Avatar of itsup23
itsup23 asked on

cannot add 2012 server as domain controller to 2003. schema issues

Trying to add windows 2012 server as domain controller to 2003 servers.

Get the error message - A previous schema extension has defined some attribute value differently than the schema extension needed for this version of Windows Server

I have run the 'hotfix' schema extension from microsoft but it did not work.

Server with FSMO roles in windows 2003 standard SP2

Any ideas?
Windows Server 2012Windows Server 2003Windows OS

Avatar of undefined
Last Comment
itsup23

8/22/2022 - Mon
Paul MacDonald

Have you done the forest prep/domain prep?
ASKER
itsup23

Yes I get an error message when trying to run forestprep

Adprep will not extend your existing schema
Contact the vendor of the application that extended the schema with OID value
1.3.6.1.1.1.1.0 and resolve this inconsistency

then run adprep again
Ram Balachandran

If for some reason the console method cannot be used, the following registry key may be edited directly:

HKLM\system\CurrentControlSet\Services\NTDS\Parameters
Value Name: Schema Update Allowed
Value Type: REG_DWORD
Value Data:1

Run agian ADPREP /FORESTPREP.

If it is working set back "Schema Update Allowed" registry value when finished as orginal.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
ASKER
itsup23

Still the same error. I should also add this when running adprep

Active Directory directory service for Windows Server 2003 R2: "Attribute value for objects defined in Windows 2000 schema and extended schema do not match"
Ram Balachandran

which is the hot fix you installed  - is it 919938 ?
ASKER
itsup23

yes
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Ram Balachandran

Have you executed C:\temp\Idmschupg.exe as per KB919938 ?
 Because that hotfix just extract two files and we need to execute it

http://support.microsoft.com/kb/919938
ASKER
itsup23

Yes and I get schema extension failed
Ram Balachandran

Can you please paste the complete error you got while running ad-prep - did you had UNIX for Windows installed previously ?
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
ASKER
itsup23

My other potential issue running adprep is that because i'm running windows 2003 32-bit and 2012 only supports 64-bit, I took the adprep from 2008 server to get adprep32.exe

Here is the error message

C:\Program Files\Support Tools>cd\

C:\>cd adprep

C:\adprep>adprep32 /forestprep

ADPREP WARNING:

Before running adprep, all Windows 2000 Active Directory Domain Controllers in t
he forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.

[User Action]
If ALL your existing Windows 2000 Active Directory Domain Controllers meet this
requirement, type C and then press ENTER to continue. Otherwise, type any other
key and press ENTER to quit.


C

==============================================================================
OID "1.3.6.1.1.1.1.0" defined for object CN=MSSFU2x-uidNumber,CN=Schema,CN=Confi
guration,DC=domain,DC=com conflicts with the schema extensions neede
d for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID valu
e "1.3.6.1.1.1.1.0" and resolve this inconsistency.  Then run adprep again.



==============================================================================
OID "1.3.6.1.1.1.1.1" defined for object CN=MSSFU2x-gidNumber,CN=Schema,CN=Confi
guration,DC=domain,DC=com conflicts with the schema extensions neede
d for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID valu
e "1.3.6.1.1.1.1.1" and resolve this inconsistency.  Then run adprep again.



==============================================================================
OID "1.3.6.1.1.1.1.4" defined for object CN=MSSFU2x-loginShell,CN=Schema,CN=Conf
iguration,DC=domain,DC=com conflicts with the schema extensions need
ed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID valu
e "1.3.6.1.1.1.1.4" and resolve this inconsistency.  Then run adprep again.



==============================================================================
OID "1.3.6.1.1.1.1.5" defined for object CN=MSSFU2x-shadowLastChange,CN=Schema,C
N=Configuration,DC=domain,DC=com conflicts with the schema extension
s needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID valu
e "1.3.6.1.1.1.1.5" and resolve this inconsistency.  Then run adprep again.



==============================================================================
OID "1.3.6.1.1.1.1.10" defined for object CN=MSSFU2x-shadowExpire,CN=Schema,CN=C
onfiguration,DC=domain,DC=com conflicts with the schema extensions n
eeded for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID valu
e "1.3.6.1.1.1.1.10" and resolve this inconsistency.  Then run adprep again.



==============================================================================
OID "1.3.6.1.1.1.1.12" defined for object CN=MSSFU2x-memberUid,CN=Schema,CN=Conf
iguration,DC=domain,DC=com conflicts with the schema extensions need
ed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID valu
e "1.3.6.1.1.1.1.12" and resolve this inconsistency.  Then run adprep again.
Ram Balachandran

"CN=MSSFU2x-uidNumber" entry is for Unix system, which conflicts with the schema extensions needed for Windows Server 2008. And the "msSFU-30 XXX" entries are for Windows Server system.  

In this case, you might need to rename CN=MSSFU2x-XXXXXX entries using adsiedit very carefully ; after ad backup as per below kb;

http://support.microsoft.com/kb/923787/en-us
 --
As this is the fix from MS for this issue : http://support.microsoft.com/kb/921599/en-us

If not working, you might need to contact MS Support
ASKER
itsup23

I renamed all of the CN=MSSFU2x entries and it still fails . Do I need to change the attributeID value associated with the entry

ie. 1.3.6.1.1.1.0?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
itsup23

I found a copy of windows 2003 R2 and ran adprep and it was successful. However, when trying to upgrade the schema again it fails with the same error.

I have even transferred schema roles and tried on a different server but same error.

I don't see windows services for unix anywhere on any servers

Can I delete the MSSFU2x entries? or how can they be edited to work with 2012

anyone have any ideas?
Ram Balachandran

This is very critical and recommend you to reach Microsoft Support.
Ensure you have a backup of AD everyday  while working on schema updates and forest level restore might require in case of a failure.

--

Well, the mentioned OID present in Windows 2003 of your domain [ which is related to UNIX is conflicting with UIDs defined in Windows 2008 schema]
Ref : http://www.netid.washington.edu/documentation/schema/w2k8Schema.aspx

 You will not be able to delete schema in Windows 2003, but you can de-activate it.
meanwhile, i am looking for any other options to fix this
Ram Balachandran

Please refer below link that has steps to remove conflict entries
http://support.microsoft.com/kb/887426/en-us
https://discussions.apple.com/message/12719535#12719535
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
ASKER
itsup23

No entries found when searching for UniqueID conflict entries

also when trying to deactivate these entries, I receive the error 'Schema deletion failed: attribute is used in may-contain
ASKER
itsup23

Update..I upgraded to windows services for unix 3.5 and it made changes to the schema


However when using 2012 promote to domain controller I now get this error

error determining whether target environment requires adprep:

Validation error: Validation error: Unable to make an LDAP connection to server

Exception: A directory service error has occured \n

Detials:Test.VerifyForestUpgradeStatus.AdPrep.Win32Exception -2147467259
ASKER
itsup23

now back to the same error

A previous schema extension has defined some attribute value differently than the schema extension needed for this version of Windows Server
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Ram Balachandran

can you please confirm if you are running 32 bit adprep.exe
ASKER
itsup23

2003 windows server is 32-bit adprep.  I have tried the 2012 promote to dc (which is 64-bit) and tried 2008 32-bit adprep and it didn't work

same error 'oid "xxxxx" CN=MSSFU2x-xxxx conflicts with schema extension'
ASKER CERTIFIED SOLUTION
itsup23

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
itsup23

This was the fix
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy