WilsonJ
asked on
adprep /forestprep There is a schema conflict with Exchange 2000
Hi Guys,
I'm adding a new Windows 2k3 server to my Windows 2k domain; I want the new server to be a DC.
When I ran /forestprep I got the following error:
"Adprep was unable to extend the schema.
[Status/Consequence]
There is a schema conflict with Exchange 2000. The schema is not updated.
[User Action]
The schema conflict must be resolved before running adprep. Resolve the schema conflict, allow the change to replicate between all replication partners, and then run Adprep. For information on resolving the conflict, see Microsoft Knowledge
Base article Q325379."
I have a Windows 2000 SP4 server which is the main domain controller as well as the schema master.
I have a separate Windows 2000 SP4 server which has Exchange 2000 and is a BDC.
I have another Windows 2000 SP4 server which is just a member server.
There is a Windows 2003 Server SP1 which is just a member server, no AD on it.
And the new Windows 2003 SP1 server which I want to make a DC.
After I got the above error I did some reading and found some articles covering everything from InetOrgPerson to mangled attributes in a Windows 2000 forest.
Here is what I have tried
Microsoft Article ID : 324392
Enhancements to Adprep.exe in Windows Server 2003 Service Pack 1 and in hotfix 324392
I'm using what I believe is the latest adprep from the Windows Server 2003 SP1 disc:
adprep.exe 432KB (442,880 bytes) March 25 2005 7:00:00 AM
The error message directs me to see article Q325379, which is no longer available and instead shows article 324392.
I read this article from beginning to end and do not see a solution other than running InetOrgPersonFix.
Microsoft Article ID : 314649
Windows Server 2003 adprep /forestprep command causes mangled attributes in Windows 2000 forest containing Exchange 2000 servers
In this article there were three scenarios, and I tried numbers 2 and 3. Here is what Microsoft said in the two scenarios. I'm not sure if I'm doing something wrong with these procedures or if there is something wrong elsewhere, but I still get the same original error.
I don't even see any records being mangled in the schema.
Any help would be appreciated.
Wilson J
******************
Microsoft Article ID : 314649
Scenario 2: Exchange 2000 Schema Changes Are Installed Before You Run the Windows Server 2003 adprep /forestprep Command
If Exchange 2000 schema changes have already been installed, but you have not run the adprep /forestprep command in Windows Server 2003, consider the following action plan:
1. Log on to the console of the schema operations master by using an account that is a member of the schema administrators and enterprise administrators groups.
2. Enable Schema Updates on the schema master. For additional information about how to permit updates to the Active Directory schema, click the following article number to view the article in the Microsoft Knowledge Base:
285172 (http://support.microsoft.com/kb/285172/EN-US/) Schema Updates Require Write Access to Schema in Active Directory
3. Click Start, click Run, type notepad.exe, and then click OK.
4. Copy the following text that appears between [start copy here] and [end copy here] (including the trailing "-" characters), and then paste this text into Notepad.
[start copy here]
dn: CN=ms-Exch-Assistant-Name,CN=Schema,CN=Configuration,DC=X
changetype: Modify
replace: lDAPDisplayName
lDAPDisplayName: msExchAssistantName
-
dn: CN=ms-Exch-LabeledURI,CN=Schema,CN=Configuration,DC=X
changetype: Modify
replace: lDAPDisplayName
lDAPDisplayName: msExchLabeledURI
-
dn: CN=ms-Exch-House-Identifier,CN=Schema,CN=Configuration,DC=X
changetype: Modify
replace: lDAPDisplayName
lDAPDisplayName: msExchHouseIdentifier
-
dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
[end copy here]
5. Save the contents of the Notepad file as %systemdrive%\IOP\InetOrgPersonPrevent.ldf (where %systemdrive% is the logical drive that is hosting the Windows 2000 operating system and \IOP is a folder that you create in the Save dialog box of Notepad). Quit Notepad.
6. Run the InetOrgPersonPrevent.ldf script: a. Click Start, click Run, type cmd, and then click OK.
b. At a command prompt, type :
cd %systemdrive%\iop
and then press ENTER.
c. Type the following command:
ldifde -i -f inetorgpersonprevent.ldf -v -c DC=X "dn path for forest root domain"
where X is a case-sensitive constant and "dn path for forest root domain" is the domain name path for the root domain of the forest, enclosed in quotation marks, for example "dc=corp,dc=tailspintoys,dc=com". (Include the quotation marks.) Press ENTER.
7. Verify that the lDAPDisplayNames for the CN=ms-Exch-Assistant-Name, CN=ms-Exch-LabeledURI, and CN=ms-Exch-House-Identifier attributes in the schema naming context now appear as msExchAssistantName, msExchLabeledURI, and msExchHouseIdentifier before you run the Windows Server 2003 adprep /forestprep command.
8. Run the adprep /forestprep command and the /domainprep command.
For more information, view the "Overview: Upgrading Windows 2000 Domain Controllers to Windows Server2003" section of the following Microsoft Knowledge Base article:
325379 (http://support.microsoft.com/kb/325379/) How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003
******************
Scenario 3: You Did Not Run InetOrgPersonfix Before You Ran the Windows Server 2003 adprep /forestprep Command
If you run the Windows Server 2003 adprep /forestprep command in a Windows 2000 forest that contains the Exchange 2000 schema changes, the lDAPDisplayName attributes for houseIdentifier, secretary, and labeledURI become mangled. To identify mangled names, use Ldp.exe to locate the affected attributes:
1. Install Ldp.exe from the Support\Tools folder of the Windows 2000 or the Windows Server 2003 media.
2. Start Ldp.exe from a domain controller or a member computer in the forest. a. On the Connection menu, click Connect, leave the Server box empty, type 389 in the Port box, and then click OK.
b. On the Connection menu, click Bind, leave all the boxes empty, and then click OK.
3. Record the distinguished name path for the SchemaNamingContext attribute.
For example, for a domain controller in the CORP.ADATUM.COM forest, the distinguished name path would be CN=Schema,CN=Configuration,DC=corp,DC=adatum,DC=com.
4. On the Browse menu, click Search.
5. Configure the following settings: • Base DN: Type the distinguished name path for the schema naming context that is identified in step 3.
• Filter: Type (ldapdisplayname=dup*).
• Scope: Click Subtree.
6. Mangled houseIdentifier, secretary, and labeledURI attributes have lDAPDisplayName values that are similar to the following format:
lDAPDisplayName: DUP-labeledURI-9591bbd3-d2a6-4669-afda-48af7c35507d
lDAPDisplayName: DUP-secretary-c5a1240d-70c0-455c-9906-a4070602f85f
lDAPDisplayName: DUP-houseIdentifier-354b0ca8-9b6c-4722-aae7-e66906cc9eef
If the LDAP display names for labeledURI, secretary and houseIdentifier were mangled, run the Windows Server 2003 InetOrgPersonfix.ldf script to recover:
a. Create a folder named %Systemdrive%\IOP, and then extract the InetOrgPersonfix.ldf file to this folder.
b. At a command prompt, type cd %systemdrive%\iop, and then press ENTER.
c. Extract the InetOrgPersonfix.ldf file from the Support.cab file that is located in the Support\Tools folder of the Windows Server 2003 installation media.
d. From the console of the schema operations master, load the InetOrgPersonfix.ldf file by using Ldifde.exe to correct the LdapDisplayName attribute of the houseIdentifier, the Secretary, and the labeledURI attributes. To do this, type the following command, where X is a case-sensitive constant and dn path for forest root domain is the domain name path for the root domain of the forest wrapped in quotation marks:
ldifde -i -f inetorgpersonfix.ldf -v -c DC=X "dn path for forest root domain"
7. Verify that the houseIdentifier, the Secretary, and the labeledURI attributes in the schema naming context are not mangled.
8. Use Winnt32.exe to upgrade the Windows 2000 domain controllers.
For additional information about how to upgrade a Windows 2000 domain controller with Winnt32.exe, click the following article number to view the article in the Microsoft Knowledge Base:
325379 (http://support.microsoft.com/kb/325379/EN-US/) How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003
******************
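A pre-flight check for the two KB 314649 scenarios quoted above, as an added example that is not part of the original post and not one of Microsoft's scripts. It reads an LDIF export of the schema naming context (what ldifde -f writes for a subtree search, or the records you would copy out of the Ldp.exe search with filter (ldapdisplayname=dup*)), lists any DUP-<name>-<guid> display names that call for InetOrgPersonfix.ldf (Scenario 3), and lists which of the three Exchange 2000 attributes still lack the msExch... display name that InetOrgPersonPrevent.ldf sets (Scenario 2). The sample export, the forest DC=example,DC=com and the pre-fix value "secretary" on ms-Exch-Assistant-Name are constructed for the example, not taken from the poster's directory.

```python
import re
from collections import defaultdict

# The three Exchange 2000 attributes that InetOrgPersonPrevent.ldf (KB 314649,
# Scenario 2) renames, keyed by schema cn, with the lDAPDisplayName each must
# carry before adprep /forestprep runs.
EXPECTED_EXCHANGE_NAMES = {
    "ms-Exch-Assistant-Name": "msExchAssistantName",
    "ms-Exch-LabeledURI": "msExchLabeledURI",
    "ms-Exch-House-Identifier": "msExchHouseIdentifier",
}

# Mangled display names have the form DUP-<originalName>-<guid> (Scenario 3).
MANGLED_RE = re.compile(
    r"^DUP-(?P<name>.+)-(?P<guid>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$",
    re.IGNORECASE,
)

# Constructed sample, not a real export: what ldifde -f would write for part of
# the schema naming context of a made-up forest, DC=example,DC=com. The value
# 'secretary' on ms-Exch-Assistant-Name is an assumed pre-fix state.
SAMPLE_EXPORT = """\
dn: CN=ms-Exch-Assistant-Name,CN=Schema,CN=Configuration,DC=example,DC=com
cn: ms-Exch-Assistant-Name
lDAPDisplayName: secretary

dn: CN=ms-Exch-LabeledURI,CN=Schema,CN=Configuration,DC=example,DC=com
cn: ms-Exch-LabeledURI
lDAPDisplayName: msExchLabeledURI

dn: CN=ms-Exch-House-Identifier,CN=Schema,CN=Configuration,DC=example,DC=com
cn: ms-Exch-House-Identifier
lDAPDisplayName: msExchHouseIdentifier

dn: CN=labeledURI,CN=Schema,CN=Configuration,DC=example,DC=com
cn: labeledURI
lDAPDisplayName: DUP-labeledURI-9591bbd3-d2a6-4669-afda-48af7c35507d
"""


def parse_ldif(text):
    """Minimal reader for ldifde export output: blank-line separated records,
    'attr: value' lines, '#' comments, and lines starting with a space folded
    onto the previous value. Base64 ('attr:: ...') values are skipped."""
    records, current, last_attr = [], None, None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                records.append(dict(current))
            current, last_attr = None, None
            continue
        attr, sep, value = raw.partition(":")
        if not sep or value.startswith(":"):
            last_attr = None
            continue
        if current is None:
            current = defaultdict(list)
        last_attr = attr.strip()
        current[last_attr].append(value.strip())
    return records


def find_mangled(records):
    """{originalName: mangledDisplayName} for every object whose lDAPDisplayName
    matches DUP-<name>-<guid>: the same set the Ldp.exe (ldapdisplayname=dup*)
    search returns."""
    found = {}
    for rec in records:
        for name in rec.get("lDAPDisplayName", []):
            m = MANGLED_RE.match(name)
            if m:
                found[m.group("name")] = name
    return found


def exchange_attributes_needing_rename(records):
    """{cn: currentDisplayName} for the three Exchange 2000 attributes whose
    lDAPDisplayName is not yet the value InetOrgPersonPrevent.ldf sets."""
    needing = {}
    for rec in records:
        cn = rec.get("cn", [None])[0]
        if cn in EXPECTED_EXCHANGE_NAMES:
            current = rec.get("lDAPDisplayName", [""])[0]
            if current != EXPECTED_EXCHANGE_NAMES[cn]:
                needing[cn] = current
    return needing


def preflight(ldif_text):
    """Map the export onto the KB 314649 scenarios before running adprep."""
    records = parse_ldif(ldif_text)
    mangled = find_mangled(records)
    needing = exchange_attributes_needing_rename(records)
    if mangled:
        action = "Scenario 3: import InetOrgPersonfix.ldf on the schema master"
    elif needing:
        action = "Scenario 2: import InetOrgPersonPrevent.ldf on the schema master"
    else:
        action = "no mangled or conflicting display names found in this export"
    return {"mangled": mangled, "needs_prevent": needing, "action": action}


if __name__ == "__main__":
    for key, value in preflight(SAMPLE_EXPORT).items():
        print(key + ":", value)
```

To feed it a real export, run something like ldifde -f schema.ldf -d "CN=Schema,CN=Configuration,DC=domainname,DC=com" -p subtree -r "(objectClass=attributeSchema)" -l cn,lDAPDisplayName on a DC (the domain DN here is assumed) and pass the file contents to preflight(). An empty "mangled" list together with an empty "needs_prevent" list is what the poster reports seeing, which is why neither .ldf changes anything for them.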
Exactly as above, the issues are replication issues. I had this issue once, and what I did was make sure that the two could reach each other via DNS.
ASKER
Well, I think we are on the right track here. When I checked the event log on the BDC this is what I got (read below); there are no events regarding file replication errors on the PDC.
I need some guidance on how to force a replication and diagnose that everything is correct on both domain controllers; I'm not sure what steps to follow.
Thanks for your help
******************
My event log in the BDC
******************
The File Replication Service is having trouble enabling replication from PDC to BDC C:\winnt\sysvol\domain using the DNS name PDCSERVERNAME.domainname.com. FRS will keep retrying.
Following are some of the reasons you would see this warning.
[1] FRS can not correctly resolve the DNS name PDCSERVERNAME.domainname.com. from this computer.
[2] FRS is not running on PDCSERVERNAME.domainname.com.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
Make sure that the first defined DNS Server setting in TCP/IP Settings
points to an internal DNS server (Windows 2000 DC)
Make sure domainname.com exists and is active directory integrated.
Make sure that domainname.com accepts dynamic updates.
On each DC do the following
start->run
IPConfig /All (Confirm first DNS Server IP)
IPConfig /FlushDNS
IPConfig /RegisterDNS
net stop netlogon
net start netlogon
Force replication by using The "Active Directory Sites and Services" snap in.
Expand "Default-First-Site-Name"->Servers->ServerName->NTDS Settings
Right Click on "NTDS Setting"
Click on Check Replication Topology.
On the "NTDS Settings" Object
Right click on "<automatically generated>"
and select "replicate now"
Repeat for other servers in the site.
Then run the InetOrgPersonfix tool
Then the updated ADPrep /Forestprep
and ADPrep /DomainPrep
Hi,
I once faced a problem with AD replication between 2 DCs, and in that case DNS and name resolution were working perfectly fine. So even if DNS is fine, AD replication issues sometimes arise if the secure channel between the DCs is broken. In my case that was the problem, and the following solution worked for me. It restores the secure channel between the DCs and then initiates the AD replication.
-->Stop KDC service
-->Disable KDC service
-->Reboot server
-->Execute following command
netdom resetpwd /server:<servername> /userd:<domain\user> /passwordd:<password>
-->Reboot server
-->Set KDC to automatic
-->Start KDC
Netdom.exe is available on the W2K3 CD, or download it from the internet.
Refer: http://support.microsoft.com/default.aspx?scid=kb;en-us;288167
ASKER
First I want to thank everybody who is participating in helping me resolve this issue.
And I'm sorry for my slow response, but there was a lot to test, to try and, of course, to document.
Lots of reading guys :0
I tried your suggestion (Nyaema)
****Make sure that the first defined DNS Server setting in TCP/IP Settings ****
****points to an internal DNS server (Windows 2000 DC)******
Here is the TCP/IP configuration of the main DC. I'm a bit confused with the configuration. I have two NICs enabled.
The main server has a fixed IP, as it should.
First NIC
IP 192.168.1.2
SM 255.255.255.0
DG 192.168.1.1 (which is my firewall router)
This is the confusing part for me: the Primary DNS Server is pointing to 127.0.0.1 and there is nothing in the Secondary DNS.
I'm not sure, but this setting must be correct since I have never changed anything and everything else is working fine.
Second NIC
IP 10.0.0.1
SM 255.255.255.0
DG 192.168.1.1
PDNS 127.0.0.1
On the other DC, the one with Exchange 2000, here are the settings.
Only one NIC enable
IP 192.168.1.3
SM 255.255.255.0
DG 192.168.1.1
PDNS 192.168.1.3 why is it pointing to itself ????????????????? Again, this setting has never changed.
******************
On your second suggestion.
****Make sure domainname.com exists and is active directory integrated.
****Make sure that domainname.com accepts dynamic updates.
I checked the DNS settings and looked in the forward lookup zones; the name of our domain is there, the type is Active Directory-Integrated, and the status is Active.
Accept dynamic updates is set to Only Secure Updates.
*****Then I ran the other 8 steps*****
IPConfig /FlushDNS
IPConfig /RegisterDNS
net stop netlogon
net start netlogon
Force replication
Check Replication Topology.
On the "NTDS Settings" Object
Right click on "<automatically generated>"
and select "replicate now"
Repeat for other servers in the site.
Everything worked without errors BUT
When I tried to run the InetOrgPersonFix tool I'm getting an error, and there are no mangled records. Below are the errors I got.
I'm not sure if I'm making a mistake in the syntax of the schema naming context; I ran it in different ways, as you will see below.
One thing I noticed: since I was not sure if the syntax was right, I put a period at the end of the schema context inside the quotes, and that gave me an error of (Add error on line 3: Referral); when I did not use the period I got (Add error on line 3: No Such Object).
I used the instructions in Microsoft Article 314649 to run inetorgpersonfix.ldf; page 3 specifies the command.
I hope this can give you guys a better idea of what's happening.
If the syntax is correct and there are no mangled records, then I would try what rajeshgkamath has suggested. The only problem is that I don't think I'll be able to reboot the server until tonight, or I might have to wait for the weekend.
One more thing I noticed is that, when I updated and forced the replication, I checked the event viewer on both servers and there are no new logs telling me that it is running or that it is NOT. That was a bit frustrating.
Again Thanks for your help.
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Documents and Settings\Administrator>CD\
C:\>CD IOP
C:\Iop>ldifde -i -f inetorgpersonfix.ldf -v -c DC=X "DC=servername,DC=domainname,DC=com"
Connecting to "servername.domainname.com"
Logging in as current user using SSPI
Importing directory from file "inetorgpersonfix.ldf"
Loading entries
1: CN=secretary,CN=Schema,CN=Configuration,DC=servername,DC=domainname,DC=com
Add error on line 3: No Such Object
The server side error is "Directory object not found."
0 entries modified successfully.
An error has occurred in the program
C:\Iop>ldifde -i -f inetorgpersonfix.ldf -v -c DC=X "DC=servername,DC=domainname,DC=com."
Connecting to "servername.domainname.com"
Logging in as current user using SSPI
Importing directory from file "inetorgpersonfix.ldf"
Loading entries
1: CN=secretary,CN=Schema,CN=Configuration,DC=servername,DC=domainname,DC=com.
Add error on line 3: Referral
The server side error is "A referral was returned from the server."
0 entries modified successfully.
An error has occurred in the program
C:\Iop>ldifde -i -f inetorgpersonfix.ldf -v -c DC=X "DC=domainname,DC=com."
Connecting to "servername.domainname.com"
Logging in as current user using SSPI
Importing directory from file "inetorgpersonfix.ldf"
Loading entries
1: CN=secretary,CN=Schema,CN=Configuration,DC=domainname,DC=com.
Add error on line 3: Referral
The server side error is "A referral was returned from the server."
0 entries modified successfully.
An error has occurred in the program
C:\Iop>ldifde -i -f inetorgpersonfix.ldf -v -c DC=X "CN=secretary,CN=Schema,CN=Configuration,DC=servername,DC=domainname,DC=com."
Connecting to "servername.domainname.com"
Logging in as current user using SSPI
Importing directory from file "inetorgpersonfix.ldf"
Loading entries
1: CN=secretary,CN=Schema,CN=Configuration,CN=secretary,CN=Schema,CN=Configuration,DC=servername,DC=domainname,DC=com.
Add error on line 3: Referral
The server side error is "A referral was returned from the server."
0 entries modified successfully.
An error has occurred in the program
C:\Iop>ldifde -i -f inetorgpersonfix.ldf -v -c DC=X "CN=secretary,CN=Schema,CN=Configuration,DC=servername,DC=domainname,DC=com"
Connecting to "servername.domainname.com"
Logging in as current user using SSPI
Importing directory from file "inetorgpersonfix.ldf"
Loading entries
1: CN=secretary,CN=Schema,CN=Configuration,CN=secretary,CN=Schema,CN=Configuration,DC=servername,DC=domainname,DC=com
Add error on line 3: No Such Object
The server side error is "Directory object not found."
0 entries modified successfully.
An error has occurred in the program
C:\Iop>ldifde -i -f inetorgpersonfix.ldf -v -c DC=X "CN=secretary,CN=Schema,CN=Configuration,DC=servername,DC=domainname,DC=com"
Connecting to "servername.domainname.com"
Logging in as current user using SSPI
Importing directory from file "inetorgpersonfix.ldf"
Loading entries
1: CN=secretary,CN=Schema,CN=Configuration,CN=secretary,CN=Schema,CN=Configuration,DC=servername,DC=domainname,DC=com
Add error on line 3: No Such Object
The server side error is "Directory object not found."
0 entries modified successfully.
An error has occurred in the program
C:\Iop>ldifde -i -f inetorgpersonfix.ldf -v -c DC=X "CN=Schema,CN=Configuration,DC=servername,DC=domainname,DC=com"
Connecting to "servername.domainname.com"
Logging in as current user using SSPI
Importing directory from file "inetorgpersonfix.ldf"
Loading entries
1: CN=secretary,CN=Schema,CN=Configuration,CN=Schema,CN=Configuration,DC=servernameL,DC=domainname,DC=com
Add error on line 3: No Such Object
The server side error is "Directory object not found."
0 entries modified successfully.
An error has occurred in the program
C:\Iop>
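What ldifde -c does with the two strings on its command line, worked over the attempts in the log above, as an added example that is not part of the original post. ldifde -c performs a plain, case-sensitive text replacement of the first string (DC=X) with the second in every dn: line of the file, so whatever is passed as the second string is spliced in exactly where DC=X stood; the first attempt's target DN, and the doubled CN=secretary,CN=Schema,CN=Configuration,CN=secretary,... DN of the later attempts, fall out of that directly. The LDIF fragment is constructed (only the first record's DN of inetorgpersonfix.ldf is visible in the log), and the forest root domain is assumed to be domainname.com, the DNS suffix the log shows, so its DN is taken to be DC=domainname,DC=com; the one form the log never tries is that DN without a server name and without a trailing period.

```python
import re

# Constructed stand-in for inetorgpersonfix.ldf: the log only shows the first
# record's DN (entry 1: CN=secretary,CN=Schema,CN=Configuration,...), so this
# fragment is an assumption, not Microsoft's file.
SAMPLE_FIX_LDF = """\
dn: CN=secretary,CN=Schema,CN=Configuration,DC=X
changetype: Modify
replace: lDAPDisplayName
lDAPDisplayName: secretary
-
"""

# Assumed forest root domain: the DNS suffix that appears in the log.
ASSUMED_FOREST_DNS = "domainname.com"


def root_dn_from_dns(forest_dns_name):
    """Build the forest root domain DN from its DNS name: one DC= component per
    label, dropping the trailing dot that DNS tolerates but LDAP does not."""
    labels = [lbl for lbl in forest_dns_name.strip().rstrip(".").split(".") if lbl]
    return ",".join("DC=" + lbl for lbl in labels)


def apply_c_substitution(ldif_text, from_dn, to_dn):
    """Mimic 'ldifde -c from_dn to_dn': a literal, case-sensitive replacement of
    from_dn with to_dn on every dn: line. Nothing is parsed or validated; the
    second string lands exactly where the first one stood."""
    out = []
    for line in ldif_text.splitlines():
        if line.startswith("dn:"):
            line = line.replace(from_dn, to_dn)
        out.append(line)
    return "\n".join(out) + "\n"


def target_dns(ldif_text):
    """The DNs ldifde would try to modify (what it echoes as '1: ...')."""
    return [line[3:].strip() for line in ldif_text.splitlines() if line.startswith("dn:")]


def diagnose_replacement(to_dn, forest_dns_name=ASSUMED_FOREST_DNS):
    """Check the second -c argument before ldifde sends anything to the schema
    master. Returns a list of problems; an empty list means it is the forest
    root domain DN that KB 314649 asks for."""
    problems = []
    expected = root_dn_from_dns(forest_dns_name)
    if to_dn.endswith("."):
        problems.append("ends with '.': not a valid DN (the log shows 'Referral' for these)")
    if re.search(r"(?i)(^|,)\s*CN=", to_dn):
        problems.append("contains CN= components: the file already carries "
                        "CN=<attribute>,CN=Schema,CN=Configuration, so the DN doubles up")
    if to_dn.rstrip(".").lower() != expected.lower():
        problems.append("is not the forest root domain DN " + expected)
    return problems


if __name__ == "__main__":
    attempts = [
        "DC=servername,DC=domainname,DC=com",
        "DC=servername,DC=domainname,DC=com.",
        "DC=domainname,DC=com.",
        "CN=secretary,CN=Schema,CN=Configuration,DC=servername,DC=domainname,DC=com",
        "CN=Schema,CN=Configuration,DC=servername,DC=domainname,DC=com",
        root_dn_from_dns(ASSUMED_FOREST_DNS),
    ]
    for to_dn in attempts:
        print('-c DC=X "%s"' % to_dn)
        for dn in target_dns(apply_c_substitution(SAMPLE_FIX_LDF, "DC=X", to_dn)):
            print("   target:", dn)
        for problem in diagnose_replacement(to_dn):
            print("   problem:", problem)
```

The two server-side errors in the log split along the same line the check draws: a syntactically valid DN that does not exist (a DC=servername component, or the doubled schema prefix) gets "No Such Object", while a string ending in "." is not a DN at all and the server answers with a referral. Only a second argument that is exactly the forest root domain DN makes the file's dn: lines resolve to CN=secretary,CN=Schema,CN=Configuration,<root DN>, which is the object the fix has to modify.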
Connecting to "servername.domainname.com
Logging in as current user using SSPI
Importing directory from file "inetorgpersonfix.ldf"
Loading entries
1: CN=secretary,CN=Schema,CN=
on,DC=servername,DC=domain
Add error on line 3: No Such Object
The server side error is "Directory object not found."
0 entries modified successfully.
An error has occurred in the program
C:\Iop>ldifde -i -f inetorgpersonfix.ldf -v -c DC=X "CN=secretary,CN=Schema,CN
Connecting to "servername.domainname.com
Logging in as current user using SSPI
Importing directory from file "inetorgpersonfix.ldf"
Loading entries
1: CN=secretary,CN=Schema,CN=
Add error on line 3: No Such Object
The server side error is "Directory object not found."
0 entries modified successfully.
An error has occurred in the program
C:\Iop>ldifde -i -f inetorgpersonfix.ldf -v -c DC=X "CN=Schema,CN=Configuratio
DC=servername,DC=domainnam
Connecting to "servername.domainname.com
Logging in as current user using SSPI
Importing directory from file "inetorgpersonfix.ldf"
Loading entries
1: CN=secretary,CN=Schema,CN=
Add error on line 3: No Such Object
The server side error is "Directory object not found."
0 entries modified successfully.
An error has occurred in the program
C:\Iop>
Hi Wilson J,
The DNS settings are set to point to self because the server is a DC and holds
a copy of an Active Directory-integrated zone.
To avoid replication problems, do the following.
Change the DNS settings on the main server as follows:
First NIC
IP 192.168.1.2
SM 255.255.255.0
DG 192.168.1.1 (which is my firewall router)
PDNS 192.168.0.2
Second NIC
IP 10.0.0.1
SM 255.255.255.0
DG 192.168.1.1
No DNS
Disable "Register this connection's addresses in DNS" in Advanced -> DNS.
(This could have been the cause of the replication problems,
because 10.0.0.1 is the registered host name in DNS for the primary server.)
Look for the host record with 10.0.0.1 in DNS and delete it.
On the other DC, the one with Exchange 2000, point it to the main server:
IP 192.168.1.3
SM 255.255.255.0
DG 192.168.1.1
PDNS 192.168.1.2
You are entering the wrong parameters for the ldifde command:
C:\Iop>ldifde -i -f inetorgpersonfix.ldf -v -c DC=X "DC=servername,DC=domainname,DC=com"
Servername should not be included in the domain parameter.
The correct command line should look like this:
C:\Iop>ldifde -i -f inetorgpersonfix.ldf -v -c DC=X "DC=domainname,DC=com"
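The point of the correction above is that `-c DC=X "..."` is a plain string substitution: whatever is in the quotes replaces `DC=X` in every line of the LDF file, so the substituted `dn:` of entry 1 must land exactly inside the forest's schema naming context or the DC answers "No Such Object" (or a referral, when the suffix names a partition this DC does not hold). The script below is an added example, not code from the thread or from Microsoft; it reproduces that substitution offline and checks the result against the forest's rootDSE values before anything is imported. The `SAMPLE_LDIF` is a constructed stand-in for inetorgpersonfix.ldf (only its first `dn:` line is taken from the thread's output; the real attribute changes are omitted), and `ROOTDSE` is a constructed copy of the two attributes you would read from a base-scope query of the empty DN on a DC in domainname.com.

```python
"""Reproduce `ldifde -c FromDN ToDN` and validate the resulting DNs.

Added example; the LDIF sample and the rootDSE values are constructed,
not taken from a real forest.
"""

# Constructed sample: only the dn: of entry 1 comes from the thread's output
# (the placeholder DC=X is what ldifde -c rewrites); the real file's attribute
# modifications are deliberately left out.
SAMPLE_LDIF = """\
dn: CN=secretary,CN=Schema,CN=Configuration,DC=X
changetype: modify
"""

# Constructed rootDSE attributes for a forest whose root domain is domainname.com.
ROOTDSE = {
    "defaultNamingContext": "DC=domainname,DC=com",
    "schemaNamingContext": "CN=Schema,CN=Configuration,DC=domainname,DC=com",
}


def ldifde_c(ldif_text, from_dn, to_dn):
    """Mimic ldifde's -c switch: replace every occurrence of from_dn with to_dn."""
    return "\n".join(line.replace(from_dn, to_dn)
                     for line in ldif_text.splitlines()) + "\n"


def dn_components(dn):
    """Split a DN into RDNs normalised for comparison (DNs are case-insensitive)."""
    return [part.strip().lower() for part in dn.split(",")]


def check_target(ldif_text, to_dn, rootdse=ROOTDSE):
    """Return (ok, message) for the value you intend to pass in the quotes.

    Every substituted dn: must end with the schema naming context; a DN with
    a server name in it, or a trailing period, fails here exactly as it fails
    on the DC ("No Such Object" / "Referral").
    """
    schema_nc = dn_components(rootdse["schemaNamingContext"])
    for line in ldifde_c(ldif_text, "DC=X", to_dn).splitlines():
        if not line.lower().startswith("dn:"):
            continue
        dn = line[3:].strip()
        parts = dn_components(dn)
        if parts[-len(schema_nc):] != schema_nc:
            return False, (f"{dn} is not under {rootdse['schemaNamingContext']}; "
                           "the DC will answer 'No Such Object' or return a referral")
    return True, "every dn: line resolves under the schema naming context"


def ldifde_command(to_dn):
    """The command line you would actually type once check_target() passes."""
    return f'ldifde -i -f inetorgpersonfix.ldf -v -c DC=X "{to_dn}"'


if __name__ == "__main__":
    for candidate in ("DC=domainname,DC=com",
                      "DC=servername,DC=domainname,DC=com",
                      "DC=domainname,DC=com."):
        ok, msg = check_target(SAMPLE_LDIF, candidate)
        print(("OK  " if ok else "BAD ") + ldifde_command(candidate) + "  ->  " + msg)
```

Run it on a real forest by replacing the `ROOTDSE` dictionary with the `defaultNamingContext` and `schemaNamingContext` values from a base-scope LDAP query of the empty DN; the only candidate that passes is the forest root's `defaultNamingContext`, which is what the correct command line above uses.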
After running the other 8 steps,
set the DCs to point to each other:
First NIC
IP 192.168.1.2
SM 255.255.255.0
DG 192.168.1.1 (which is my firewall router)
PDNS 192.168.0.3
SDNS 192.168.0.2
Second NIC
IP 10.0.0.1
SM 255.255.255.0
DG 192.168.1.1
No DNS
Disable "Register this connection's addresses in DNS" in Advanced -> DNS.
(This could have been the cause of the replication problems,
because 10.0.0.1 is the registered host name in DNS for the primary server.)
Look for the host record with 10.0.0.1 in DNS and delete it.
On the other DC, the one with Exchange 2000, point it to the main server:
IP 192.168.1.3
SM 255.255.255.0
DG 192.168.1.1
PDNS 192.168.1.2
SDNS 192.168.0.3
If the primary DNS server is down, the secondary is used.
The servers point to each other to avoid causing an island
(that is, a situation where the servers only update themselves
and the changes are not replicated to each other).
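The two mistakes the answer above corrects, a DC whose only DNS server is itself (the "island") and a second NIC that registers an address no other DC can reach, are easy to check mechanically across a set of DCs. The script below is an added example, not part of the thread; `BEFORE` and `AFTER` are constructed from the addresses quoted in this thread (using its 192.168.1.0/24 numbering throughout), and the DC names `MAINDC` and `EXCHDC` are placeholders.

```python
"""Audit DC DNS-client settings for replication islands and stray registrations.

Added example with constructed data; DC names are placeholders and the
addresses follow the thread's 192.168.1.0/24 and 10.0.0.0/24 networks.
"""
import ipaddress

# One dict per NIC: owning DC, address with prefix length, the DNS servers
# configured on that NIC, and whether the NIC registers its address in DNS.
BEFORE = [  # constructed: each DC resolves only through itself, 10.0.0.1 registers
    {"dc": "MAINDC", "addr": "192.168.1.2/24", "dns": ["192.168.1.2"], "register": True},
    {"dc": "MAINDC", "addr": "10.0.0.1/24",    "dns": [],              "register": True},
    {"dc": "EXCHDC", "addr": "192.168.1.3/24", "dns": ["192.168.1.3"], "register": True},
]
AFTER = [   # constructed: DCs point to each other first, second NIC no longer registers
    {"dc": "MAINDC", "addr": "192.168.1.2/24", "dns": ["192.168.1.3", "192.168.1.2"], "register": True},
    {"dc": "MAINDC", "addr": "10.0.0.1/24",    "dns": [],                             "register": False},
    {"dc": "EXCHDC", "addr": "192.168.1.3/24", "dns": ["192.168.1.2", "192.168.1.3"], "register": True},
]


def audit(nics):
    """Return a list of findings; an empty list means no island and no stray registration."""
    findings = []
    owner = {str(ipaddress.ip_interface(n["addr"]).ip): n["dc"] for n in nics}
    dcs = sorted({n["dc"] for n in nics})

    # Rule 1: with more than one DC, each DC must list at least one *other* DC
    # among its DNS servers, otherwise it only ever sees its own zone copy.
    for dc in dcs:
        servers = [ip for n in nics if n["dc"] == dc for ip in n["dns"]]
        if not servers:
            findings.append(f"{dc}: no DNS servers configured")
            continue
        peers = {owner.get(ip, "non-DC") for ip in servers}
        if len(dcs) > 1 and not (peers - {dc}):
            findings.append(f"{dc}: every DNS server it uses is itself {servers}; replication island risk")

    # Rule 2: a NIC that registers in DNS must sit on a subnet that at least one
    # other DC can reach, or the other DCs may resolve this DC to a dead address.
    for n in nics:
        if not n["register"]:
            continue
        net = ipaddress.ip_interface(n["addr"]).network
        reachable = [m for m in nics
                     if m["dc"] != n["dc"] and ipaddress.ip_interface(m["addr"]).ip in net]
        if not reachable:
            findings.append(f"{n['dc']}: {n['addr']} registers in DNS but no other DC is on {net}; "
                            "disable registration on that NIC and delete its host record")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg) or "clean")
```

The "before" set produces three findings (both DCs are islands, and 10.0.0.1 is registering); the "after" set, which is the layout the answer recommends, produces none. Feed it the NIC settings of every DC in the site to see the same problems before you force replication, since the event log stays quiet either way.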
ASKER
OK, I made the changes to the TCP/IP and DNS settings on both DCs.
I ran the 8 steps with no errors whatsoever,
but when I get to the inetorgpersonfix.ldf part I get the following error:
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Documents and Settings\Administrator>cd\
C:\>cd iop
C:\Iop>ldifde -i -f inetorgpersonfix.ldf -v -c DC=X "DC=domain,DC=com"
Connecting to "servername.domain.com"
Logging in as current user using SSPI
Importing directory from file "inetorgpersonfix.ldf"
Loading entries
1: CN=secretary,CN=Schema,CN=Configuration,DC=sevillewatch,DC=com
Add error on line 3: No Such Object
The server side error is "Directory object not found."
0 entries modified successfully.
An error has occurred in the program
WHAT AM I DOING WRONG? I ENTERED THE COMMAND EXACTLY AS YOU WROTE IT.
Jeez, I'm going to go crazy here.
I did not follow your second post to have the DCs point to each other, since I'm stuck here.
What should I do next?
ASKER
Just a thought,
Nyaema, I'm running the adprep /forestprep command on my main controller, not the one running Exchange.
I believe this is the correct way to do things; that DC has to be prepped first, right?
How do I know if the replication is working? I don't have any new logs in the event viewer. On the main DC the last thing I have in the FRS log is from 12/5/2005, and on the second DC (the Exchange one) the last thing I have is from 12/6/2005. I really don't understand; I think I should be seeing some new logs after all the changes I made?
Thanks again for your Help.
WilsonJ
If the latest Adprep runs without errors, you can ignore the ldifde errors.
ASKER
That's the problem: when I ran the adprep command I was still getting the same error. I'm waiting for the end of the day to see if I can reboot the server tonight; I am going to try what rajeshgkamath suggested. I feel I've hit a dead end here.
I will keep you guys posted on any changes.
Thanks
WilsonJ
ASKER CERTIFIED SOLUTION
ASKER
NYAEMA
I really don't know how to thank you; forget about being late, it was worth the wait.
I don't know if I'm going to run into problems later on, but the adprep /forestprep command is running as I'm typing this.
I couldn't wait to say THANK YOU.
WilsonJ
You're welcome WilsonJ =)
I want to thank you too. Today this works for me!
This also worked for me. Thanks a lot
Worked for me, too. I can't believe I missed this one. Thanks!
Worked perfectly... You saved me hours of searching... Thank you!!!
This is exactly what i needed. THANK YOU!!!
One extra thing which may help people:
this worked for me, other than the fact that I needed to allow schema updates in the registry;
without it, it didn't work.
To Enable Schema Updates by Means of the Registry:
It is not recommended to enable schema updates by directly editing the "Schema Update Allowed" registry key. Schema updates should be enabled through the console method, whenever possible. If for some reason the console method cannot be used, the following registry key may be edited directly:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
To directly edit this registry key, perform the following steps:
Click Start, click Run, and then in the Open box, type:
regedit
Then press ENTER.
Locate and click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
On the Edit menu, click New, and then click DWORD Value.
Enter the value data when the following registry value is displayed:
Value Name: Schema Update Allowed
Data Type: REG_DWORD
Base: Binary
Value Data: Type 1 to enable this feature, or 0 (zero) to disable it.
Quit Registry Editor.
The schema may now be updated on the domain controller that holds the schema operations
This solution was spot on! The inetorgpersonprevent.ldf file fixed my issue and I'm happily running adprep /forestprep on this crusty old Windows 2000 network so I can DCPROMO some 2008 DCs! Woooo hooo, I love Experts Exchange!
Thanks to all who contributed to the solution!
I have tried the suggested methods, except the InetOrgPersonPrevent one. That is next on my list to do.
My issue is that Exchange has been removed from the server completely but is still in AD somewhere, as I still get the error when trying to run adprep /forestprep telling me there is an Exchange schema conflict. This is driving me nuts.
This solution has helped me with migrating from Win2K / Exchange 5.5 to W2K3 / Exchange 2003. It rocks!
Thank you so much Nyaema! It worked for me!!!
Check your event logs on both DC's for AD replication errors.
Check your Active directory sites and services snap-in for any problems.