WARNING: Following this path can lead to irreversible Active Directory damage. Singlebrook Technology is not responsible for any damage caused by following this procedure. Proceed at your own risk!
A long time ago someone made some schema extensions to a client's Active Directory in an attempt to support *nix and OS X workstations. When it came time to upgrade the AD to Windows Server 2003, the old extensions were incompatible with the schema changes required for the upgrade. Running "adprep /forestprep" reported errors like:
----------------------
"isSingleValued" attribute value for objects defined in Windows 2000 schema and extended schema do not match.
A previous schema extension has defined the attribute value as "TRUE" for object "CN=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows 2003 server .
[Status/Consequence]
Adprep cannot extend your existing schema
[User Action]
Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.
----------------------
We followed the instructions in the MS KB article at http://support.microsoft.com/kb/887426/en-us to try to fix the problem, but we got hung up because the isSingleValued and attributeSyntax attributes of the x500uniqueIdentifier object could not be modified. When we tried, using either the ldifde or ADSIedit.msc tools, we got an error: "The attribute cannot be modified because it is owned by the system."
I won't bore you with the details, but in this case the solution was to create a registry value that allows you to change system-only attributes:
In HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters, create the following value:
Value name: Allow System Only Change
Data type: REG_DWORD
Value data: 1
Once we created that, we were able to change the attributes without trouble and run "adprep /forestprep" successfully. We hope that this post saves someone else some trouble!
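The registry change and the attribute edit from the steps above, written out as an added PowerShell example that is not from the original post. It assumes you run it elevated on the schema master, that the DN and temp file name below are placeholders for your forest, and that the value adprep wants is FALSE (the opposite of the "TRUE" it complained about); the override is switched back off in the finally block so it does not stay enabled after the fix.

```powershell
# Added example (not from the original post): apply the isSingleValued fix
# with ldifde while "Allow System Only Change" is set, then remove the value.
# Assumptions: elevated session on the schema master; DN and file name are
# placeholders; the required value is FALSE (adprep objected to "TRUE").
$ntds   = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
$flag   = 'Allow System Only Change'
$attrDn = 'CN=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=domain,DC=com'
$ldif   = Join-Path $env:TEMP 'fix-x500uniqueIdentifier.ldf'

# LDIF modify record; the trailing "-" line terminates the change block.
@"
dn: $attrDn
changetype: modify
replace: isSingleValued
isSingleValued: FALSE
-
"@ | Set-Content -Path $ldif -Encoding ASCII

try {
    # Enable edits to system-only attributes on this DC (REG_DWORD = 1).
    New-ItemProperty -Path $ntds -Name $flag -PropertyType DWord -Value 1 -Force | Out-Null

    # Import the change against the local DC; -j puts ldif.log in $env:TEMP.
    ldifde -i -f $ldif -s $env:COMPUTERNAME -j $env:TEMP
    if ($LASTEXITCODE -ne 0) {
        throw "ldifde failed with exit code $LASTEXITCODE; see ldif.log in $env:TEMP"
    }

    # Verify the attribute now reads FALSE before moving on to adprep /forestprep.
    $entry = [ADSI]"LDAP://$attrDn"
    if ("$($entry.isSingleValued)" -ne 'False') {
        throw "isSingleValued is still $($entry.isSingleValued)"
    }
}
finally {
    # Always turn the override back off, whether or not the import succeeded,
    # so system-only attributes are protected again on this DC.
    Remove-ItemProperty -Path $ntds -Name $flag -ErrorAction SilentlyContinue
    Remove-Item $ldif -ErrorAction SilentlyContinue
}
```

If the import fails, the ldif.log written by -j in $env:TEMP shows which line of the LDIF was rejected.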
Tuesday, October 9, 2007
1 comment:
Nice guide but as you've said, this can be risky. Active Directory is a pretty nice implementation of the directory service but still it is a... mmm how to put it better... a thing that is now very user friendly, as its main goal is to be fast and be able to effectively store an overwhelming amount of data regarding the network structure and all the elements registered within the environment. It should provide for scalability, security, data integrity and compliance. These are the things it manages quite well. We have several sites and we must say that even with planned replication the environment functions magically. Still, it's sometimes very hard to find out what caused a problem even when using replmon or something of that kind. And you know how hard it becomes to manage it when you need to tweak some security settings there, or add an attribute to the schema because an application you need to run requires making changes to the schema. Of course, we know that the golden rule is "make a backup before it's too late". But as is often the case, knowing and doing don't go along for you sometimes. I remember I needed to add security settings for a GPO object and purge some unneeded stuff from Active Directory, and I mistakenly applied the wrong permissions and deleted the wrong GPO, so then it was bye-bye Kansas City… Odd thing, I always persuade myself to make backups prior to making changes to Active Directory but this is always all time. You don't have time to make a backup because you or your users need it now. I wish I had a thing that would repair Active Directory security settings automatically. Something like those two watchdog threads in Windows that prevent you from changing registry parameters in the registry. I dreamed of getting functionality that would be a jot closer to what I need. Recently I came across a tool that works like a Swiss Army knife for everything about Active Directory. It's Active Administrator from ScriptLogic.
I am excited to test it on a tougher setup, but after vigorous testing on the buggy Active Directory that I use to test things in a virtual environment I may say that I already love it, and especially its audit function. But not only that. As I said, it can monitor security settings and revert any changes made to them, always setting back the settings which I defined based on my needs. Fantastic. I'll keep working with it more as the tool has a pretty long trial period, long enough for me to be able to get some more bucks from our boss and purchase the tool for our guys.