Discussion:
Error: You do not have permission to update the AD schema
Blaine B
2004-04-14 20:38:04 UTC
Hello,
I am installing a new Exchange 2003 server into my current 5.5 setup. After running all the proper diagnostics with no errors I attempted to run Setup /Forestprep (this is on a member server) and after a few moments I received this error:

Prerequisites for Microsoft Exchange Domain Preparation failed:
The component "Microsoft Exchange Forest Preparation" cannot be assigned the action "Install" because:
- Either you do not have permission to update the Active Directory schema or Active Directory service is currently too busy.

I looked this up and found http://support.microsoft.com/default.aspx?scid=kb;en-us;274196&Product=exch2003
I checked the remote registry service and it was running correctly. I followed up with KB 326262 & 255788 and still got no satisfaction.

For the heck of it I dropped the Exchange cd in my DC and ran /Forestprep and received no error. I stopped setup prior to the actual install. I was logged in to both servers using the same account!

DC=2003
Ex. Member Server=2003

Help!
Terry Liu [MSFT]
2004-04-15 06:25:20 UTC
Hi,

I would like to offer you several suggestions to resolve this issue:

* Remove any third-party network adapter management software. Temporarily
remove any teaming software.
* Look into the "Exchange server setup progress.log" file at the root of
the partition. Please check the error code behind "ScCanUserUpgradeSchema".

If the error code following that function is 0XC1034A2A (18986)

- Then troubleshoot connectivity to other DC's. Although the m_strdc
values in the progress log point to reachable domain controllers, the setup
program may be relying on Windows to arbitrarily pick another domain
controller that is currently offline. Run DCDiag /v to determine if there
are other DCs in the root domain that are not reachable. If they are not
reachable, then determine why they are not reachable. If you do not care if
they are reachable, or if you know that those DCs have been
orphaned/removed, then you will need to perform metadata cleanup on Active
Directory using the NTDSUTIL utility.

If the error code following the ScCanUserUpgradeSchema function is
0XC1037AEA (31466)

- Then check to see if you can make a modification to the schema naming
context, either via ADSI Edit or through the schema management snap-in. If
you get a message saying that you only have permission to view, then open
AD Users and computers, go to the properties of the domain, and click the
Group policy tab. Ensure that the Default Domain policy is there, and that
it's not been disabled. Repeat w/the default domain controller policy.

In this case, resetting the default domain and default domain controller
policies with the default settings removed the 0XC1037AEA error code from
the latest session in the progress log.

NOTE: The above errors may also be seen when running the ADC setup program.

Have a nice day!

Best regards,

Terry Liu
MCSE 2K MCSA MCDBA CCNA
Microsoft Online Support Engineer

Get Secure! - <www.microsoft.com/security>
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
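
As an added illustration (not part of the thread and not Microsoft tooling), the log check described in the post above can be scripted. The log layout in `SAMPLE_LOG`, the name `triage` and the two-line `window` are assumptions; only the `Error code 0X… (n)` pattern and the two code-to-remedy mappings come from the thread.

```python
import re

# Next steps condensed from the post above, keyed by the two codes it names.
GUIDANCE = {
    0xC1034A2A: "connectivity: run DCDiag /v, fix or clean up unreachable DCs (NTDSUTIL)",
    0xC1037AEA: "schema write access: test with ADSI Edit, check both default GPOs",
}
ERR = re.compile(r"Error code (0X[0-9A-F]{8}) \((\d+)\)", re.IGNORECASE)

# Constructed sample; the real progress log layout is assumed, not quoted.
SAMPLE_LOG = """\
[10:01:12] PrepareDomain step (constructed)
[10:01:12]  Error code 0XC1034A2A (18986): not preceded by the marker, ignored
[10:01:13] ScCanUserUpgradeSchema (constructed)
[10:01:13]  Error code 0XC1037AEA (31466): schema permission check failed
[10:07:40] ScCanUserUpgradeSchema (constructed)
[10:07:41]  Error code 0XC10379BB (31163): insufficient access privileges
"""

def triage(log_text, marker="ScCanUserUpgradeSchema", window=2):
    """Find error codes on the marker line or within `window` lines after it."""
    findings, remaining = [], -1
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if marker in line:
            remaining = window          # start (or restart) the search window
        elif remaining >= 0:
            remaining -= 1
        if remaining < 0:
            continue                    # not near the marker: ignore this line
        m = ERR.search(line)
        if m:
            code, low = int(m.group(1), 16), int(m.group(2))
            findings.append({
                "line": lineno,
                "code": f"0X{code:08X}",
                # In the codes quoted in this thread the decimal is the low 16 bits.
                "consistent": (code & 0xFFFF) == low,
                "next_step": GUIDANCE.get(code, "not covered by the post above"),
            })
            remaining = -1              # one code per marker hit
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Findings are returned in file order, so the last entry reflects the most recent setup attempt; a `consistent` value of `False` points to a mistyped or damaged log line rather than a new error.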
Blaine B
2004-04-15 18:48:45 UTC
I checked through the log and here is the error:

Error code 0XC10379BB (31163): Setup has determined that you have
insufficient access privileges to the primary domain. Administrative access
in the primary domain is required in order to install the Active Directory
Connector.

I am logged in with the Enterprise Admin account. I also followed KB 326262
and still no luck.
Terry Liu [MSFT]
2004-04-16 01:55:40 UTC
Hi,

Thank you for taking the time to respond and I would like to offer you
the following suggestions:

Suggestion 1: Enable "schema may be modified from this DC"

To Register the Schmmgmt.dll File:
1. Click Start, and then click Run.
2. Type: "regsvr32 schmmgmt.dll" (without the quotation marks), and then
click OK.

NOTE: RegSvr32 has been successfully registered when a "DllRegisterServer
in schmmgmt.dll succeeded" dialog box is displayed.

To Enable Schema Updates By Using the Active Directory Schema MMC:

1. Click Start, click Run, type: "mmc" (without the quotation marks), and
then click OK.
2. On the Console menu, click Add/Remove Snap-in.
3. Click Add.
4. Click Active Directory Schema.
5. Click Add.
6. Click Close to close the Add Standalone Snap-in dialog box.
7. Click OK to add the snap-in to the console.
8. Right-click the Active Directory Schema node, and then click Operations
Master.

NOTE: The schema master is listed in the Current Operations Master section
of the Change Schema Master dialog box.

9. Click to select the "Schema may be modified on this Domain Controller"
check box. Click OK, and then exit the console.

Suggestion 2: Use an account that belongs to the Schema Admin of the parent
site

Suggestion 3: Check the permissions for the Temp directory so that the
account you are logged on has 'Full Control' to the folder. Also check
that the Temp directory Environment Variable is appearing as
Drive:\Winnt\Temp rather than %USERPROFILE%\Local Settings\Temp.

In addition, please send me the setup log and application log at
v-***@microsoft.com as an email attachment.

Hope this helps!

Best regards,

Terry Liu
MCSE 2K MCSA MCDBA CCNA
Microsoft Online Support Engineer

Blaine B
2004-04-19 19:42:48 UTC
Hi Terry,
I tried Suggestion 1 but I could not find the "Schema may be modified on
this domain controller" option anywhere within the AD Schema node. Please
note that I have already modified the registry of my Operations Master in
accordance with KB326262. Would this do the same thing as your suggestion?

Suggestion 2: I am logging into the Exchange server using an account that
has all the appropriate permissions.

Suggestion 3: I have set the Temp directory environment variable to the
c:\temp directory previous to doing the installation.

I will send the logs shortly.
Terry Liu [MSFT]
2004-04-20 08:43:53 UTC
Hi,

Thank you for bringing these log files to my attention!

However, could you resend the Exchange Server Setup log and send the
application.log to me? After examining the errorlog.txt and eventlog.txt,
there are no valuable clues added. So, I am unable to provide you with more
suggestions. I appreciate your patience and understanding.

Hope to hear from you soon!

Best regards,

Terry Liu
MCSE 2K MCSA MCDBA CCNA
Microsoft Online Support Engineer

Terry Liu [MSFT]
2004-04-21 09:39:29 UTC
Hi,

I have checked the log and found 0X80004002 from the setup log. After
performing research on this error code, I suggest you remove the org, and
then re-run setup by using /forestprep switch.

For your reference:

295623 Exchange Setup Fails with Error 0x80070422 --
http://support.microsoft.com/?id=295623
320096 XADM: Exchange Services Not Present After Installation --
http://support.microsoft.com/?id=320096
823142 "You Do Not Have Sufficient Permissions in the Domain" Error Message
-- http://support.microsoft.com/?id=823142

Hope this information addresses your concern!

Best regards,

Terry Liu
MCSE 2K MCSA MCDBA CCNA
Microsoft Online Support Engineer

Blaine B
2004-04-27 16:11:32 UTC
Hello Terry,
Thanks for your help but I'm not sure if you are following the whole thread
that we have been talking about. The Exchange server is not installed yet.
It would be a little difficult to remove the Org and then re-run setup by using
/forestprep, especially since the whole point of this thread is that I can't
seem to get /forestprep to run correctly in the first place! Please do us
both a favor and read the entire thread again so we can get back on track.

Thank you
Terry Liu [MSFT]
2004-05-03 12:53:18 UTC
Hi,

Thank you for your reply and I am sorry for the delay of my response.

I suggest you refer to this Knowledge Base article to remove org:

830185 The REMOVEORG option in Exchange Server 2003 --
http://support.microsoft.com/?id=830185
273478 How to Completely Remove Exchange 2000 from Active Directory --
http://support.microsoft.com/?id=273478

After removing the org, please try to upgrade to Exchange 2003 again.

Best regards,

Terry Liu
MCSE 2K MCSA MCDBA CCNA
Microsoft Online Support Engineer
