Microsoft KB Archive/314649

= Windows Server 2003 adprep /forestprep command causes mangled attributes in Windows 2000 forests that contain Exchange 2000 servers =

Article ID: 314649

Article Last Modified on 3/2/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Exchange 2000 Server Standard Edition

-



This article was previously published under Q314649





SUMMARY
The Microsoft Exchange 2000 schema defines three non-Request for Comments (RFC)-compliant attributes: houseIdentifier, Secretary, and labeledURI. The Microsoft Windows 2000 InetOrgPerson Kit redefines the Secretary attribute and the labeledURI attribute. The adprep /forestprep command in Microsoft Windows Server 2003 has redefined all three attributes as described in Request for Comments (RFC) 2798.

If Exchange 2000 created these three attributes before you ran the Windows 2000 InetOrgPerson Kit, the LdapDisplayName attribute for the houseIdentifier attribute becomes conflicted or &quot;mangled&quot; after the new RFC-compliant definitions are added by Windows Server 2003 adprep /forestprep replication. If Exchange 2000 created these three attributes before you ran the Windows Server 2003 adprep /forestprep command, all three attributes become mangled. These conflicts do not occur if the Windows Server 2003 adprep /forestprep command creates these attributes before you install Exchange 2000.



MORE INFORMATION
When the Windows Server 2003 adprep /forestprep command adds its InetOrgPerson attributes in a Windows 2000 forest that contains the Exchange 2000 schema, its definitions of the Secretary, the houseIdentifier, and the labeledURI attributes conflict with the Exchange 2000 definitions of these attributes. On the domain controller that receives the Windows Server 2003 schema updates, the LdapDisplayName attributes for the Exchange 2000 definitions of these attributes are modified to prevent a conflict. When the Microsoft Active Directory directory service detects a duplicate name, it modifies the name of one of the objects by adding &quot;Dup&quot; and some unique characters to the beginning of the name. This behavior is known as &quot;object mangling.&quot;

The Exchange Server 2003 setup /forestprep command also adds its InetOrgPerson attributes, and may cause object mangling.

Active Directory forests are not vulnerable to this mangled display name problem if you use the Windows Server 2003 adprep /forestprep command to create the initial definition of the Secretary, the labeledURI, and the houseIdentifier attributes. Specifically, mangled LdapDisplayName attributes do not occur in the following scenarios:
 * You run the Windows Server 2003 adprep /forestprep command in a Windows 2000 forest before you install Exchange 2000.
 * You add Exchange 2000 to an existing Windows 2000 forest. You run the Inetorgpersonfix.ldf file before you run the Windows Server 2003 adprep /forestprep command.
 * You add Exchange 2000 to an existing Windows 2000 forest. You then run the Exchange Server 2003 setup /forestprep command before you run the Windows Server 2003 adprep /forestprep command.

Mangled attributes may occur in Windows 2000 and Windows Server 2003 forests if Exchange 2000 creates the initial definition of the Secretary, the houseIdentifier, and the labeledURI attributes in a Windows 2000 domain. This behavior may occur in the following scenarios:
 * You add the Exchange 2000 version of the InetOrgPerson class to a Windows 2000 forest before you add the InetOrgPerson class from the InetOrgPerson Kit.
 * You add the Exchange 2000 version of the InetOrgPerson class to a Windows 2000 forest before you run the Windows Server 2003 adprep /forestprep command.
 * You add the Windows 2000 InetOrgPerson Kit and then install the Exchange 2000 schema changes before you run the Windows Server 2003 adprep /forestprep command.
 * A Windows 2000 domain controller that contains the Exchange 2000 definition of InetOrgPerson does not receive updates to Active Directory after you run the Inetorgpersonfix.ldf file from the Windows Server 2003 installation media.

