XADM: "You Do Not Have Permission to Update the Active Directory Schema" Error Message Occurs When You Run Setup (319944)



The information in this article applies to:

  • Microsoft Exchange 2000 Server

This article was previously published under Q319944

SYMPTOMS

When you try to run any Exchange 2000 Setup process (for example, if you run setup.exe or update.exe with the /forestprep switch or the /domainprep switch, or if you use the reinstall option or any other option), Setup may not complete successfully and you may receive the following error message:
The component "Microsoft Exchange Forest Preparation" cannot be assigned the action "Upgrade" because:

- Either you do not have permission to update the Active Directory schema or Active Directory service is currently too busy.
Additionally, the following data may be logged in the Exchange Server Setup Progress.log file:

[08:01:10] Entering ScGetSchemaVersion
[08:01:10] About to create the dob for object
/dc=com/dc=domain/cn=Configuration/cn=Schema/cn=ms-Exch-Schema-Version-Pt
[08:01:10] Leaving ScGetSchemaVersion
[08:01:11] ScRunLDIFScript (K:\admin\src\libs\exsetup\exmisc.cxx:1267)
Error code 0XC1037AE6 (31462): Extending the schema in the Active Directory failed. Please consult the following error log: %s\LDIF.ERR.
[08:01:11] ScImportActiveDSSchemaChanges
(K:\admin\src\libs\exsetup\exmisc.cxx:1366)
Error code 0XC1037AE6 (31462): Extending the schema in the Active Directory failed. Please consult the following error log: %s\LDIF.ERR.
[08:01:11] ScCanUserUpgradeSchema
(K:\admin\src\libs\exsetup\exmisc.cxx:1593)
Error code 0XC1037AE6 (31462): Extending the schema in the Active Directory failed. Please consult the following error log: %s\LDIF.ERR.
[08:01:11] Entering ScHavePermissionToCreateDSObject
[08:01:11] Leaving ScHavePermissionToCreateDSObject
[08:01:11] Entering ScFindHomeADCForCA
[08:01:11] The version read for this ADC is (16908292)
[08:01:11] Leaving ScFindHomeADCForCA
[08:01:11] Prerequisites for Microsoft Exchange Forest Preparation failed:
The component "Microsoft Exchange Forest Preparation" cannot be assigned the action "Upgrade" because:

- Either you do not have permission to update the Active Directory schema or Active Directory service is currently too busy.
[08:01:11] Entering CCompDomainPrep::ScGetEffectiveMode
[08:01:11] Leaving CCompDomainPrep::ScGetEffectiveMode
[08:01:11] Prerequisites for Microsoft Exchange Domain Preparation failed:
The component "Microsoft Exchange Forest Preparation" cannot be assigned the action "Upgrade" because:
- Either you do not have permission to update the Active Directory schema or Active Directory service is currently too busy.

The Ldif.err file that is mentioned in this log entry may contain the following data:

Entry DN: CN=Mail-Recipient,CN=Schema,CN=Configuration,DC=domain,DC=com
change: modify
Attribute 0) mayContain:assistant

Add error on line 1: Referral
The server side error is "A referral was returned from the server."
An error has occurred in the program

NOTE: The output from the log file may vary slightly depending on the action that Setup is running (for example, /forestprep, /domainprep, or other actions).

CAUSE

This issue may occur if Setup cannot contact the Schema Master or the other operations master role holders. To confirm that this is the cause of this issue, verify that the operations master role holders are known to the domain and that the server that is assigned each role exists and is accessible. To do so, use the Dcdiag tool. For example, if you run the dcdiag /test:knowsofroleholders /v command, you receive the following output:

Starting test: KnowsOfRoleHolders
Role Schema Owner = CN="NTDS Settings
DEL:388498d1-b96f-4df5-a81a-f21749bd168a",CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
Warning: CN="NTDS Settings
DEL:388498d1-b96f-4df5-a81a-f21749bd168a",CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com is the Schema Owner, but is deleted.
Role Domain Owner = CN="NTDS Settings
DEL:388498d1-b96f-4df5-a81a-f21749bd168a",CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
Warning: CN="NTDS Settings
DEL:388498d1-b96f-4df5-a81a-f21749bd168a",CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com is the Domain Owner, but is deleted.
Role PDC Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
Role Rid Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
......................... DC1 failed test KnowsOfRoleHolders

NOTE: This output may vary if a different operations master role is not functioning as expected.
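
One way to check this output mechanically, as an added example that is not part of the original article or of any Microsoft tool: the Python script below parses KnowsOfRoleHolders text and lists the roles whose recorded holder is a deleted object. The sample input is constructed from the output above, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the KnowsOfRoleHolders output in this article
# (same placeholder domain, DC names and GUID). DNs are split across lines.
SITE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com"
DEAD = 'CN="NTDS Settings\nDEL:388498d1-b96f-4df5-a81a-f21749bd168a",CN=DC1,' + SITE
LIVE = "CN=NTDS\nSettings,CN=DC2," + SITE
SAMPLE = "\n".join([
    "Starting test: KnowsOfRoleHolders",
    f"Role Schema Owner = {DEAD}",
    f"Warning: {DEAD} is the Schema Owner, but is deleted.",
    f"Role Domain Owner = {DEAD}",
    f"Warning: {DEAD} is the Domain Owner, but is deleted.",
    f"Role PDC Owner = {LIVE}",
    f"Role Rid Owner = {LIVE}",
    f"Role Infrastructure Update Owner = {LIVE}",
    "......................... DC1 failed test KnowsOfRoleHolders",
])

ROLE_RE = re.compile(r"^Role (.+?) Owner = (.*)$")
DEL_RE = re.compile(r"DEL:([0-9a-fA-F-]{36})")        # marker of a deleted NTDS Settings object
SERVER_RE = re.compile(r",CN=([^,]+),CN=Servers,")    # DC name sits just above CN=Servers

def parse_role_holders(text):
    """Map each role to its holder's server name and deleted state."""
    dns, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = ROLE_RE.match(line)
        if m:
            current = m.group(1)
            dns[current] = m.group(2)
        elif not line or line.startswith(("Warning:", "Starting test:", ".")):
            current = None                  # the role's DN has ended
        elif current:
            dns[current] += " " + line      # wrapped continuation of the DN
    holders = {}
    for role, dn in dns.items():
        deleted, server = DEL_RE.search(dn), SERVER_RE.search(dn)
        holders[role] = {"server": server.group(1) if server else None,
                         "deleted": deleted is not None,
                         "guid": deleted.group(1) if deleted else None}
    return holders

def orphaned_roles(text):
    """Roles whose recorded holder is a deleted object: candidates for seizure."""
    return sorted(r for r, h in parse_role_holders(text).items() if h["deleted"])

if __name__ == "__main__":
    print("Roles held by a deleted domain controller:", orphaned_roles(SAMPLE))
```

For the sample, the roles reported are Schema and Domain, the two roles the RESOLUTION section names as broken.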

RESOLUTION

To resolve this issue:
  1. Try to transfer the operations master role. For additional information about how to transfer the operations master role, click the article number below to view the article in the Microsoft Knowledge Base:

    255690 How to View and Transfer FSMO Roles in the GUI

    NOTE: You may have to introduce a new domain controller to perform this step successfully. Proceed to step 2 if you cannot transfer the operations master role.
  2. Seize the damaged operations master roles from the broken domain controller, and then transfer them to another domain controller. In this example, the broken roles are Schema Master and Domain Naming Master. For additional information about how to transfer the role to another domain controller, click the article number below to view the article in the Microsoft Knowledge Base:

    255504 Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Server

  3. Run Dcpromo.exe to remove the domain controller responsibilities from the broken domain controller. When you do so, you force this computer account to be reconfigured.

Modification Type: Minor
Last Reviewed: 4/25/2005
Keywords:kberrmsg kbprb KB319944