Error -2147019886 adding attributes to Schema when running ADSSchema.exe

  • 7940230
  • 19-Aug-2009
  • 16-Jan-2014

Environment

SecureLogin
SecureLogin SSO
All Versions
MS Active Directory


Situation

Issue

The customer is installing SecureLogin in an Active Directory environment. They installed the client and the administration tools. When they attempted to run adsschema.exe on the local workstation to extend the Directory schema, the following error appeared:

An error occurred while trying to update the registry to allow Active Directory schema updates. Do you want to attempt to extend the schema anyway?

If the customer clicked Yes, the following error is displayed.

Error -2147019886 adding attributes to Schema

Resolution

Cause

The customer was attempting to extend the AD schema from a workstation, but it can only be extended on a Domain Controller.

In addition, only one domain controller at a time is permitted to write to the schema. This role is known as Schema Flexible Single Master Operations (FSMO).

SecureLogin automatically sets the FSMO when adsschema.exe runs so the schema can be extended.

The FSMO can only be set, and the schema can only be extended, on a Domain Controller.

Solution

The customer installed SecureLogin and extended the directory schema on a DC. Once complete, the customer removed SecureLogin from the DC. It is only required on the DC if you want SSO to be available for users who log on or you want to administer SecureLogin from the DC. Most administrators use Active Directory Users and Computers on their own PC to centrally manage SecureLogin.
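
A pre-flight check for the condition described under Cause, to run on the machine where adsschema.exe will be started. This is an added example, not part of the original article or of SecureLogin; the function name Test-SchemaExtensionHost is hypothetical, and it assumes PowerShell 3.0 or later on a domain-joined Windows machine.

```powershell
# Added example: confirm this host is a Domain Controller and report the
# current Schema FSMO holder before running adsschema.exe.
function Test-SchemaExtensionHost {
    [CmdletBinding()]
    param()

    # Win32_ComputerSystem.DomainRole:
    #   0-1 = workstation, 2-3 = server, 4-5 = domain controller
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $isDc = $cs.DomainRole -ge 4

    $localFqdn = if ($cs.PartOfDomain) { "$($cs.DNSHostName).$($cs.Domain)" }
                 else                  { $cs.Name }

    # Ask the forest which DC currently holds the Schema FSMO role.
    # This throws on a machine that is not joined to a domain.
    $schemaOwner = $null
    try {
        $forest      = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
        $schemaOwner = $forest.SchemaRoleOwner.Name
    }
    catch {
        Write-Warning "Could not query the forest: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Computer           = $localFqdn
        DomainRole         = $cs.DomainRole
        IsDomainController = $isDc
        SchemaMaster       = $schemaOwner
        IsSchemaMaster     = ($schemaOwner -and ($localFqdn -ieq $schemaOwner))
    }
}

$check = Test-SchemaExtensionHost
$check | Format-List

if (-not $check.IsDomainController) {
    # The situation in this article: adsschema.exe started from a workstation.
    Write-Warning "This host is not a Domain Controller. Run adsschema.exe on a DC."
}
elseif (-not $check.IsSchemaMaster) {
    # Informational only: per the article, adsschema.exe sets the FSMO itself.
    Write-Output "Schema FSMO is currently held by $($check.SchemaMaster)."
}
```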