Error -2147023541 in BindToSchemaNC when extending AD schema.

  • 7940298
  • 19-Aug-2009
  • 26-Apr-2012

Environment

SecureLogin
SecureLogin SSO
3.5.1.x, 3.5.2.0
MS AD, LDAP, NT4, Citrix, Terminal Services

Situation

A user installed SecureLogin in an Active Directory environment, including the client and the administration tools. When they attempted to run adsschema.exe on the local workstation to extend the directory schema, the following error appeared:

Error -2147023541 in BindToSchemaNC when extending AD schema

Resolution

Install SecureLogin and extend the directory schema on a domain controller (DC). Once complete, remove SecureLogin from the DC. It is only required on the DC if you want SSO to be available for users who log on or you want to administer SecureLogin from the DC. Most administrators use Active Directory Users and Computers on their own PC to centrally manage SecureLogin.

Additional Information

Root Cause

The user was attempting to extend the AD schema from a workstation, but it can only be extended on a Domain Controller.

Furthermore, the workstation had no connectivity with the file server so this particular error appeared.

Only one domain controller at a time is permitted to write to the schema. This role is known as Schema Flexible Single Master Operations (FSMO).

SecureLogin automatically sets the FSMO when adsschema.exe runs so the schema can be extended.

The FSMO can only be set, and the schema can only be extended, on a Domain Controller.
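
A pre-flight check for the conditions described above, added here as an example and not part of SecureLogin or the original article: it decodes the reported HRESULT into its Win32 error and reports whether the current machine is a domain controller and which DC holds the schema master role. The function names ConvertFrom-HResult and Test-SchemaExtensionHost are hypothetical; run it in Windows PowerShell on a domain-joined machine before launching adsschema.exe.

```powershell
# Added example. Function names are hypothetical helpers, not SecureLogin tooling.

function ConvertFrom-HResult {
    param([int]$HResult)
    # HRESULT layout: bit 31 = failure, bits 16-28 = facility, bits 0-15 = code
    $facility = ($HResult -shr 16) -band 0x1FFF
    $code     = $HResult -band 0xFFFF
    [pscustomobject]@{
        Hex      = '0x{0:X8}' -f $HResult
        Facility = $facility      # 7 = FACILITY_WIN32 (a wrapped Win32 error)
        Code     = $code
        # Only Win32-facility codes map onto system error messages
        Message  = if ($facility -eq 7) {
            (New-Object System.ComponentModel.Win32Exception $code).Message
        }
    }
}

function Test-SchemaExtensionHost {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role = (Get-CimInstance Win32_ComputerSystem).DomainRole
    $isDc = $role -in 4, 5

    # Ask the directory which DC currently owns the schema master role
    $owner = $null
    try {
        $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
        $owner  = $forest.SchemaRoleOwner.Name
    } catch {
        Write-Warning "Could not contact the forest: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        IsDomainController = $isDc
        SchemaMaster       = $owner
        ReadyForAdsschema  = $isDc -and [bool]$owner
    }
}

# The error from this article: 0x8007054B, Win32 code 1355 (ERROR_NO_SUCH_DOMAIN)
ConvertFrom-HResult -HResult (-2147023541)
Test-SchemaExtensionHost
```

On a workstation the second object shows IsDomainController as False, which matches the root cause given above.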