Windows 2003: Cannot upgrade to R2. ADPrep fails.
Recently I attempted to upgrade a domain from Windows 2003 Server Standard SP1 to Windows 2003 Server R2. Before running the update, Schema changes are required for Active Directory make it "R2-ready". Attempting to run adprep /forestPrep from CD2 of the R2 release, I was greeted with a significant number of errors:
=============================================================================
"attributeId" attribute value for objects defined in Windows 2000 schema and ext
ended schema do not match.
A previous schema extension has defined the attribute value as "1.2.840.113556.1
.4.7000.187.70" for object "CN=uidNumber,CN=Schema,CN=Configuration,DC=domain
DC=tld" differently than the schema extension needed for Windows 2003 se
rver .
[Status/Consequence]
Adprep cannot extend your existing schema
[User Action]
Contact the vendor of the application that previously extended the schema to res
olve the inconsistency. Then run adprep again.
=============================================================================
"attributeId" attribute value for objects defined in Windows 2000 schema and ext
ended schema do not match.
A previous schema extension has defined the attribute value as "1.2.840.113556.1
.4.7000.187.71" for object "CN=gidNumber,CN=Schema,CN=Configuration,DC=domain
DC=tld" differently than the schema extension needed for Windows 2003 se
rver .
[Status/Consequence]
Adprep cannot extend your existing schema
[User Action]
Contact the vendor of the application that previously extended the schema to res
olve the inconsistency. Then run adprep again.
(there were a lot more errors, but I've left them out because it looked ugly) ;)
Apparently there is an issue with the schema changes in Service For Unix (SFU) and Windows 2003 Server. There is a discussion regarding this at http://www.mail-archive.com/activedir@mail.activedir.org/msg41354.html. I was able to correct the issue and had to contact Microsoft Support. With their help, we came up with a solution in which we renamed each Schema entry created by SFU through ADSIedit.msc.
In ADSIedit.msc, Expand Schema, CN=Schema,CN=Configuration,DC=domain,DC=tld. In this list, search for the following entries and change their "adminDisplayName" and "lDAPDisplayName":
GidNumber
UidNumber
gecos
loginShell
shadowLastChange
shadowMin
shadowMin
shadowMax
shadowWarning
shadowWarning
shadowInactive
shadowExpire
shadowFlag
memberUid
memberNisNetgroup
memberNisNetgroup
ipServicePort
ipServiceProtocol
ipProtocolNumber
oncRpcNumber
ipHostNumber
ipNetworkNumber
ipNetmaskNumber
macAddress
bootParameter
bootFile
nisMapName
nisMapName
nisMapEntry
nisMapEntry
nisMap
For example, with CN=nisMap, right-click, select Properties, find "adminDisplayName" and click Edit. Change the value from "nisMap" to "nisMap-old". Apply the changes. Look for "lDAPDisplayName", change the value from "nisMap" to "nisMap-old", press Ok. Apply the changes and press Ok to exit the properties screen. Right-click "CN=nisMap" once more and select Rename. Rename it to "CN=nisMap-old". Repeat this for all entries that are conflicting with R2.
Once changed, re-run the adprep /forestPrep and the schema changes should work properly.
