Cannot add 2012 server as domain controller to 2003: schema issues

Trying to add a Windows 2012 server as a domain controller to 2003 servers.

Get the error message - A previous schema extension has defined some attribute value differently than the schema extension needed for this version of Windows Server

I have run the 'hotfix' schema extension from Microsoft but it did not work.

Server with FSMO roles in Windows 2003 Standard SP2

Any ideas?
itsup23 Asked:
 
itsup23 (Author) Commented:
I finally resolved this issue. It seems if you had any OS 9 Macs on your network it can cause this issue.


You cannot delete attributes once they are in the Schema, only mark them as defunct.

You cannot defunct the attributes if they are listed as a 'maycontain' in other objects.

To defunct them:

Load up Active Directory Schema

Look under 'Classes' for 'apple-preset-user' and 'apple-preset-group' - Right click->Properties

Look under 'Attributes' and remove anything starting with MSSFU2x

Click OK when done.

Now look under the 'Attributes' container of the Schema editor (it's under 'Classes')

Look for the MSSFU2x- attributes - double click them to get their properties, untick 'Attribute is Active' then click OK - it should mark it as defunct.
0
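
The defunct step in the answer above is refused with 'attribute is used in may-contain' for as long as any class still lists the attribute. The read-only PowerShell audit below is an added example, not part of the original thread; it assumes the attributes still carry the MSSFU2x- CN prefix shown in the adprep output and uses plain LDAP through System.DirectoryServices, so it does not need the ActiveDirectory module. It also checks the must-contain and system variants, which goes slightly beyond the may-contain case described in the thread.

```powershell
# Added example: read-only schema audit; it changes nothing in the directory.
# Assumption: the conflicting attributes still use the MSSFU2x- CN prefix.
$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNC = [string]$rootDse.schemaNamingContext

function Find-SchemaObject {
    param([string]$Filter, [string[]]$Properties)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$schemaNC"
    $searcher.SearchScope = 'OneLevel'   # schema objects sit directly under CN=Schema
    $searcher.PageSize    = 500
    $searcher.Filter      = $Filter
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    $results = $searcher.FindAll()
    foreach ($r in $results) { $r }
    $results.Dispose()
    $searcher.Dispose()
}

# Result property names are returned in lower case by DirectorySearcher.
$attrs = Find-SchemaObject '(&(objectClass=attributeSchema)(cn=MSSFU2x-*))' `
    @('cn', 'ldapdisplayname', 'attributeid', 'isdefunct')

$report = foreach ($a in $attrs) {
    $name = [string]$a.Properties['ldapdisplayname'][0]
    # Classes that still reference the attribute block the defunct operation.
    $refFilter = "(&(objectClass=classSchema)(|(mayContain=$name)(systemMayContain=$name)" +
                 "(mustContain=$name)(systemMustContain=$name)))"
    $classes = @(Find-SchemaObject $refFilter @('cn') |
                 ForEach-Object { [string]$_.Properties['cn'][0] })
    New-Object PSObject -Property @{
        Attribute    = [string]$a.Properties['cn'][0]
        OID          = [string]$a.Properties['attributeid'][0]
        IsDefunct    = (@($a.Properties['isdefunct']) -contains $true)
        ReferencedBy = ($classes -join ', ')
    }
}

$report | Sort-Object Attribute |
    Select-Object Attribute, OID, IsDefunct, ReferencedBy |
    Format-Table -AutoSize -Wrap
```

An attribute with an empty ReferencedBy column and IsDefunct set to False is ready for the 'Attribute is Active' step; any class named in that column has to be edited first.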
 
Paul MacDonald, Director, Information Systems, Commented:
Have you done the forest prep/domain prep?
0
 
itsup23 (Author) Commented:
Yes I get an error message when trying to run forestprep

Adprep will not extend your existing schema
Contact the vendor of the application that extended the schema with OID value
1.3.6.1.1.1.1.0 and resolve this inconsistency

then run adprep again
0
 
Ram Balachandran Commented:
If for some reason the console method cannot be used, the following registry key may be edited directly:

HKLM\system\CurrentControlSet\Services\NTDS\Parameters
Value Name: Schema Update Allowed
Value Type: REG_DWORD
Value Data: 1

Run ADPREP /FORESTPREP again.

If it works, set the "Schema Update Allowed" registry value back to its original value when finished.
0
 
itsup23 (Author) Commented:
Still the same error. I should also add this when running adprep

Active Directory directory service for Windows Server 2003 R2: "Attribute value for objects defined in Windows 2000 schema and extended schema do not match"
0
 
Ram Balachandran Commented:
Which is the hotfix you installed - is it 919938?
0
 
itsup23 (Author) Commented:
Yes
0
 
Ram Balachandran Commented:
Have you executed C:\temp\Idmschupg.exe as per KB919938?
Because that hotfix just extracts two files and we need to execute it.

http://support.microsoft.com/kb/919938
0
 
itsup23 (Author) Commented:
Yes, and I get schema extension failed
0
 
Ram Balachandran Commented:
Can you please paste the complete error you got while running adprep? Did you have UNIX for Windows installed previously?
0
 
itsup23 (Author) Commented:
My other potential issue running adprep is that because I'm running Windows 2003 32-bit and 2012 only supports 64-bit, I took the adprep from 2008 server to get adprep32.exe

Here is the error message

C:\Program Files\Support Tools>cd\

C:\>cd adprep

C:\adprep>adprep32 /forestprep

ADPREP WARNING:

Before running adprep, all Windows 2000 Active Directory Domain Controllers in t
he forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.

[User Action]
If ALL your existing Windows 2000 Active Directory Domain Controllers meet this
requirement, type C and then press ENTER to continue. Otherwise, type any other
key and press ENTER to quit.


C

==============================================================================
OID "1.3.6.1.1.1.1.0" defined for object CN=MSSFU2x-uidNumber,CN=Schema,CN=Confi
guration,DC=domain,DC=com conflicts with the schema extensions neede
d for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID valu
e "1.3.6.1.1.1.1.0" and resolve this inconsistency.  Then run adprep again.



==============================================================================
OID "1.3.6.1.1.1.1.1" defined for object CN=MSSFU2x-gidNumber,CN=Schema,CN=Confi
guration,DC=domain,DC=com conflicts with the schema extensions neede
d for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID valu
e "1.3.6.1.1.1.1.1" and resolve this inconsistency.  Then run adprep again.



==============================================================================
OID "1.3.6.1.1.1.1.4" defined for object CN=MSSFU2x-loginShell,CN=Schema,CN=Conf
iguration,DC=domain,DC=com conflicts with the schema extensions need
ed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID valu
e "1.3.6.1.1.1.1.4" and resolve this inconsistency.  Then run adprep again.



==============================================================================
OID "1.3.6.1.1.1.1.5" defined for object CN=MSSFU2x-shadowLastChange,CN=Schema,C
N=Configuration,DC=domain,DC=com conflicts with the schema extension
s needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID valu
e "1.3.6.1.1.1.1.5" and resolve this inconsistency.  Then run adprep again.



==============================================================================
OID "1.3.6.1.1.1.1.10" defined for object CN=MSSFU2x-shadowExpire,CN=Schema,CN=C
onfiguration,DC=domain,DC=com conflicts with the schema extensions n
eeded for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID valu
e "1.3.6.1.1.1.1.10" and resolve this inconsistency.  Then run adprep again.



==============================================================================
OID "1.3.6.1.1.1.1.12" defined for object CN=MSSFU2x-memberUid,CN=Schema,CN=Conf
iguration,DC=domain,DC=com conflicts with the schema extensions need
ed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID valu
e "1.3.6.1.1.1.1.12" and resolve this inconsistency.  Then run adprep again.
0
 
Ram Balachandran Commented:
The "CN=MSSFU2x-uidNumber" entry is for Unix systems, and it conflicts with the schema extensions needed for Windows Server 2008. The "msSFU-30 XXX" entries are for Windows Server systems.

In this case, you might need to rename the CN=MSSFU2x-XXXXXX entries using adsiedit very carefully, after an AD backup, as per the KB below:

http://support.microsoft.com/kb/923787/en-us
 --
This is the fix from MS for this issue: http://support.microsoft.com/kb/921599/en-us

If that does not work, you might need to contact MS Support.
0
 
itsup23 (Author) Commented:
I renamed all of the CN=MSSFU2x entries and it still fails. Do I need to change the attributeID value associated with the entry,

i.e. 1.3.6.1.1.1.0?
0
 
itsup23 (Author) Commented:
I found a copy of Windows 2003 R2 and ran adprep and it was successful. However, when trying to upgrade the schema again it fails with the same error.

I have even transferred schema roles and tried on a different server but got the same error.

I don't see Windows Services for UNIX anywhere on any servers.

Can I delete the MSSFU2x entries? Or how can they be edited to work with 2012?

Anyone have any ideas?
0
 
Ram Balachandran Commented:
This is very critical and I recommend you reach out to Microsoft Support.
Ensure you have a backup of AD every day while working on schema updates; a forest-level restore might be required in case of a failure.

--

Well, the mentioned OID present in Windows 2003 of your domain (which is related to UNIX) is conflicting with UIDs defined in the Windows 2008 schema.
Ref: http://www.netid.washington.edu/documentation/schema/w2k8Schema.aspx

You will not be able to delete schema in Windows 2003, but you can deactivate it.
Meanwhile, I am looking for any other options to fix this.
0
 
Ram Balachandran Commented:
Please refer to the links below, which have steps to remove conflicting entries:
http://support.microsoft.com/kb/887426/en-us
https://discussions.apple.com/message/12719535#12719535
0
 
itsup23 (Author) Commented:
No entries found when searching for UniqueID conflict entries.

Also, when trying to deactivate these entries, I receive the error 'Schema deletion failed: attribute is used in may-contain'
0
 
itsup23 (Author) Commented:
Update: I upgraded to Windows Services for UNIX 3.5 and it made changes to the schema.

However, when using the 2012 promote to domain controller I now get this error:

error determining whether target environment requires adprep:

Validation error: Validation error: Unable to make an LDAP connection to server

Exception: A directory service error has occured \n

Detials:Test.VerifyForestUpgradeStatus.AdPrep.Win32Exception -2147467259
0
 
itsup23 (Author) Commented:
Now back to the same error:

A previous schema extension has defined some attribute value differently than the schema extension needed for this version of Windows Server
0
 
Ram Balachandran Commented:
Can you please confirm if you are running 32-bit adprep.exe?
0
 
itsup23 (Author) Commented:
2003 Windows server is 32-bit adprep. I have tried the 2012 promote to DC (which is 64-bit) and tried 2008 32-bit adprep and it didn't work.

Same error: 'oid "xxxxx" CN=MSSFU2x-xxxx conflicts with schema extension'
0
 
itsup23 (Author) Commented:
This was the fix
0
Question has a verified solution.
