
LDAP.

Could this be the problem???
If so, how do I fix it, given that W2K doesn't allow for
the removal of added schema entries in the AD???


Eric Fleischman [MSFT]

Not only is the answer to this "yes" I can probably tell you what: I bet
you've gone ahead and implemented the Apple schema extensions.

The short answer is that you have a conflicted OID (2.5.4.45) which is
causing the issue. I bet the attribute is unixid, a "suggested" attribute
from Apple's website. Their site had a doc that talked about OS X and AD in
w2k compat and suggested adding this attribute. People unfortunately used
their example OID exactly and that happened to be 2.5.4.45 which is in the
MS OID space.

Can you ldif dump your schema and send it to me offline (just remove the
'online' from my email address) so I can look to see if this is in fact your
issue?

Thanks!
~Eric

--
Eric Fleischman [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


Eric Fleischman [MSFT]

Ah, my other post was correct.
There is no way to remove, as you noted.

The most elegant way around this:
1) comment out the offending section of sch18.ldf (x500UniqueIdentifier)
2) Run adprep, do the upgrade
3) get to w2k03 forest functional level (this of course means no w2k or nt4
dc's in the whole forest ever again)
4) defunct the offending schema extension (unixid I bet)
5) import the section you commented out in step 1

~Eric


--
Eric Fleischman [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
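
Added example (not code from the thread or from Microsoft): a pre-flight check for the OID conflict Eric describes, which also locates the section that step 1 of his procedure holds back. It compares a schema dump with an upgrade LDIF and reports every incoming entry whose attributeID/governsID or lDAPDisplayName already belongs to a different schema object, with that entry's line range in the upgrade file. Both LDIF samples are constructed, the `unixid` entry follows Eric's guess, and all function names are hypothetical.

```python
from collections import defaultdict

# Constructed excerpt of an existing schema dump. The unixid entry follows the
# guess made in the thread; the second OID is a made-up placeholder.
EXISTING_SCHEMA_LDIF = """\
dn: CN=unixid,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: attributeSchema
attributeID: 2.5.4.45
lDAPDisplayName: unixid

dn: CN=sample-Attr,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.99999.1.1
lDAPDisplayName: sampleAttr
"""

# Constructed excerpt in the style of an upgrade file. The second dn is folded
# onto a continuation line (leading space) to exercise LDIF unfolding.
UPGRADE_LDIF = """\
dn: CN=preferredLanguage,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
attributeID: 2.16.840.1.113730.3.1.39
lDAPDisplayName: preferredLanguage

dn: CN=x500uniqueIdentifier,CN=Schema,
 CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
attributeID: 2.5.4.45
lDAPDisplayName: x500uniqueIdentifier
"""


def parse_ldif(text):
    """Split LDIF text into records, unfolding continuation lines.

    Attribute names are lower-cased; base64 ("::") values are not decoded.
    Each record keeps the 1-based first and last line it occupies.
    """
    records, cur, last_key = [], None, None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("#"):
            continue
        if not raw.strip():            # blank line ends the current record
            cur, last_key = None, None
            continue
        if raw.startswith(" ") and cur is not None and last_key:
            cur["attrs"][last_key][-1] += raw[1:]   # folded continuation
            cur["last_line"] = lineno
            continue
        key, sep, value = raw.partition(":")
        if not sep:                    # e.g. "-" separators in modify records
            continue
        if cur is None:
            cur = {"first_line": lineno, "last_line": lineno,
                   "attrs": defaultdict(list)}
            records.append(cur)
        last_key = key.strip().lower()
        cur["attrs"][last_key].append(value.strip())
        cur["last_line"] = lineno
    return records


def rdn(dn):
    """First component of a DN, lower-cased, used to tell objects apart."""
    return dn.split(",", 1)[0].strip().lower()


def find_conflicts(existing_text, upgrade_text):
    """Report upgrade 'add' entries that reuse an OID or display name
    already held by a differently named object in the existing schema."""
    by_oid, by_name = {}, {}
    for rec in parse_ldif(existing_text):
        a = rec["attrs"]
        dn = a.get("dn", ["?"])[0]
        for oid in a.get("attributeid", []) + a.get("governsid", []):
            by_oid[oid] = dn
        for name in a.get("ldapdisplayname", []):
            by_name[name.lower()] = dn

    conflicts = []
    for rec in parse_ldif(upgrade_text):
        a = rec["attrs"]
        # Any changetype ending in "add" is treated as an add operation.
        if not any(c.lower().endswith("add") for c in a.get("changetype", [])):
            continue
        dn = a.get("dn", ["?"])[0]
        checks = [("oid", o, by_oid.get(o))
                  for o in a.get("attributeid", []) + a.get("governsid", [])]
        checks += [("lDAPDisplayName", n, by_name.get(n.lower()))
                   for n in a.get("ldapdisplayname", [])]
        for kind, value, owner in checks:
            # Same RDN means the object is already present, not a collision.
            if owner and rdn(owner) != rdn(dn):
                conflicts.append({"kind": kind, "value": value,
                                  "incoming_dn": dn, "existing_dn": owner,
                                  "lines": (rec["first_line"], rec["last_line"])})
    return conflicts


if __name__ == "__main__":
    for c in find_conflicts(EXISTING_SCHEMA_LDIF, UPGRADE_LDIF):
        print("%s %s: %s (upgrade file lines %d-%d) collides with %s"
              % (c["kind"], c["value"], c["incoming_dn"],
                 c["lines"][0], c["lines"][1], c["existing_dn"]))
```

Run against a real schema dump and the upgrade file, the reported line range is the block to hold back in step 1 and re-import in step 5.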


Dan Hawker

Eric,

Thanks for your reply, seems the OSX -> AD integration is
the killer :(

Your method does indeed seem the most elegant, however is
there another less elegant option??? We originally wanted
to add the 2K3 server to speed up xp clients when they
logon to the domain (still fairly slow). We presently have
the 2K3 server running SUS and nothing else (a waste).
Presently although we plan to upgrade the others to 2K3 in
time, we can't really do that until we have tested our
email server is OK on 2K3 along with any number of other
strange software we have on the servers. One for instance
is some strange library management software (I work at a
school in the UK).

All this added to the fact we still require the OSX
authentication means I cannot use your solution if it
requires (as I presume from your post) for no 2K DC's on
our domain.

As you mentioned there is no way of deleting added schema
extensions, however as I will still need the OS X
authentication (some 40% of our clients are Mac OS) and
can't really swap all servers to 2K3 until later in the
year (probably summer holidays) can I change the schema
entries so that they are no longer in the same MS OID
space??? ie can I just change the attributes properties???
Would this then allow the adprep to work OK and upgrade
the AD???
If not, I guess we'll have to hold back from adding this
2K3 server as a DC for our domain until we can do
something about it in the summer.

Thanks

Dan

-----Original Message-----
Ah, my other post was correct.
There is no way to remove, as you noted.

The most elegant way around this:
1) comment out the offending section of sch18.ldf (x500UniqueIdentifier)
2) Run adprep, do the upgrade
3) get to w2k03 forest functional level (this of course means no w2k or nt4
dc's in the whole forest ever again)
4) defunct the offending schema extension (unixid I bet)
5) import the section you commented out in step 1

~Eric


--
Eric Fleischman [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


Nothing out of the ordinary I can think of. I did add a
couple ages ago to allow AD integration (ie
authentication, etc) for our Mac OS X clients. Could this
be the cause? IIRC, there were a couple of added schema
additions, but mainly it uses the Services for UNIX
additions. It uses the userSharedFolderOther amongst
others to allow the OS X machines to authenticate over
LDAP.

Could this be the problem???
If so, how do I fix it, given that W2K doesn't allow for
the removal of added schema entries in the AD???


-----Original Message-----
Have you implemented any AD schema changes that could be
incompatible with Windows Server 2003 schema extensions?
Any third party software?

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

.


.
 
E

Eric Fleischman [MSFT]

> As you mentioned there is no way of deleting added schema
> extensions, however as I will still need the OS X
> authentication (some 40% of our clients are Mac OS) and
> can't really swap all servers to 2K3 until later in the
> year (probably summer holidays) can I change the schema
> entries so that they are no longer in the same MS OID
> space??? ie can I just change the attribute's properties???
> Would this then allow the adprep to work OK and upgrade
> the AD???

Unfortunately not. We can't change OID's like this on the fly. That would be
the same effectively as deleting an attribute in some contexts so it isn't
allowed by the directory.

> Your method does indeed seem the most elegant, however is
> there another less elegant option???

Hehe....well, not one that I can think of off the top of my head, but maybe
others have one. That's just all I've got. :)

I totally understand the pain in having to go to w2k03 all over to really
finish this. Since I haven't tested stopping at step 2 for an extended
period of time I would be doing you a disservice if I were to just say "go
ahead and do it" as I don't know what the ramifications might be of doing
that for an extended period of time.

I also don't know what impact the OS X clients would feel if unixid were
removed or readded with a different OID. That is something that I'm sure
Apple could answer with certainty.

I'm sorry, this is the best answer I've got. If you have any further
questions/thoughts/comments please do holler. For what it's worth, you won't
have this issue again when you get to w2k03 (as we can defunct attributes at
that point).
~Eric

--
Eric Fleischman [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm



.


.
 
F

Florian

I've experienced the same problem - the ldif updater
script in /forestprep trips over AttributeID 2.5.4.45 -
the unixid attribute created for *nix authentication.

I have tried to manually edit the property values of this
attribute. Basically, I am entering the values for the
x500uniqueIdentifier into the schema using ADSI Edit.exe
so I can then comment out that attribute in the update
script.

Of course it doesn't let me save changes to the
cn/canonicalName so I am kind of stuck. Is it safe to
delete unixid using ADSI Edit?

Currently, no Mac/Unix clients need to authenticate using
LDAP.

thx

florian
 
E

Eric Fleischman [MSFT]

adsiedit isn't going to let you delete the attribute. Attributes can not be
deleted from the schema, only defuncted. And once you do that, with w2k you
still can't reuse the oid. That requires forest functional level increases
once you have w2k03 in the environment.

~Eric
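
A pre-flight check for the collision diagnosed in this thread (an existing attribute already holding attributeID 2.5.4.45), added here as an example and not written by any poster or by Microsoft: it compares an LDIF export of the live schema with a pending schema update file and reports every attributeID or lDAPDisplayName already owned by a differently named object. Both LDIF fragments, the example.com naming context and the function names are constructed assumptions; the second fragment is not the real sch18.ldf.

```python
import base64

# Constructed sample: fragment of an LDIF export of the live schema.
EXISTING_SCHEMA = """\
dn: CN=unixid,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
attributeID: 2.5.4.45
lDAPDisplayName: unixid
"""

# Constructed sample in the style of a schema update file (not the real sch18.ldf).
PENDING_UPDATE = """\
# constructed entries; the first DN is folded as RFC 2849 allows
dn: CN=x500uniqueIdentifier,CN=Schema,CN=Configuration,
 DC=example,DC=com
changetype: add
objectClass: attributeSchema
attributeID: 2.5.4.45
lDAPDisplayName: x500uniqueIdentifier

dn: CN=carLicense,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: attributeSchema
attributeID: 2.16.840.1.113730.3.1.1
lDAPDisplayName: carLicense
"""

def parse_ldif(text):
    """Parse an RFC 2849 subset into a list of {attr_lower: [values]} records."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of a folded line
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded + [""]:              # trailing "" flushes the last record
        if line.startswith("#") or line == "-":
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return records

def rdn(record):
    # Naive split: does not handle escaped commas inside the RDN.
    return record.get("dn", ["?"])[0].split(",")[0]

def find_conflicts(existing, pending):
    """Return (key, value, existing_owner, pending_entry) for each collision."""
    conflicts = []
    for key in ("attributeid", "ldapdisplayname"):
        owners = {v.lower(): rdn(r) for r in existing for v in r.get(key, [])}
        for rec in pending:
            for v in rec.get(key, []):
                owner = owners.get(v.lower())
                if owner and owner.lower() != rdn(rec).lower():
                    conflicts.append((key, v, owner, rdn(rec)))
    return conflicts

if __name__ == "__main__":
    for c in find_conflicts(parse_ldif(EXISTING_SCHEMA), parse_ldif(PENDING_UPDATE)):
        print("conflict on %s=%s: held by %s, wanted by %s" % c)
```

Run against real exports, an empty result means no pending entry claims an OID or display name that another schema object already holds; it only covers attributes, not class governsID values.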
 
