Incorrect Schema extension for OS X prevents ForestPrep from completing in Windows 2000 (887426)

The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server

SUMMARY

Some administrators who implemented Active Directory schema extensions for Mac OS X may have unintentionally used an object identifier that is already registered to another attribute. This causes ForestPrep to fail when you try to upgrade to Windows Server 2003. This article describes the steps that you must follow to resolve this issue.

SYMPTOMS

If you run the Adprep /Forestprep command on your Microsoft Windows 2000-based domain controller to prepare for an upgrade to Microsoft Windows Server 2003, the operation is not completed successfully. Additionally, the following information may be logged in the Schupgr.log and Ldif.log files:
  • Schupgr.log:
    MBI-03 -c DC=X DC=mbi,DC=ufl,DC=edu
    ERROR: Import from file C:\WINNT\system32\sch18.ldf failed. Error file is saved in
    ldif.err.18.
  • Ldif.log:
    20: CN=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=mbi,DC=ufl,DC=edu
    Entry DN: CN=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=mbi,DC=ufl,DC=edu
    Add error on line 275: Unwilling To Perform

CAUSE

This issue occurs because a registered object identifier (OID) was used when an Active Directory Schema extension attribute was created. This may have occurred in the past, and symptoms may not occur until the upgrade is performed.

This issue has been reported with the implementation of Active Directory schema extensions for Mac OS X. Users copied a reserved object identifier value from a picture in technical documentation that was obtained from Apple Inc. Users who overlooked the text under the graphic, which instructed them to substitute a unique value for this object identifier, experience the issue that is described in this article.

RESOLUTION

To resolve this issue, use the procedures that are described in this section. The procedure includes removing references to the UniqueID schema attribute, upgrading the domain controllers to Windows Server 2003, and making the conflicting schema attribute defunct.

Part 1: Preparation

The Apple instructions direct the reader to add UniqueID to the OrganizationalPerson class as an optional attribute. If UniqueID was subsequently removed from the OrganizationalPerson class, you have to add it again so that the attribute can be removed from all user objects. If you omit these steps, you may receive the following error message when you open Active Directory tools such as the Active Directory Users and Computers snap-in or the Active Directory Service Interfaces (ADSI) Edit utility:
Naming information could not be located. Unspecified error
  1. Add the UniqueID attribute back into OrganizationalPerson class as an optional attribute. This lets you see the populated attribute on the user object where this attribute had been added.
    1. Click Start, click Run, type mmc, and then click OK.
    2. On the Console menu, click Add/Remove Snap-in, click Add, and then click Active Directory Schema.

      Note If the Active Directory Schema snap-in does not appear in the list, you must first register the Schmmgmt.dll file. To do this, click Start, click Run, type regsvr32 schmmgmt.dll, and then click OK.
    3. Click Add, click Close, and then click OK.
    4. Expand Active Directory Schema, expand Classes, right-click OrganizationalPerson, and then click Properties.
    5. On the Attributes tab, click Add next to Optional.
    6. In the Select a schema object box, click UniqueID, and then click OK.
  2. Use Adsiedit to clear the UniqueID attribute for all users who have the UniqueID attribute.

    Note To find users who have the UniqueID attribute, run the following command to run an Ldifde search in each domain in the forest:

    ldifde -f DomainXUIDusers.txt -d DC=name of your domain,dc=com -r "(uniqueID=*)" -p subtree -l distinguishedName,uniqueID

    The Domainxuidusers.txt file that is produced contains the distinguished name for each user who has the UniqueID attribute.

    After you know which users have the UniqueID attribute, follow these steps to remove the attribute:
    1. Start the ADSI Edit snap-in. To do this, click Start, click Run, type adsiedit.msc, and then click OK.

      Note The ADSI Edit snap-in is included in the Windows 2000 Support Tools. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

      301423 How to install the Windows 2000 Support Tools to a Windows 2000 Server-based computer

    2. Expand Domain NC [Domain_Name], and then expand DC=Domain, DC=Name.
    3. Locate the first user who you identified by using the LDIFDE search.
    4. Right-click the user whose UniqueID attribute you want to clear, and then click Properties.
    5. In the Select which properties to view box, click Optional.
    6. In the Select a property to view box, click UniqueID. The user's UniqueID value appears in the Value(s) dialog box.
    7. Click Clear, and then click OK.
    Repeat steps 1 through 7 for each user who you identified by using the LDIFDE search. If there are many users, consider scripting the removal by using the output from the LDIFDE search. To use that output, modify the DomainXUIDusers.txt file as follows:
    1. Change the "changetype" attribute from "add" to "modify".
    2. Replace the "UniqueID" line with "delete: uniqueID".
    3. Repeat steps 1 and 2 for each user who you identified by using the LDIFDE search.
    4. Run the ldifde -i -f DomainXUIDusers.txt command.
    5. Repeat this process for each domain.
  3. Remove the UniqueID attribute from the OrganizationalPerson class optional attributes. To do this, follow these steps:
    1. Click Start, click Run, type mmc, and then click OK.
    2. On the Console menu, click Add/Remove Snap-in, click Add, and then click Active Directory Schema.

      Note If the Active Directory Schema snap-in does not appear in the list, you must first register the Schmmgmt.dll file. To do this, click Start, click Run, type regsvr32 schmmgmt.dll, and then click OK.
    3. Click Add, click Close, and then click OK.
    4. Expand Active Directory Schema, expand Classes, right-click OrganizationalPerson, and then click Properties.
    5. In the Optional box, click UniqueID, and then click Remove.
    6. Click OK.
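The following Python script is an added example and is not part of this Knowledge Base article or of any Microsoft tool. It automates two of the manual steps above on ldifde text: a pre-flight check for the condition behind the "Unwilling To Perform" error in the Symptoms section (an attribute that a schema import such as sch18.ldf would add under an object identifier that a differently named attribute already owns), and the edit of the DomainXUIDusers.txt export into "changetype: modify" / "delete: uniqueID" records that Part 1, step 2 describes. All sample entries are constructed; DC=example,DC=com stands in for your forest root.

```python
"""Offline helpers for the UniqueID / OID 2.5.4.45 clean-up (added example, not KB code).

find_attribute_id_collisions(): which attributes of a schema import reuse an OID
    that the current schema already assigns to a differently named attribute.
build_delete_ldif(): rewrite an ldifde export of users that carry uniqueID into
    modify records that delete it (ready for: ldifde -i -f DomainXUIDusers.txt).
Sample data below is constructed; DC=example,DC=com is a placeholder forest.
"""
import re


def parse_ldif(text):
    """Parse LDIF into a list of {lower-case attribute name: [values]} dicts."""
    entries, current = [], {}
    # LDIF folds long values onto following lines that start with one space
    for line in re.sub(r"\r?\n ", "", text).splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue  # comment, or a bare "-" modify separator
        current.setdefault(name.strip().lower(), []).append(value.lstrip(": ").strip())
    if current:
        entries.append(current)
    return entries


def _rdn_value(dn):
    """'CN=unixID,CN=Schema,...' -> 'unixID'"""
    return dn.split(",", 1)[0].partition("=")[2].strip()


def _is_attribute_schema(entry):
    return any(v.lower() == "attributeschema" for v in entry.get("objectclass", []))


def _object_name(entry):
    return entry.get("cn", [_rdn_value(entry["dn"][0])])[0]


def find_attribute_id_collisions(current_schema_ldif, import_ldif):
    """Return (attributeID, existing name, imported name) for every attribute the
    import would add under an OID that a differently named attribute already owns."""
    existing = {e["attributeid"][0]: _object_name(e)
                for e in parse_ldif(current_schema_ldif) if _is_attribute_schema(e)}
    collisions = []
    for e in parse_ldif(import_ldif):
        if not _is_attribute_schema(e):
            continue
        oid, name = e["attributeid"][0], _object_name(e)
        if oid in existing and existing[oid].lower() != name.lower():
            collisions.append((oid, existing[oid], name))
    return collisions


def build_delete_ldif(export_ldif, attribute="uniqueID"):
    """Turn 'changetype: add' export records into 'changetype: modify' records
    that delete `attribute` from every object that carries it."""
    records = [f"dn: {e['dn'][0]}\nchangetype: modify\ndelete: {attribute}\n-\n"
               for e in parse_ldif(export_ldif) if attribute.lower() in e]
    return "\n".join(records)


# Constructed: output of ldifde -r "(uniqueID=*)" -l distinguishedName,uniqueID
USERS_EXPORT = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=com
changetype: add
distinguishedName: CN=Alice Example,CN=Users,DC=example,DC=com
uniqueID: 1001

dn: CN=Bob Example,CN=Users,DC=example,DC=com
changetype: add
distinguishedName: CN=Bob Example,CN=Users,DC=example,DC=com
uniqueID: 1002
"""

# Constructed schema export: the Apple attribute took OID 2.5.4.45
CURRENT_SCHEMA = """\
dn: CN=unixID,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
cn: unixID
lDAPDisplayName: UniqueID
attributeID: 2.5.4.45

dn: CN=Description,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
cn: Description
attributeID: 2.5.4.13
"""

# Shortened form of the x500uniqueIdentifier definition the upgrade imports
SCH18_FRAGMENT = """\
dn: CN=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: x500uniqueIdentifier
adminDescription: Used to distinguish between objects when a distinguished name
  has been reused.
attributeId: 2.5.4.45
"""

if __name__ == "__main__":
    for oid, old, new in find_attribute_id_collisions(CURRENT_SCHEMA, SCH18_FRAGMENT):
        print(f"OID {oid} is already used by {old}; importing {new} will fail")
    print(build_delete_ldif(USERS_EXPORT))
```

Run the collision check against an export of CN=Schema,CN=Configuration taken with ldifde and the .ldf file that the upgrade will import; an empty result means the import will not hit the duplicate object identifier. The delete-record generator only emits records for entries that actually carry the attribute, so a user whose value has already been cleared produces nothing.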

Part 2: Locate and remove all references to UniqueID

The instructions in the Apple document that may have led to this issue direct the reader to add UniqueID only to the OrganizationalPerson class. If you know that the attribute was not added to any other classes, you can skip this part and continue to Part 3. Perform this procedure if you do not know which classes have the UniqueID attribute added as an optional attribute.

Note If the UniqueID object is referenced by another object, you may receive the following error message when you try to make the UniqueID object defunct:
Cannot make this schema object defunct. The schema object may be in use as the definition of another schema object.
  1. Determine which ObjectClasses contain the UniqueID attribute. The Out.txt file lists the distinguishedName of the classes that use UniqueID after you follow these steps:
    1. Click Start, click Run, type cmd, and then click OK.
    2. At the command prompt, type the following command, and then press ENTER:

    ldifde -f out.txt -d CN=Schema,CN=configuration,DC=forestroot,DC=com -r "(|(mayContain=UniqueID)(systemMayContain=UniqueID))" -p subtree -l distinguishedName

      Note "Or" is symbolized by the pipe character "|".
    3. View the Out.txt file to see which classes contain the UniqueID attribute.
  2. Remove the UniqueID attribute from the ObjectClasses that are listed in the Out.txt file. To do this:
    1. Click Start, click Run, type mmc, and then click OK.
    2. On the Console menu, click Add/Remove Snap-in, click Add, and then click Active Directory Schema.

      Note If the Active Directory Schema snap-in does not appear in the list, you must first register the Schmmgmt.dll file. To do this, click Start, click Run, type regsvr32 schmmgmt.dll, and then click OK.
    3. Click Add, click Close, and then click OK.
    4. Expand Active Directory Schema, expand Classes, right-click the ObjectClass that you noted in step 1, and then click Properties.
    5. In the Optional box, click UniqueID, and then click Remove.
    6. Repeat steps 4 and 5 for each ObjectClass that you noted in step 1.

Part 3: Rename the Apple attribute

Rename the lDAPDisplayName and distinguishedName of the UniqueID attribute so that they match the names in the Windows Server 2003 schema. To do this, follow these steps:
  1. Modify the lDAPDisplayName and distinguishedName of the existing Apple attribute so that they match x500uniqueIdentifier. To do this, follow these steps:
    1. Click Start, click Run, type cmd, and then click OK.
    2. At the command prompt, type ldifde -i -f rename.txt -v -c DC=X dc=forest,dc=root, and then press ENTER. The rename.txt script is listed in Part 4.

      Note If you experience difficulty after you run this command, you can undo it by running ldifde -i -f rename_undo.txt -v -c DC=X dc=forest,dc=root with the undo script that is listed in Part 4.
  2. Make sure that the schema has replicated to another domain controller.

Part 4: Rename the x500uniqueIdentifier attribute

Use the following script (rename.txt, which Part 3 imports) to rename the Apple attribute so that it becomes x500uniqueIdentifier:
# Script to recover from Apple's use of W2K3 object identifier 2.5.4.45
#
# Run this script on the Windows 2000 Schema FSMO
# SYNTAX C:> ldifde -i -f rename.txt -v -c DC=X dc=forest,dc=root
# Note: replace dc=forest,dc=root with the forest root for your enterprise

dn: CN=unixID,CN=Schema,CN=Configuration,DC=X
changetype: Modify
replace: lDAPDisplayName
lDAPDisplayName: x500uniqueIdentifier
-

dn: CN=unixID,CN=Schema,CN=Configuration,DC=X
changetype: modrdn
newrdn: cn=x500uniqueIdentifier
deleteoldrdn: 1

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Note If you experience issues after you run this script, you can undo the effects of the script by running the following undo script (rename_undo.txt):

# SYNTAX C:> ldifde -i -f rename_undo.txt -v -c DC=X dc=forest,dc=root
# Note: replace dc=forest,dc=root with the forest root for your enterprise


dn: cn=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=X
changetype: Modify
replace: lDAPDisplayName
lDAPDisplayName: UniqueID
-

dn: cn=x500uniqueIdentifier,cn=Schema,CN=Configuration,DC=X
changetype: modrdn
newrdn: cn=unixID
deleteoldrdn: 1

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

Part 5: Run Forest Prep and upgrade the domain controllers.

  • Run Adprep /forestprep and Domainprep.
  • Upgrade all Windows 2000 Domain Controllers in the forest to Windows Server 2003. For detailed instructions, see the References section.
  • Raise the domain and forest functional levels (behavior versions) to Windows Server 2003:
    1. In Active Directory Users and Computers, right-click your domain name, click Raise Domain Functional Level, and then click Windows Server 2003.
    2. In Active Directory Domains and Trusts, right-click the Active Directory Domains and Trusts top-level node, click Raise Forest Functional Level, and then click Windows Server 2003.

Part 6: Defunct the Apple attribute and replace it with the Windows Server 2003 x500uniqueIdentifier.

The forest must already be at the Windows Server 2003 forest functional level (Part 5), because only at that level can the object identifier of a defunct schema attribute be reused by the new x500uniqueIdentifier definition. To defunct the Apple attribute:
  1. Click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type the following command, and then press ENTER: ldifde -i -f x500uniqueID.txt -v -c DC=X dc=forest,dc=root
Use the following script (x500uniqueID.txt) to replace the Apple attribute that uses object identifier 2.5.4.45 with the Windows Server 2003 x500uniqueIdentifier attribute:
# Script to Replace the Apple attribute using object identifier 2.5.4.45 with
# the Windows Server 2003 x500uniqueIdentifier attribute
#
# SYNTAX C:> ldifde -i -f x500uniqueID.txt -v -c DC=X dc=forest,dc=root
# Note: replace dc=forest,dc=root with the forest root for your enterprise

#Remove maycontain for object identifier 2.5.4.45

dn: CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: maycontain
MayContain: 2.5.4.45
-

dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: Modify
delete: MayContain
MayContain: 2.5.4.45
-

#defunct Existing Apple Schema object

dn: CN=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: isDefunct
isDefunct: TRUE
-

#Now Rename the Defunct Object

dn: CN=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=X
changetype: Modify
replace: lDAPDisplayName
lDAPDisplayName: OldunixIDWithDupOID
-

dn: CN=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=X
changetype: modrdn
newrdn: cn=OldunixIDWithDupOID
deleteoldrdn: 1
-
#Import Correct x500uniqueIdentifier from sch18.ldf

dn: CN=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: x500uniqueIdentifier
adminDisplayName: x500uniqueIdentifier
adminDescription: Used to distinguish between objects when a distinguished name has
  been reused.  This is a different attribute type from both the "uid" and
  "uniqueIdentifier" types.
attributeId: 2.5.4.45
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: H6F90D2KtkKwqnbJYr5xmg==
showInAdvancedViewOnly: FALSE
systemFlags: 0
-

#Add maycontain back in for 2.5.4.45

dn: CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: maycontain
MayContain: 2.5.4.45
-

dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: Modify
add: MayContain
MayContain: 2.5.4.45
-

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

Part 7: Re-introducing the Apple schema modification

After you have resolved this issue and completed the upgrade, you can perform the Mac OS X schema modification again. Follow the instructions that are provided by Apple Inc. However, instead of using the object identifier that was displayed in the graphic in the original document, use an object identifier that is not registered. To obtain the document that describes how to perform this modification, visit the following Apple Web site: To obtain a list of registered object identifiers, visit the following Web site: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Note that using any registered object identifier could create the same problem that is described in this article.

MORE INFORMATION

Installing the Windows 2000 Administrative Tools

To install the complete set of Windows 2000 Administrative Tools, follow these steps:
  1. In Control Panel, double-click Add/Remove Programs.
  2. Click Windows 2000 Administrative Tools, and then click Change.
  3. Click Next, click Install All Administrative Tools, and then click Next.
  4. After the installation is completed, click Finish, and then click Close.

Starting the Active Directory Schema snap-in

The Active Directory Schema snap-in is a Microsoft Management Console (MMC) tool. Because schema management is rarely performed, there is no saved Schema console or Administrative Tool on the Administrative Tools menu. To manually load the Schema Manager into the MMC, perform the following procedure on the domain controller that contains the schema:
  1. Click Start, click Run, type mmc, and then click OK.
  2. On the Console menu, click Add/Remove Snap-in, click Add, and then click Active Directory Schema.
  3. Click Add, click Close, and then click OK.
  4. On the Console menu, click Save As, and then type a name for the saved console. For example, type Schema.msc.
  5. Click Save.

REFERENCES

For additional information about LDIFDE, click the following article number to view the article in the Microsoft Knowledge Base:

237677 Using LDIFDE to import and export directory objects to Active Directory

For additional information about how to upgrade to Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

325379 How to upgrade Windows 2000 domain controllers to Windows Server 2003


Modification Type: Major
Last Reviewed: 2/28/2006
Keywords:kbtshoot kbprb KB887426 kbAudITPRO