Unable to Modify the Active Directory Schema

Unable to modify the Schema

What to check for:

Events of the following type can be ignored:

Event Type : Error
Event Source : NTDS General
Event Category: Internal Processing
Event ID : 1153
Date: MM/DD/YYYY
Time: HH:MM:SS AM|PM
User : Everyone
Computer : <some DC>
Description: Class identifier 655562 (class name msWMI-MergeablePolicyTemplate) has an invalid superclass 655560. Inheritance ignored.

· This behavior occurs because the schema is imported in an order other than superclass inheritance. When a class is imported, superclass attributes point to other classes. Because these may not have been imported yet, you see these errors in the application event log.

· Is the user account being used to run Adprep a member of the necessary groups?

· Permissions required:

For a forest upgrade, the user must be a member of all 3: Enterprise Admins, Schema Admins, and Domain Admins (for the current domain).

For a domain upgrade, the user must be a member of at least Domain Admins for the targeted domain.

· Error Messages:


Error if the user is only a member of schema admins:


Adprep was unable to check the current user’s group membership.

[Status/Consequence]

Adprep has stopped without making changes.

[User Action]

Verify the current logged on user is a member of Domain Admins group, Enterprise Admins group and Schema Admins group if /forestprep is specified, or is a member of Domain Admins group if /domainprep is specified.


Adprep encountered a Win32 error.

Error code: 0x5 Error message: Access is denied..

Error if the user is only a member of Domain Admins:

Adprep detected that the logon user is not a member of the following groups: Enterprise Admins Group and Schema Admins Group.

[Status/Consequence]

Adprep has stopped without making changes.

[User Action]

Verify the current logged on user is a member of Enterprise Admins group, Schema Admins group and toll.com\Domain Admins group.

Error if the user is only a member of Enterprise Admins:

Adprep detected that the logon user is not a member of the following groups: Schema Admins Group and toll.com\Domain Admins Group.

[Status/Consequence]

Adprep has stopped without making changes.

[User Action]

Verify the current logged on user is a member of Enterprise Admins group, Schema Admins group and toll.com\Domain Admins group.

· How to quickly confirm whether the user is a member of the required groups:

1. Enter the following command at a command prompt to display specific attributes for the user account being used to run Adprep.


Net User <username> /domain

NOTE: Type the /domain switch literally. Do not replace the word “domain” with the actual domain name.

2. Locate the “Global Group memberships” information and confirm Schema Admins, Enterprise Admins and Domain Admins are listed. Below is an example of the expected output:

C:\>net user administrator /domain
User name                    Administrator
Full Name
Comment                      Built-in account for administering the computer/domain
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            11/26/2003 1:22 PM
Password expires             Never
Password changeable          11/26/2003 1:22 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   4/20/2004 1:15 PM

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *Schema Admins        *Enterprise Admins
                             *Group Policy Creator *Domain Users
                             *Domain Admins
The command completed successfully.
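One way to script the check from steps 1 and 2, as an added example that is not part of the original page: a PowerShell function that parses net user /domain output, including group names that wrap onto continuation lines, and reports which groups required by Adprep are missing. The function name, its parameters and the sample output are constructed for illustration, and English-language net user output is assumed.

```powershell
# Added example (not from the original page). Function and parameter names are
# hypothetical; assumes English-language `net user` output.
function Get-MissingAdprepGroup {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $NetUserOutput,
        [ValidateSet('forestprep', 'domainprep')] [string] $Mode = 'forestprep'
    )

    # Group requirements as stated on this page.
    $required = if ($Mode -eq 'forestprep') {
        'Enterprise Admins', 'Schema Admins', 'Domain Admins'
    } else {
        'Domain Admins'
    }

    $groups = @()
    $inGlobal = $false
    foreach ($line in $NetUserOutput) {
        if ($line -match '^Global Group memberships') {
            $inGlobal = $true
        } elseif ($inGlobal -and $line -notmatch '^\s+\*') {
            $inGlobal = $false   # field ends at the first non-continuation line
        }
        if ($inGlobal) {
            # Names are prefixed with '*'; several can share one line.
            $groups += @($line -split '\*' | Select-Object -Skip 1 |
                ForEach-Object { $_.Trim() })
        }
    }
    # Return the required groups that are absent from the listing.
    $required | Where-Object { $_ -notin $groups }
}

# Constructed sample: an account that lacks Enterprise Admins.
$sample = @'
Local Group Memberships      *Administrators
Global Group memberships     *Domain Users         *Domain Admins
                             *Schema Admins
The command completed successfully.
'@ -split '\r?\n'

$missing = Get-MissingAdprepGroup -NetUserOutput $sample -Mode forestprep
if ($missing) {
    "Missing for /forestprep: $($missing -join ', ')"
} else {
    'All groups required for /forestprep are listed.'
}
# Live account: Get-MissingAdprepGroup -NetUserOutput (net user <username> /domain)
```

A membership added after the user logged on is not in the current logon token until the user logs off and on again, so run Adprep from a fresh session after changing group membership.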


· Related KBs:

293783 Cannot Upgrade Windows 2000 Server to Windows Server 2003 with Windows

http://support.microsoft.com/?id=293783

314649 Windows Server 2003 adprep /forestprep Command Causes Mangled Attributes

http://support.microsoft.com/?id=314649