Scenario 1: Exchange 2000 schema changes are added after you run the adprep /forestprep command
If Exchange 2000 schema changes are introduced to your Windows 2000 forest after you run the adprep /forestprep command from Windows Server 2003, view the &quot;Overview: Upgrading Windows 2000 Domain Controllers to Windows Server2003&quot; section of the following Microsoft Knowledge Base article:

325379 How to upgrade Windows 2000 domain controllers to Windows Server 2003

Scenario 2: Exchange 2000 schema changes are installed before you run the Windows Server 2003 adprep /forestprep command
If Exchange 2000 schema changes have already been installed, but you have not run the adprep /forestprep command in Windows Server 2003, consider the following action plan:  Log on to the console of the schema operations master by using an account that is a member of the Schema Administrators group and of the Enterprise Administrators group. Enable Schema Updates on the schema master. For more information about how to permit updates to the Active Directory schema, click the following article number to view the article in the Microsoft Knowledge Base:

285172 Schema updates require write access to schema in Active Directory

 Mangled HouseIdentifier, Secretary, and LabeledURI attributes have LDAPDisplayName attributes that are similar to the following format:

lDAPDisplayName: DUP-labeledURI-9591bbd3-d2a6-4669-afda-48af7c35507d;

lDAPDisplayName: DUP-secretary-c5a1240d-70c0-455c-9906-a4070602f85f

lDAPDisplayName: DUP-houseIdentifier-354b0ca8-9b6c-4722-aae7-e66906cc9eef

If the LDAPDisplayName attributes for LabeledURI, Secretary and HouseIdentifier were mangled, run the Windows Server 2003 Inetorgpersonfix.ldf script to recover:  Create a folder named \iop. At a command prompt, type cd \iop, and then press ENTER. Extract the Inetorgpersonfix.ldf file from the Support.cab file that is located in the Support\Tools folder of the Windows Server 2003 installation media.</li> From the console of the schema operations master, load the Inetorgpersonfix.ldf file by using Ldifde.exe to correct the LdapDisplayName attribute of the houseIdentifier, the Secretary, and the labeledURI attributes. To do this, type the following command, where  is the domain name path for the root domain of the forest wrapped in quotation marks:

ldifde -i -f inetorgpersonfix.ldf -v -c DC=X &quot; &quot;

Note In this command, X is a case-sensitive constant. Enter it exactly as it appears here.</li></ol> </li> Verify that the LDAPDisplayName values for the CN=ms-Exch-Assistant-Name, the CN=ms-Exch-LabeledURI, and the CN=ms-Exch-House-Identifier attributes in the schema naming context now appear as msExchAssistantName, msExchLabeledURI, and msExchHouseIdentifier before you run the Windows Server 2003 adprep /forestprep command.

To verify that the LDAPDisplayName values are correct, you can use ADSI Edit. To do this, follow these steps.

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk. <ol style="list-style-type: lower-alpha;"> Click Start, point to Programs, point to Windows 2000/2003 Support Tools, and then click ADSI Edit.</li> Expand Schema [ ].</li> Expand Cn=Schema, CN=Configuration, CN= .</li> In the right pane, locate an attribute to verify.</li> Right-click the attribute, and then click Properties.</li> In the Select which properties to view list, click Both.</li> In the Select a property to view list, click LDAPDisplayName.</li> Verify that the LDAPDisplayName value is correct.</li> Repeat steps e through h for each attribute you want to verify.</li></ol> </li> Run the adprep /forestprep command and the /domainprep command.</li></ol>

For more information, view the &quot;Overview: Upgrading Windows 2000 Domain Controllers to Windows Server 2003&quot; section of the following Microsoft Knowledge Base article:

325379 How to upgrade Windows 2000 domain controllers to Windows Server 2003

Scenario 3: you did not run InetOrgPersonfix before you ran the Windows Server 2003 adprep /forestprep command
If you run the Windows Server 2003 adprep /forestprep command in a Windows 2000 forest that contains the Exchange 2000 schema changes, the LdapDisplayname attributes for houseIdentier, Secretary, and labeledURI become mangled. To identify mangled names, use Ldp.exe to locate the affected attributes: <ol> Install Ldp.exe from the Support\Tools folder of the Windows 2000 or the Windows Server 2003 media.</li> Start Ldp.exe from a domain controller or a member computer in the forest. <ol style="list-style-type: lower-alpha;"> On the Connection menu, click Connect, leave the Server box empty, type 389 in the Port box, and then click OK.</li> On the Connection menu, click Bind, leave all the boxes empty, and then click OK.</li></ol> </li> <li>Record the distinguished name path for the SchemaNamingContext attribute.

