"You do not have the rights required to upgrade the Active Directory Schema" error message when you install the Active Directory Connector on a Windows 2000-based computer (887407)



The information in this article applies to:

  • Microsoft Exchange 2000 Server
  • Microsoft Exchange 2000 Enterprise Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

SUMMARY

You may receive the error message "You do not have the rights required to upgrade the Active Directory Schema" from the Active Directory Connector (ADC) Setup program. This article describes several conditions that could cause this error message to occur. Additionally, this article describes how to resolve each condition.

SYMPTOMS

When you try to install the Active Directory Connector (ADC), you may receive the following error message:
You do not have the rights required to upgrade the Active Directory Schema.
ID no: c1037aea
Microsoft Active Directory Connector Setup
Note You receive this message even though the user account that you are using is a member of the following groups:
  • Enterprise Administrator
  • Domain Administrator
  • Schema Administrator
Additionally, the Active Directory Connector Setup.log file may include the following entries:
[Time] ScRunLDIFScript (K:\admin\src\libs\exsetup\exmisc.cxx:1267)
Error code 0XC007200E (8206): The directory service is busy.
[Time] ScImportActiveDSSchemaChanges (K:\admin\src\libs\exsetup\exmisc.cxx:1366)
Error code 0XC007200E (8206): The directory service is busy.
[Time] DSCallHelper::FRetry (K:\admin\src\libs\base\ds_call.cxx:51)
Error code 0XC007200E (8206): The directory service is busy.
[Time] ScCanUserUpgradeSchema (K:\admin\src\libs\exsetup\exmisc.cxx:1593)
Error code 0XC1034A2A (18986): Failed to contact Windows Domain Controller.
[Time] CEdsContext::ScInit (K:\admin\src\edss\edssetup\edssetup.cxx:572)
Error code 0XC1037AEA (31466): You do not have the rights required to upgrade the Active Directory Schema.
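
The following Python script is an added example, not part of the original article or of the Setup program. It parses Setup.log entries in the layout shown above and reports whether the "rights" error at the end of the chain follows an earlier, different failure, which is the case to rule out before changing any group membership. It assumes the codes follow the HRESULT layout (facility in bits 16-26, facility 7 for wrapped Win32 errors) and that the first logged entry is the originating error; the function and field names are hypothetical.

```python
import re

# Constructed sample in the layout of the Setup.log excerpt above
# ("[Time]" is the article's own placeholder for the timestamp).
SAMPLE_LOG = r"""
[Time] ScRunLDIFScript
(K:\admin\src\libs\exsetup\exmisc.cxx:1267)
Error code 0XC007200E (8206): The directory service is busy.
[Time] ScCanUserUpgradeSchema (K:\admin\src\libs\exsetup\exmisc.cxx:1593)
Error code 0XC1034A2A (18986): Failed to contact Windows Domain Controller.
[Time] CEdsContext::ScInit
(K:\admin\src\edss\edssetup\edssetup.cxx:572)
Error code 0XC1037AEA (31466): You do not have the rights required to upgrade the Active Directory Schema.
"""

# The source location may sit on the same line as the function or on the next.
ENTRY = re.compile(
    r"\[[^\]]*\]\s*(?P<func>[\w:]+)\s*\((?P<src>[^()]*?):(?P<line>\d+)\)\s*"
    r"Error code 0[xX](?P<code>[0-9A-Fa-f]{8}) \((?P<dec>\d+)\): (?P<msg>[^\r\n]*)")

FACILITY_WIN32 = 7          # facility value for wrapped Win32 errors (assumed layout)
RIGHTS_ERROR = 0xC1037AEA   # the code shown in the Setup error message

def parse_entries(text):
    """Return one dict per logged error, in file order."""
    out = []
    for m in ENTRY.finditer(text):
        code = int(m["code"], 16)
        out.append({"func": m["func"], "line": int(m["line"]), "code": code,
                    "facility": (code >> 16) & 0x7FF,   # bits 16-26
                    "low16": code & 0xFFFF,             # value logged in (...)
                    "consistent": (code & 0xFFFF) == int(m["dec"]),
                    "message": m["msg"].strip()})
    return out

def summarize(entries):
    """Report whether the rights error is masking an earlier failure.
    Assumption: the first entry in the file is the originating error."""
    if not entries or entries[-1]["code"] != RIGHTS_ERROR:
        return None
    first = entries[0]
    win32 = first["low16"] if first["facility"] == FACILITY_WIN32 else None
    return {"masked": first["code"] != RIGHTS_ERROR, "origin_func": first["func"],
            "origin_win32": win32, "origin_message": first["message"]}

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for e in parsed:
        print(f'{e["func"]:<24} 0x{e["code"]:08X} facility={e["facility"]:#x} {e["message"]}')
    print(summarize(parsed))
```
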

CAUSE

This problem may occur if one of the following conditions is true.

Condition 1

The user account that you are using does not have sufficient permissions to the Temp folder, or the system variable for the Temp folder is not configured correctly.

Condition 2

The "Schema may be modified on this Domain Controller" check box is not selected on the domain controller where you are trying to update the schema.

Condition 3

A domain controller was not correctly removed from the Active Directory directory service forest.

Condition 4

The following conditions are true:
  • The following update is installed on the Microsoft Windows 2000 Server-based computer where you are trying to run the ADC Setup program:

    311401 Windows 2000 Security Rollup Package 1, January 2002

  • You are trying to install the ADC from a domain that has only one domain controller, and the domain previously had two or more domain controllers.

    Note After Windows 2000 Security Rollup Package 1 is installed, the schema master must synchronize with another domain controller in the local domain. This must occur before the schema master role can become active.

RESOLUTION

Resolution for condition 1

To resolve this issue, verify the permissions and the path for the Temp directory. To do this, follow these steps:
  1. Click Start, point to Settings, and then click Control Panel.
  2. Double-click System, click the Advanced tab, and then click Environment Variables.
  3. In the Environment Variables dialog box, locate the TEMP variable in the System variables list.

    The Value column for the TEMP variable contains a path that is similar to C:\WINNT\Temp.

    Important The folder path must not be similar to %USERPROFILE%\Local Settings\Temp. If your folder path is similar to %USERPROFILE%\Local Settings\Temp, follow these steps:
    1. Verify that you are looking at the System variables list and not the User variables for account name list.

      In this step, account name is the name of the user account that you are using.
    2. If the TEMP variable in the System variables list is set incorrectly, click TEMP, click Edit, type drive:\system root\temp, and then click OK.

      In this step, drive is the hard disk drive, and system root is the folder where Windows 2000 is installed.
  4. Click Start, click Run, type explorer, and then click OK.
  5. Right-click the Temp folder, click Properties, and then click the Security tab.
  6. Click Administrators, and then verify that all the check boxes are selected in the Allow column.

    If one or more check boxes are not selected in the Allow column, click to select the Full Control check box, and then click OK three times.
  7. Run the ADC Setup program.

Resolution for condition 2

To resolve this issue, click to select the "Schema may be modified on this Domain Controller" check box on the domain controller where you are trying to update the schema. To do this, follow these steps:
  1. Click Start, click Run, type regsvr32 schmmgmt.dll, and then click OK.
  2. Click OK when you receive the following message: DllRegisterServer in schmmgmt.dll succeeded
  3. Click Start, click Run, type mmc, and then click OK.
  4. On the Console menu, click Add/Remove Snap-in, and then click Add.
  5. Click Active Directory Schema, click Add, and then click Close.
  6. Click OK to add the snap-in.
  7. Right-click the Active Directory Schema node, and then click Operations Master.
  8. In the Change Schema Master dialog box, click to select the "Schema may be modified on this Domain Controller" check box.
  9. Click OK, and then exit the Active Directory Schema snap-in.
  10. Run the ADC Setup program.

Resolution for condition 3

To resolve this issue, use the Ntdsutil.exe tool to clean up the metadata on the domain controller that you recently demoted. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

216498 How to remove data in Active Directory after an unsuccessful domain controller demotion

After you clean up the metadata, run the ADC Setup program.

Resolution for condition 4

To resolve this issue, use one of the following methods.

Method 1: Add an additional domain controller to your domain for the schema master to synchronize with

To do this, follow these steps:
  1. Install another domain controller in the domain.

    For more information about how to install a domain controller, see the "Install a domain controller" topic in Windows 2000 Help.
  2. Let Active Directory replication occur.
  3. Run the ADC Setup program.

Method 2: Use the Repadmin.exe tool to remove all the replica links to the domain controllers that were demoted

To do this, follow these steps.
Note Repadmin.exe is included with the Windows 2000 Support Tools. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

301423 How to install the Windows 2000 Support Tools to a Windows 2000 Server-based computer

  1. Click Start, click Run, type cmd, and then click OK.
  2. Obtain the GUID Domain Name System (DNS) name for all the replication partners that were removed from the domain.

    To do this, type the following at the command prompt, and then press ENTER:

    repadmin /showreps /v

    Note The GUID DNS name is similar to the following:

    3ba0ba2e-2411-44ea-a7e4-13f57a290655._msdcs.domain_name.tld

    In this step, domain_name is the name of your domain, and tld is the top-level domain name of your domain.
  3. Type the following, and then press ENTER:

    repadmin /delete cn=schema,cn=configuration,dc=domain_name,dc=tld existing_domain_controller_name GUID_DNS_name.domain_name.tld /localonly

    In this line, existing_domain_controller_name is the current name of your domain controller, and GUID_DNS_name is the GUID DNS name of the replication partners that were displayed in step 2.

    You receive a confirmation message that is similar to the following: Replication link from source: 3ba0ba2e-2411-44ea-a7e4-13f57a290655._msdcs.domain_name.tld to dest:server_name deleted.
  4. Run the ADC Setup program.
For additional information about the Repadmin.exe tool, click the following article number to view the article in the Microsoft Knowledge Base:

229896 Using Repadmin.exe to troubleshoot Active Directory replication

MORE INFORMATION

If none of the methods that are described in the "Resolution" section resolve this issue, you can try one of the following methods.

Important Before you follow any one of these procedures, we recommend that you back up your Active Directory database.
  • Transfer the schema master role to another domain controller. Then, run the ADC Setup program.
  • Transfer the schema master role to another domain controller. Next, transfer the schema master role back to the original domain controller. Then, run the ADC Setup program.
  • Run the ADC Setup program on a different domain controller that does not have the schema master role.
For additional information about how to view and how to transfer the schema master role, click the following article number to view the article in the Microsoft Knowledge Base:

255690 How to view and transfer FSMO roles in the graphical user interface


Modification Type: Major
Last Reviewed: 12/2/2004
Keywords: kbtshoot kbprb KB887407