Microsoft KB Archive/319944

= XADM: "You Do Not Have Permission to Update the Active Directory Schema" Error Message Occurs When You Run Setup =

Article ID: 319944

Article Last Modified on 2/27/2007


APPLIES TO


 * Microsoft Exchange 2000 Server Standard Edition




This article was previously published under Q319944



SYMPTOMS
When you try to run any Exchange 2000 Setup process (for example, if you run setup.exe or update.exe with the /forestprep switch or the /domainprep switch, or if you use the reinstall option or any other option), Setup may not complete successfully and you may receive the following error message:

The component "Microsoft Exchange Forest Preparation" cannot be assigned the action "Upgrade" because:

- Either you do not have permission to update the Active Directory schema or Active Directory service is currently too busy.

Additionally, the following data may be logged in the Exchange Server Setup Progress.log file:

[08:01:10] Entering ScGetSchemaVersion

[08:01:10] About to create the dob for object

/dc=com/dc=domain/cn=Configuration/cn=Schema/cn=ms-Exch-Schema-Version-Pt

[08:01:10] Leaving ScGetSchemaVersion

[08:01:11] ScRunLDIFScript (K:\admin\src\libs\exsetup\exmisc.cxx:1267)

Error code 0XC1037AE6 (31462): Extending the schema in the Active Directory failed. Please consult the following error log: %s\LDIF.ERR.

[08:01:11] ScImportActiveDSSchemaChanges

(K:\admin\src\libs\exsetup\exmisc.cxx:1366)

Error code 0XC1037AE6 (31462): Extending the schema in the Active Directory failed. Please consult the following error log: %s\LDIF.ERR.

[08:01:11] ScCanUserUpgradeSchema

(K:\admin\src\libs\exsetup\exmisc.cxx:1593)

Error code 0XC1037AE6 (31462): Extending the schema in the Active Directory failed. Please consult the following error log: %s\LDIF.ERR.

[08:01:11] Entering ScHavePermissionToCreateDSObject

[08:01:11] Leaving ScHavePermissionToCreateDSObject

[08:01:11] Entering ScFindHomeADCForCA

[08:01:11] The version read for this ADC is (16908292)

[08:01:11] Leaving ScFindHomeADCForCA

[08:01:11] Prerequisites for Microsoft Exchange Forest Preparation failed:

The component "Microsoft Exchange Forest Preparation" cannot be assigned the action "Upgrade" because:

- Either you do not have permission to update the Active Directory schema or Active Directory service is currently too busy.

[08:01:11] Entering CCompDomainPrep::ScGetEffectiveMode

[08:01:11] Leaving CCompDomainPrep::ScGetEffectiveMode

[08:01:11] Prerequisites for Microsoft Exchange Domain Preparation failed:

The component "Microsoft Exchange Forest Preparation" cannot be assigned the action "Upgrade" because:

- Either you do not have permission to update the Active Directory schema or Active Directory service is currently too busy.

The Ldif.err file that is mentioned in this log entry may contain the following data:

Entry DN: CN=Mail-Recipient,CN=Schema,CN=Configuration,DC=domain,DC=com

change: modify

Attribute 0) mayContain:assistant

Add error on line 1: Referral

The server side error is "A referral was returned from the server."

An error has occurred in the program

NOTE: The output from the log file may vary slightly depending on the action that Setup is running (for example, /forestprep, /domainprep, or other actions).



CAUSE
This issue may occur if Setup cannot contact the Schema Master or the other operations master role holders. To confirm that this is the cause of this issue, verify that the operations master role holders are well known to the domain and that the server that is assigned this role exists and is accessible. To do so, use the Dcdiag tool. For example, if you run the dcdiag /test:knowsofroleholders /v command, you receive the following output:

Starting test: KnowsOfRoleHolders

Role Schema Owner = CN="NTDS Settings

DEL:388498d1-b96f-4df5-a81a-f21749bd168a",CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com

Warning: CN="NTDS Settings

DEL:388498d1-b96f-4df5-a81a-f21749bd168a",CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com is the Schema Owner, but is deleted.

Role Domain Owner = CN="NTDS Settings

DEL:388498d1-b96f-4df5-a81a-f21749bd168a",CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com

Warning: CN="NTDS Settings

DEL:388498d1-b96f-4df5-a81a-f21749bd168a",CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com is the Domain Owner, but is deleted.

Role PDC Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com

Role Rid Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com

Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com

......................... DC1 failed test KnowsOfRoleHolders

NOTE: This output may vary if a different operations master role is not functioning as expected.
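The following is an added example, not part of the original article or any Microsoft tool: a small Python parser that reads saved dcdiag /test:knowsofroleholders /v output and lists the operations master roles whose owner is a deleted NTDS Settings object (the "DEL:" marker shown above). The function names and the sample text, which is constructed from the output quoted in this article, are assumptions.

```python
import re

ROLE_RE = re.compile(r'^\s*Role (.+?) Owner = (.*)$')
STOP_RE = re.compile(r'^\s*(Warning:|Starting test:|\.{5,})')
# A deleted object's RDN carries "DEL:<object GUID>" after an embedded newline.
DEL_RE = re.compile(r'DEL:[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}')
SERVER_RE = re.compile(r',CN=([^,]+),CN=Servers,')
# dcdiag role labels mapped to the usual operations master role names.
FSMO = {"Schema": "Schema Master", "Domain": "Domain Naming Master",
        "PDC": "PDC Emulator", "Rid": "RID Master",
        "Infrastructure Update": "Infrastructure Master"}

def parse_role_holders(text):
    """Return one dict per 'Role ... Owner' entry, rejoining wrapped DNs."""
    roles, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue                      # tolerate blank lines inside a wrapped DN
        m = ROLE_RE.match(line)
        if m:
            current = {"role": m.group(1), "dn": m.group(2).strip()}
            roles.append(current)
        elif STOP_RE.match(line):
            current = None                # warning text is not part of the DN
        elif current is not None:
            current["dn"] += "\n" + line.strip()
    for r in roles:
        srv = SERVER_RE.search(r["dn"])
        r["deleted"] = DEL_RE.search(r["dn"]) is not None
        r["server"] = srv.group(1) if srv else None
    return roles

def deleted_role_holders(text):
    """(role name, last known server) for every role held by a deleted object."""
    return [(FSMO.get(r["role"], r["role"]), r["server"])
            for r in parse_role_holders(text) if r["deleted"]]

# Constructed sample, shaped like the dcdiag output quoted in this article.
_SITE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com"
_DEAD = 'CN="NTDS Settings\nDEL:388498d1-b96f-4df5-a81a-f21749bd168a",CN=DC1,' + _SITE
_LIVE = "CN=NTDS Settings,CN=DC2," + _SITE
SAMPLE = "\n".join([
    "Starting test: KnowsOfRoleHolders",
    "Role Schema Owner = " + _DEAD,
    "Warning: " + _DEAD + " is the Schema Owner, but is deleted.",
    "Role Domain Owner = " + _DEAD,
    "Warning: " + _DEAD + " is the Domain Owner, but is deleted.",
    "Role PDC Owner = " + _LIVE, "Role Rid Owner = " + _LIVE,
    "Role Infrastructure Update Owner = " + _LIVE,
    "......................... DC1 failed test KnowsOfRoleHolders"])

if __name__ == "__main__":
    for role, server in deleted_role_holders(SAMPLE):
        print(f"{role}: owner on {server} is deleted")
```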



RESOLUTION
To resolve this issue:

 1. Try to transfer the operations master role. For additional information about how to transfer the operations master role, click the article number below to view the article in the Microsoft Knowledge Base:

 255690 How to View and Transfer FSMO Roles in the GUI

 NOTE: You may have to introduce a new domain controller to perform this step successfully. Proceed to step 2 if you cannot transfer the operations master role.

 2. Seize the damaged operations master roles from the broken domain controller, and then transfer them to another domain controller. In this example, the broken roles are Schema Master and Domain Naming Master. For additional information about how to transfer the role to another domain controller, click the article number below to view the article in the Microsoft Knowledge Base:

 255504 Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Server

 3. Run Dcpromo.exe to remove the domain controller responsibilities from the broken domain controller. When you do so, you force this computer account to be reconfigured.


© Microsoft Corporation. All rights reserved.