For example, for a domain controller in the CORP.ADATUM.COM forest, the distinguished name path would be CN=Schema,CN=Configuration,DC=corp,DC=adatum,DC=com.</li> <li>On the Browse menu, click Search.</li> <li>Configure the following settings: <ul> <li>Base DN: Type the distinguished name path for the schema naming context that is identified in step 3.</li> <li>Filter: Type (ldapdisplayname=dup*) .</li> <li>Scope: Click Subtree.</li></ul> </li> <li>Mangled HouseIdentifier, Secretary, and LabeledURI attributes have LDAPDisplayName attributes that are similar to the following format:

lDAPDisplayName: DUP-labeledURI-9591bbd3-d2a6-4669-afda-48af7c35507d;

lDAPDisplayName: DUP-secretary-c5a1240d-70c0-455c-9906-a4070602f85f

lDAPDisplayName: DUP-houseIdentifier-354b0ca8-9b6c-4722-aae7-e66906cc9eef

If the LDAP Display names for LabeledURI, Secretary and HouseIdentifier were mangled, run the Windows Server 2003 Inetorgpersonfix.ldf script to recover: <ol style="list-style-type: lower-alpha;"> <li>Create a folder named \iop.</li> <li>At a command prompt, type cd \iop, and then press ENTER.</li> <li>Extract the Inetorgpersonfix.ldf file from the Support.cab file that is located in the Support\Tools folder of the Windows Server 2003 installation media.</li> <li>From the console of the schema operations master, load the Inetorgpersonfix.ldf file by using Ldifde.exe to correct the LdapDisplayName attribute of the houseIdentifier, the Secretary, and the labeledURI attributes. To do this, type the following command, where  is the domain name path for the root domain of the forest wrapped in quotation marks:

ldifde -i -f inetorgpersonfix.ldf -v -c DC=X &quot; &quot;

Note In this command, X is a case-sensitive constant. Enter it exactly as it appears here.</li></ol> </li> <li>Verify that the houseIdentifier, the Secretary, and the labeledURI attributes in the schema naming context are not mangled.</li> <li>Use Winnt32.exe to upgrade the Windows 2000 domain controllers.

For more information about how to upgrade a Windows 2000 domain controller by using Winnt32.exe, click the following article number to view the article in the Microsoft Knowledge Base:

325379 How to upgrade Windows 2000 domain controllers to Windows Server 2003

</li></ol>

Errors encountered by Exchange 2000 Server when InetOrgPerson attributes are mangled
When you install or upgrade an Exchange 2000 Server computer in a domain that contains multiple domain controllers, you may receive the following error message during the setup /forestprep process:

Setup failed while installing subcomponent Microsoft Windows Active Directory schema update with error code 0xC1037AE6 (please consult the installation logs for a detailed description). You may cancel the installation or try the failed step again

The Setup log may contain the following error message:

[14:07:16] ScRunLDIFScript (k:\admin\src\libs\exsetup\exmisc.cxx:1333) Error code 0XC1037AE6 (31462): Extending the schema in the Active Directory failed. Please consult the error log LDIF.ERR in your TEMP directory.

This issue occurs because an InetOrgPerson collision occurred. Run the Inetorgpersonfix.ldf file as described in Scenario 3 of this article.

Enhancements to Adprep.exe in Windows Server 2003 Service Pack 1
The Adprep.exe command has been enhanced in Windows Server 2003 Service Pack 1. The command now detects the Exchange 2000 InetOrgPerson schema extensions and then stops. When the InetOrgPerson extension has been detected, you receive the following message:

Adprep was unable to extend the schema.

[Status/Consequence]

The schema master did not complete a replication cycle after the last reboot. The schema master must complete at least one replication cycle before the schema can be extended.

[User Action]

Verify that the schema master is connected to the network and can communicate with other domain controllers. Use the Sites and Services snap-in to replicate between the schema operations master and at least one replication partner. After replication has succeeded, run adprep again.

For more information about how to resolve this conflict, click the following article number to view the article in the Microsoft Knowledge Base:

325379 How to upgrade Windows 2000 domain controllers to Windows Server 2003

We recommend that you always use the latest version of Adprep.exe to extend the schema. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

324392 Enhancements to Adprep.exe in Windows Server 2003 Service Pack 1 and in hotfix 324392

Keywords: kbenv kbinfo KB314649

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.