Error -2147016651 extending AD schema using adsschema.exe

  • 7940275
  • 19-Aug-2009
  • 17-Jan-2014

Environment

SecureLogin
SecureLogin SSO
All Versions

Situation

Issue

The customer is installing SecureLogin in a Microsoft ADS environment. When they attempt to extend the Directory schema (using adsschema.exe) the following error is displayed and the schema is not extended.

  • Error -2147016651 adding entries attribute to Schema
  • Error -2147016651 adding authdata attribute to Schema
  • Error -2147016651 adding Security Prefs attribute to Schema
  • Error -2147016651 adding Entries Checksum attribute to Schema
  • Error -2147016651 adding Security Prefs Checksum attribute to Schema
  • Error -2147016651 adding Protocom SecureLogin Profile attribute to Schema
  • Error -2147016651 setting new user class attribute
  • Error -2147016651 setting new container class attribute
  • Error -2147016651 setting new OU class attribute

Resolution

Cause

Even though Active Directory is based on a multi-master administrative model, some operations allow only a single master. Schema management is one of these operations.

By default, domain controllers permit only read access to the schema. If you attempt to add attributes to the schema before you make the registry change described, the schema will not be extended.

Only one domain controller at a time is permitted to write to the schema. This role is known as Schema Flexible Single Master Operations (FSMO).

To extend the schema successfully, you must ensure that the Active Directory Schema Manager snap-in is pointed at the schema FSMO. If you have only a single domain controller in your network, it is always the schema FSMO.

Solution

The customer set the FSMO to the server they were running adsschema.exe on by performing the tasks below. Write access to the schema was then "enabled" on the domain controller and the schema was successfully extended.

  • Install the Active Directory Schema management snap-in (for MMC). You can acquire this snap-in through a full installation of the Windows 2000 Administration Tools or by registering Schmmgmt.dll in the system root on a Windows 2000 server.

Once the snap-in has been installed, activate the Schema MMC snap-in by following these steps:

  • Click Start, click Run, type mmc, and then click OK.
  • On the MMC Console menu, click Add/Remove Snap-in....
  • Click Add, and then click Active Directory Schema.
  • Click Add, click Close, and then click OK.

To set the FSMO and permit schema write operations:

In the Active Directory Schema snap-in…

  • Highlight Active Directory Schema
  • Choose Action | Operations Master....
  • Select the box titled

    "The Schema may be modified on this Domain Controller".

  • Click OK
  • Run adsschema.exe
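The same precondition can be checked from a console before running adsschema.exe. The script below is an added example, not part of the original TID; it assumes the ActiveDirectory PowerShell module (RSAT or Windows Server 2008 R2 and later), which the article does not mention, and that it is run on the domain controller where adsschema.exe will be started.

```powershell
# Added example: confirm this DC holds the Schema Master FSMO role and that the
# logged-on account can write to the schema, which is what adsschema.exe needs.
# Assumes the ActiveDirectory module is available (not stated in the TID).
Import-Module ActiveDirectory

$forest     = Get-ADForest
$schemaHost = $forest.SchemaMaster                              # FQDN of the schema FSMO holder
$localDC    = Get-ADDomainController -Identity $env:COMPUTERNAME
$localHost  = $localDC.HostName

Write-Host "Schema Master : $schemaHost"
Write-Host "This server   : $localHost"

# -2147016651 is HRESULT 0x80072035, the LDAP "unwilling to perform" result that
# a DC returns when asked to write the schema while not holding the role.
if ($schemaHost -ne $localHost) {
    Write-Warning "This DC is not the Schema Master; adsschema.exe will fail with -2147016651 here."
    # Either run adsschema.exe on $schemaHost, or transfer the role to this DC
    # (the PowerShell equivalent of Action | Operations Master... in the snap-in).
    # Uncomment to transfer; requires Schema Admins membership:
    # Move-ADDirectoryServerOperationMasterRole -Identity $env:COMPUTERNAME -OperationMasterRole SchemaMaster
}

# Schema writes also require membership in Schema Admins, which lives in the forest root domain.
$schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain -Recursive |
                Select-Object -ExpandProperty SamAccountName
if ($schemaAdmins -notcontains $env:USERNAME) {
    Write-Warning "$env:USERNAME is not in Schema Admins; add the account and log on again before extending the schema."
} else {
    Write-Host "Preconditions met; adsschema.exe can be run on this DC."
}
```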