Solved

Cannot add 2012 server as domain controller to 2003: schema issues

Posted on 2013-12-03
1,696 Views
Last Modified: 2014-01-14
Trying to add Windows 2012 server as domain controller to 2003 servers.

Get the error message - A previous schema extension has defined some attribute value differently than the schema extension needed for this version of Windows Server

I have run the 'hotfix' schema extension from Microsoft but it did not work.

Server with FSMO roles in Windows 2003 Standard SP2

Any ideas?
Question by:itsup23
22 Comments
 
LVL 33

Expert Comment

by:paulmacd
ID: 39693675
Have you done the forest prep/domain prep?
0
 

Author Comment

by:itsup23
ID: 39693728
Yes I get an error message when trying to run forestprep

Adprep will not extend your existing schema
Contact the vendor of the application that extended the schema with OID value
1.3.6.1.1.1.1.0 and resolve this inconsistency

then run adprep again
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39693731
If for some reason the console method cannot be used, the following registry key may be edited directly:

HKLM\system\CurrentControlSet\Services\NTDS\Parameters
Value Name: Schema Update Allowed
Value Type: REG_DWORD
Value Data: 1

Run ADPREP /FORESTPREP again.

If it works, set the "Schema Update Allowed" registry value back to its original value when finished.
0
 

Author Comment

by:itsup23
ID: 39693791
Still the same error. I should also add this when running adprep

Active Directory directory service for Windows Server 2003 R2: "Attribute value for objects defined in Windows 2000 schema and extended schema do not match"
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39693806
Which hotfix did you install? Is it 919938?
0
 

Author Comment

by:itsup23
ID: 39693812
yes
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39693837
Have you executed C:\temp\Idmschupg.exe as per KB919938?
That hotfix just extracts two files, and we need to execute it.

http://support.microsoft.com/kb/919938
0
 

Author Comment

by:itsup23
ID: 39693861
Yes and I get schema extension failed
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39693899
Can you please paste the complete error you got while running adprep? Did you have UNIX for Windows installed previously?
0
 

Author Comment

by:itsup23
ID: 39693941
My other potential issue running adprep is that because I'm running Windows 2003 32-bit and 2012 only supports 64-bit, I took the adprep from a 2008 server to get adprep32.exe

Here is the error message

C:\Program Files\Support Tools>cd\

C:\>cd adprep

C:\adprep>adprep32 /forestprep

ADPREP WARNING:

Before running adprep, all Windows 2000 Active Directory Domain Controllers in the forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.

[User Action]
If ALL your existing Windows 2000 Active Directory Domain Controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.

C

==============================================================================
OID "1.3.6.1.1.1.1.0" defined for object CN=MSSFU2x-uidNumber,CN=Schema,CN=Configuration,DC=domain,DC=com conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.0" and resolve this inconsistency.  Then run adprep again.

==============================================================================
OID "1.3.6.1.1.1.1.1" defined for object CN=MSSFU2x-gidNumber,CN=Schema,CN=Configuration,DC=domain,DC=com conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.1" and resolve this inconsistency.  Then run adprep again.

==============================================================================
OID "1.3.6.1.1.1.1.4" defined for object CN=MSSFU2x-loginShell,CN=Schema,CN=Configuration,DC=domain,DC=com conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.4" and resolve this inconsistency.  Then run adprep again.

==============================================================================
OID "1.3.6.1.1.1.1.5" defined for object CN=MSSFU2x-shadowLastChange,CN=Schema,CN=Configuration,DC=domain,DC=com conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.5" and resolve this inconsistency.  Then run adprep again.

==============================================================================
OID "1.3.6.1.1.1.1.10" defined for object CN=MSSFU2x-shadowExpire,CN=Schema,CN=Configuration,DC=domain,DC=com conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.10" and resolve this inconsistency.  Then run adprep again.

==============================================================================
OID "1.3.6.1.1.1.1.12" defined for object CN=MSSFU2x-memberUid,CN=Schema,CN=Configuration,DC=domain,DC=com conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.12" and resolve this inconsistency.  Then run adprep again.
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39693995
The "CN=MSSFU2x-uidNumber" entry is for a Unix system, which conflicts with the schema extensions needed for Windows Server 2008. And the "msSFU-30 XXX" entries are for the Windows Server system.

In this case, you might need to rename the CN=MSSFU2x-XXXXXX entries using adsiedit, very carefully, after an AD backup, as per the KB below:

http://support.microsoft.com/kb/923787/en-us
 --
This is the fix from MS for this issue: http://support.microsoft.com/kb/921599/en-us

If that does not work, you might need to contact MS Support
0
 

Author Comment

by:itsup23
ID: 39695402
I renamed all of the CN=MSSFU2x entries and it still fails. Do I need to change the attributeID value associated with the entry,

i.e. 1.3.6.1.1.1.0?
0
 

Author Comment

by:itsup23
ID: 39698762
I found a copy of Windows 2003 R2 and ran adprep and it was successful. However, when trying to upgrade the schema again it fails with the same error.

I have even transferred schema roles and tried on a different server but got the same error.

I don't see Windows Services for UNIX anywhere on any servers.

Can I delete the MSSFU2x entries? Or how can they be edited to work with 2012?

Anyone have any ideas?
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39700212
This is very critical and I recommend you reach out to Microsoft Support.
Ensure you have a backup of AD every day while working on schema updates, as a forest-level restore might be required in case of a failure.

--

Well, the mentioned OID present in Windows 2003 of your domain [which is related to UNIX] is conflicting with UIDs defined in the Windows 2008 schema.
Ref: http://www.netid.washington.edu/documentation/schema/w2k8Schema.aspx

You will not be able to delete schema in Windows 2003, but you can de-activate it.
Meanwhile, I am looking for any other options to fix this.
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39700657
Please refer to the links below, which have steps to remove conflicting entries:
http://support.microsoft.com/kb/887426/en-us
https://discussions.apple.com/message/12719535#12719535
0
 

Author Comment

by:itsup23
ID: 39701211
No entries found when searching for UniqueID conflict entries.

Also, when trying to deactivate these entries, I receive the error 'Schema deletion failed: attribute is used in may-contain'
0
 

Author Comment

by:itsup23
ID: 39712084
Update: I upgraded to Windows Services for UNIX 3.5 and it made changes to the schema.

However, when using the 2012 promote to domain controller I now get this error:

error determining whether target environment requires adprep:

Validation error: Validation error: Unable to make an LDAP connection to server

Exception: A directory service error has occured \n

Detials:Test.VerifyForestUpgradeStatus.AdPrep.Win32Exception -2147467259
0
 

Author Comment

by:itsup23
ID: 39714122
Now back to the same error:

A previous schema extension has defined some attribute value differently than the schema extension needed for this version of Windows Server
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39714178
Can you please confirm whether you are running the 32-bit adprep.exe?
0
 

Author Comment

by:itsup23
ID: 39715297
The 2003 Windows server is 32-bit adprep. I have tried the 2012 promote to DC (which is 64-bit) and tried the 2008 32-bit adprep and it didn't work.

Same error: 'oid "xxxxx" CN=MSSFU2x-xxxx conflicts with schema extension'
0
 

Accepted Solution

by:
itsup23 earned 0 total points
ID: 39768232
I finally resolved this issue. It seems if you had any OS 9 Macs on your network it can cause this issue.


You cannot delete attributes once they are in the Schema, only mark them as defunct.

You cannot defunct the attributes if they are listed as a 'maycontain' in other objects.

To defunct them:

Load up Active Directory Schema

Look under 'Classes' for 'apple-preset-user' and 'apple-preset-group' - Right click->Properties

Look under 'Attributes' and remove anything starting with MSSFU2x

Click OK when done.

Now look under the 'Attributes' container of the Schema editor (it's under 'Classes')

Look for the MSSFU2x- attributes - double click them to get their properties, untick 'Attribute is Active' then click OK - it should mark it as defunct.
0
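Added example (not part of the original thread and not any poster's code): a read-only check for the condition the accepted solution describes, run against a schema export such as `ldifde -f schema.ldf -d "CN=Schema,CN=Configuration,DC=domain,DC=com"`. It lists every MSSFU2x attribute with its OID, whether it is already defunct, and every class (not only the two apple-preset classes) that still references it and so blocks marking it defunct. The embedded LDIF is constructed sample data and its lDAPDisplayName values are assumptions.

```python
from collections import defaultdict

# Constructed sample of an ldifde schema export; lDAPDisplayName values are assumed.
SAMPLE = """\
dn: CN=MSSFU2x-uidNumber,CN=Schema,CN=Configuration,DC=doma
 in,DC=com
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.0
lDAPDisplayName: mSSFU2x-uidNumber

dn: CN=MSSFU2x-gidNumber,CN=Schema,CN=Configuration,DC=domain,DC=com
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.1
lDAPDisplayName: mSSFU2x-gidNumber
isDefunct: TRUE

dn: CN=apple-preset-user,CN=Schema,CN=Configuration,DC=domain,DC=com
objectClass: classSchema
lDAPDisplayName: apple-preset-user
mayContain: mSSFU2x-uidNumber
"""
REFS = ("mayContain", "mustContain", "systemMayContain", "systemMustContain")

def parse_ldif(text):
    """Yield one dict per LDIF record: attribute name -> list of values."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # undo LDIF line folding
    for block in text.split("\n\n"):
        rec = defaultdict(list)
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            # Skip comments and base64 ("attr:: ...") values; schema names are ASCII.
            if sep and not line.startswith("#") and not value.startswith(":"):
                rec[name].append(value.strip())
        if rec["dn"]:
            yield rec

def audit(text, prefix="CN=MSSFU2x-"):
    """Map each matching attribute CN to its OID, defunct flag and blocking classes."""
    recs, report, by_name = list(parse_ldif(text)), {}, {}
    for r in recs:
        if "attributeSchema" in r["objectClass"] and r["dn"][0].startswith(prefix):
            cn = r["dn"][0].split(",")[0][3:]
            report[cn] = {"oid": r["attributeID"][0], "blocked_by": [],
                          "defunct": r["isDefunct"] == ["TRUE"]}
            by_name[r["lDAPDisplayName"][0].lower()] = cn
    for r in (r for r in recs if "classSchema" in r["objectClass"]):
        for member in (m.lower() for ref in REFS for m in r[ref]):
            if member in by_name:
                report[by_name[member]]["blocked_by"].append(r["lDAPDisplayName"][0])
    return report
```

An attribute with an empty blocked_by list and defunct False is one that can be unticked as 'Attribute is Active' without hitting the may-contain error reported earlier in the thread.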
 

Author Closing Comment

by:itsup23
ID: 39778759
This was the fix
0
