Forest Prep Failure due to OS X Schema

Taylor555

Currently having an issue with upgrading 4dc to win2k3, when an adprep
/forestprep is done it returns an error in the ldif logs saying

"20:
CN=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=mbi,DC=ufl,DC=edu
Entry DN:
CN=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=mbi,DC=ufl,DC=edu
Add error on line 275: Unwilling To Perform"

the DC has had the OS X Schema update applied to it several years ago,
it is no longer needed.

I have attempted to follow the KB Article >
http://support.microsoft.com/?kbid=887426 < and it's only until I get
up to Part 3 where I start getting confused.

part 3 step b (with dc=forest,dc=root replaced with my domain) giving
me an error.

Connecting to "servername.domain.domain.domain.domain"
Logging in as current user using SSPI
Importing directory from file "rename.txt"
Error occured during initialization
File operation failure
0 entries modified successfully.
An error has occurred in the program

i have noticed that when running that step it tries to import a file
called rename.txt, but where does the file come from? it's not being
generated from anyplace that i can tell unless you remove the -i from
the command in part 3 step b, but this means that microsoft made a typo
which is kinda unlikely.

We have 4DCs here each running win2k SP, I have our 4 DCs in a test
environment which is an exact replica of the production environment, so
I can afford to play around with some things.


any advice?
 
Ace Fekay [MVP]

If you read the rest of that article, the next grayed out box has the
rename.txt that you have to create by copying and pasting into notepad, then
save it to a location you can run ldifde from. You can save it to C: drive,
then run ldifde from C: drive so it can find rename.txt. For your
convenience, I am copying/pasting the ldif file (rename.txt) here. You can
copy and paste it from here or from the article. Give that a shot and report
back if you still have problems.

Copy and paste what is between the "===" lines but do not copy the "==="
line itself.
=================================
# Script to recover from Apple's use of W2K3 object identifier 2.5.4.45
#
# Run this script on the Windows 2000 Schema FSMO
# SYNTAX C:> ldifde -i -f rename.txt -v -c DC=X dc=forest,dc=root
# Note: replace dc=forest,dc=root with the forest root for your enterprise

dn: CN=unixID,CN=Schema,CN=Configuration,DC=X
changetype: Modify
replace: lDAPDisplayName
lDAPDisplayName: x500uniqueIdentifier
-

dn: CN=unixID,CN=Schema,CN=Configuration,DC=X
changetype: modrdn
newrdn: cn=x500uniqueIdentifier
deleteoldrdn: 1
-

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
=================================


--
Regards,
Ace

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
 
Taylor555

ah, that was logical.

This is the output.

Connecting to "servername.domain.domain.domain.domain"
Logging in as current user using SSPI
Importing directory from file "rename.txt"
Loading entries
1:
CN=unixID,CN=Schema,CN=Configuration,dc=domain,dc=domain,dc=domain,dc=domain
Entry modified successfully.


There is a syntax error in the input file
Failed on token starting with '1' on line 17
1 entry modified successfully.
An error has occurred in the program


line 17 seems to be a line with - on it
 
Ace Fekay [MVP]

Hmm, well at least it got one of the changes done. The dash denotes end of
record for each section. Maybe a syntax in that section to change RDN? This
is what it is supposed to look like.

dn: CN=unixID,CN=Schema,CN=Configuration,DC=X
changetype: modrdn
newrdn: cn=x500uniqueIdentifier
deleteoldrdn: 1
-

Now, if the syntax was correct, and the attribute was already changed while
you were testing it or from a previous run, maybe that's why the error
because the value it is looking for is no longer there. You can go into the
schema snapin to manually check if it was changed. Please check it to see if
they were changed. if you can't find a "unixID", and the
"x500uniqueIdentifier" exists, then that means it was already changed. if
the other way around, then it didn't change it yet.

Also look for "lDAPDisplayName" if it is "x500uniqueIdentifier" too, since
that is what it's changing it to.

You can actually change it manually in there too, but let the script handle
it to ensure no errors.

Let's take a look at your file. Please copy and paste the file you used in
your reply, or attach it as a .txt file to your post, if you can. Let me
take a look at it please.

Ace
 
Taylor555

It seems to have worked fine, the adprep /forestprep and /domainprep
finished without issue this time. I'll be upgrading the 4dcs in the
test lab to 2k3 and remove the schema after that.
 
Taylor555

Update.

started the upgrade of the primary DC which holds the FSMO roles...
completed the winnt32.exe /checkupgradeonly and it was okay.

started the upgrade, it started to install, rebooted as normal.. (i
left the office)
i got back to the office and the monitor was totally blank with the
monitor light being lit. tried the monitor without a KVM, no
difference.. tried all the basic things to get it back with no luck..
the computer was hard rebooted

the computer now turns on, starts loading the windows 2003 server
screen when it stops and restarts... it does a loop of this.

directory services recover mode doesn't work, nor does safemode or last
known good configuration.

i booted off the cd again and resumed the upgrade... it tries to
continue but then reboots and the same thing above starts
happening.

so what can i do? i made sure i did a system state backup before i
commenced this. just install win2k server again, complete the restore
and try again?

or can i blow away the system and start a fresh install and dcpromo it?
but since this is the DC that is the schema master and everything is
that a wise idea?

advice?
 
Ace Fekay [MVP]

Don't blow it away. And apparently a system state restore won't work since
you can't get into Windows, unless your backup software has the option for a
bare-metal restore.

Try booting from the Win2003 cd and select R, then R again to "upgrade" it,
which is pretty much a fresh install but keeping your current settings and
configuration.

When upgrading there are a few things to keep in mind, one is to disable any
AV software and remove any cards such as LPT cards, or modems, etc. It
sounds like either a driver issue or the MBR got hosed.

Check out this FAQ:

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003
Domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;555040

Ace
 
Taylor555

just an update for any readers reading this with the same issue..

the windows rebooting issue turned out to be the chipset drivers for
the computer.

if i installed the chipset drivers for win2k it would reboot during the
upgrade and generally die, if i didn't install the chipset drivers
everything would boot perfect.

The AD issues in the test lab are now all fixed.
 
Ace Fekay [MVP]

Chipset upgrade? I looked back through this thread, but didn't see it
mentioned anywhere that you had updated your drivers too?? Chipset drivers
can sure do it.

At least it's good you figured it out.

Ace
 
larry.mark

Hi Ace,

I was trying to follow along with your post and I ran into a road
block. I copied and pasted the rename.txt into notepad and saved it
onto my c drive. In the command prompt I entered: ldifde -i -f
rename.txt -v -c DC=X dc=forest,dc=root (replacing dc=forest,dc=root
with the forest root for my enterprise). I got the following error:
Connecting to "X.Y.Z.com"
Logging in as current user using SSPI
Importing directory from file "rename.txt"
Error occured during initialization
File operation failure
0 entries modified successfully.
An error has occurred in the program

Am I doing something incorrectly?
Any advice or insight you can offer would be greatly appreciated.
Thanks,
 
larry.mark

Hi all,

Please disregard my last post. I was finally able to run:
ldifde -i -f rename.txt -v -c DC=X dc=Y,dc=Z,dc=com

However I got the same error message that Taylor got.

Connecting to "servername.domain.domain.domain.domain"
Logging in as current user using SSPI
Importing directory from file "rename.txt"
Loading entries
1:
CN=unixID,CN=Schema,CN=Configuration,dc=domain,dc=domain,dc=domain,dc=domain

Entry modified successfully.

There is a syntax error in the input file
Failed on token starting with '1' on line 17
1 entry modified successfully.
An error has occurred in the program

My question is what's causing this and how can I resolve this issue?

Any insight or suggestions, would be appreciated.
Thanks,

Larry
 
Ace Fekay [MVP]

Did you use the corrected syntax that Larry did?

=================================
# Script to recover from Apple's use of W2K3 object identifier 2.5.4.45
#
# Run this script on the Windows 2000 Schema FSMO
# assuming your Forest root domain name is domain.com, use this syntax:
# SYNTAX C:> ldifde -i -f rename.txt -v -c DC=X dc=domain,dc=com
# Note: replace dc=forest,dc=root with the forest root domain name for your enterprise

dn: CN=unixID,CN=Schema,CN=Configuration,DC=X
changetype: Modify
replace: lDAPDisplayName
lDAPDisplayName: x500uniqueIdentifier
-

dn: CN=unixID,CN=Schema,CN=Configuration,DC=X
changetype: modrdn
newrdn: cn=x500uniqueIdentifier
deleteoldrdn: 1
-

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
=================================

Ace
 
Taylor555

Well.....

I am doing the production server schema update at the moment and i've
come across the same error that i had with the test lab and also that
larry is having.

i can't recall what i did to fix it last time. i know i did something
to the script, but i can't recall.

I'll have to try and remember how to check it manually, i'll post the
errors i get here after the DC comes back online
 
Taylor555

C:\>ldifde -i -f rename.txt -v -c DC=X dc=domain,dc=domain
Connecting to "svdcgc01.dc=domain,dc=domain"
Logging in as current user using SSPI
Importing directory from file "rename.txt"
Loading entries
1: CN=unixID,CN=Schema,CN=Configuration,dc=domain,dc=domain

Add error on line 7: No Such Object
The server side error is "Directory object not found."
0 entries modified successfully.
An error has occurred in the program

______

any idea? i tried doing the adprep /forest prep again but it fails
with.





=============================================================================

"isSingleValued" attribute value for objects defined in Windows 2000
schema and extended schema do not match.



A previous schema extension has defined the attribute value as "TRUE"
for object
"CN=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=stpeters,DC=qld,DC=edu,DC=au"
differently than the schema extension needed for Windows 2003 server .

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the
schema to resolve the inconsistency. Then run adprep again.







=============================================================================

"attributeSyntax" attribute value for objects defined in Windows 2000
schema and extended schema do not match.



A previous schema extension has defined the attribute value as
"2.5.5.9" for object
"CN=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=stpeters,DC=qld,DC=edu,DC=au"
differently than the schema extension needed for Windows 2003 server .

[Status/Consequence]

Adprep cannot extend your existing schema

[User Action]

Contact the vendor of the application that previously extended the
schema to resolve the inconsistency. Then run adprep again.
 
Ace Fekay [MVP]

Sounds like the object was already renamed, so the second part of the script
couldn't run. I believe that article has a fall-back to go back to the way
it was, then try it again. Either way, you will not be able to adprep it
until this is done.

Ace.
 
Taylor555

with the undo script i get this

_____

C:\>ldifde -i -f rename_undo.txt -v -c DC=X dc=stpeters,dc=qld,dc=edu,dc=au
Connecting to "svdcgc01.stpeters.qld.edu.au"
Logging in as current user using SSPI
Importing directory from file "rename_undo.txt"
Loading entries
1: cn=x500uniqueIdentifier,CN=Schema,CN=Configuration,dc=stpeters,dc=qld,dc=edu,dc=au
Entry modified successfully.


There is a syntax error in the input file
Failed on token starting with '1' on line 15
1 entry modified successfully.
An error has occurred in the program

_______

undo script contains

# SYNTAX C:> ldifde -i -f rename_undo.txt -v -c DC=X dc=forest,dc=root
# Note: replace dc=forest,dc=root with the forest root for your enterprise


dn: cn=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=X
changetype: Modify
replace: lDAPDisplayName
lDAPDisplayName: UniqueID
-

dn: cn=x500uniqueIdentifier,cn=Schema,CN=Configuration,DC=X
changetype: modrdn
newrdn: cn=unixID
deleteoldrdn: 1
-

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1

so line 15 is yet again "-"

ideas?
 
Taylor555

if you take out that "-" it seems to go further.. so without the dash
they were added back in.

i did the rename script without the dash and both entries seem to be
added in but adprep still fails with the same error as Oct 7, 5:57 pm

C:\>ldifde -i -f rename.txt -v -c DC=X dc=stpeters,dc=qld,dc=edu,dc=au
Connecting to "svdcgc01.stpeters.qld.edu.au"
Logging in as current user using SSPI
Importing directory from file "rename.txt"
Loading entries
1: CN=unixID,CN=Schema,CN=Configuration,dc=stpeters,dc=qld,dc=edu,dc=au
Entry modified successfully.

2: CN=unixID,CN=Schema,CN=Configuration,dc=stpeters,dc=qld,dc=edu,dc=au
Entry modified successfully.


There is a syntax error in the input file
Failed on token starting with '1' on line 0
2 entries modified successfully.
An error has occurred in the program


I'm not sure since i took the dash out if

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1

would've ran.
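
An added example, not part of any poster's message or of the KB article: in RFC 2849 LDIF a `-` line closes each add/delete/replace block inside a `changetype: modify` record and is not part of a `modrdn` record. The sketch below checks rename.txt exactly as it was pasted earlier in the thread against that grammar; the helper names `split_records` and `lint_ldif` are hypothetical, and it checks the RFC grammar only, it is not a model of ldifde's own parser.

```python
# Added example: minimal RFC 2849 change-record check (hypothetical helper names).
# RENAME_TXT is the rename.txt script as pasted in the thread, unchanged.
RENAME_TXT = """\
# Script to recover from Apple's use of W2K3 object identifier 2.5.4.45
#
# Run this script on the Windows 2000 Schema FSMO
# SYNTAX C:> ldifde -i -f rename.txt -v -c DC=X dc=forest,dc=root
# Note: replace dc=forest,dc=root with the forest root for your enterprise

dn: CN=unixID,CN=Schema,CN=Configuration,DC=X
changetype: Modify
replace: lDAPDisplayName
lDAPDisplayName: x500uniqueIdentifier
-

dn: CN=unixID,CN=Schema,CN=Configuration,DC=X
changetype: modrdn
newrdn: cn=x500uniqueIdentifier
deleteoldrdn: 1
-

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
"""

MOD_OPS = ("add", "delete", "replace")


def split_records(text):
    """Yield one list of (line_no, line) per record; blank lines separate
    records and '#' comment lines are skipped but still counted."""
    record = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if line.startswith("#"):
            continue
        if not line:
            if record:
                yield record
                record = []
            continue
        record.append((no, line))
    if record:
        yield record


def lint_ldif(text):
    """Return [(line_no, message)] for '-' separators that are misplaced or missing."""
    findings = []
    for record in split_records(text):
        changetype = None
        open_spec = None  # line number of a mod-spec not yet closed by '-'
        for no, line in record:
            key, _, value = line.partition(":")
            key = key.strip().lower()
            if key == "changetype":
                changetype = value.strip().lower()
            elif line == "-":
                if changetype != "modify":
                    findings.append((no, "'-' is only valid inside changetype: modify"))
                elif open_spec is None:
                    findings.append((no, "'-' without a preceding add/delete/replace"))
                open_spec = None
            elif changetype == "modify" and key in MOD_OPS:
                if open_spec is not None:
                    findings.append((open_spec, "mod-spec not terminated by '-'"))
                open_spec = no
        if open_spec is not None:
            findings.append((open_spec, "mod-spec not terminated by '-'"))
    return findings


if __name__ == "__main__":
    for line_no, message in lint_ldif(RENAME_TXT):
        print(f"line {line_no}: {message}")
```

The first finding lands on line 17, the same line number ldifde reported in the output posted above.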
 
larry.mark

I ran the undo script using: ldifde -i -f rename_undo.txt -v -c DC=X
dc=Y,dc=Z and got the following message:
Logging in as current user using SSPI
Importing directory from file "rename_undo.txt"
Loading entries
1: cn=x500uniqueIdentifier,CN=Schema,CN=Configuration,dc=X,dc=Y,dc=Z

Add error on line 5: No Such Object
The server side error is "Directory object not found."
0 entries modified successfully.
An error has occurred in the program


Any ideas?

Thanks,

Larry
 
Taylor555

Update:

Ok.

Bit of history.

4 of the fsmo roles were on DC#2 with the schema master role being on
DC#1.
in the test lab i made the testDC#1 hold all the FSMO roles, the update
worked fine in the test lab.

What i have done now is move the Schema role from DC#1 to DC#2 so DC#2
holds all the roles, after i moved it i did the IOP upgrade and then
tried adprep /forestprep... this time it worked perfect with no errors
at all.. adprep /domainprep also work perfect

i suspect there is something on DC#1 (which is the oldest DC in this
place...all other DC's have been rebuilt since) which is causing
everything to stuff up.

I'm now doing another ntbackup to backup the system state before i go
on and install win2k3.
 
Ace Fekay [MVP]

I actually assumed you ran this on the Schema Master, otherwise issues may
result.

Maybe DC1 is an overloaded machine? Were there any errors in the Event logs?

Ace
 
