Q. I have Microsoft Exchange 2000 Server installed and want to run the Windows Server 2003 Adprep /Forestprep command. What must I do to avoid corrupting Active Directory (AD)?
September 29, 2004
A. When Exchange 2000 is installed, it modifies the AD schema. Three of these modifications are additions of the houseIdentifier, Secretary, and labeledURI attributes for the InetOrgPerson class. However, these Exchange 2000 attributes don't adhere to Internet Engineering Task Force (IETF) Request for Comments (RFC) 2798. When the Windows 2003 Adprep /Forestprep command runs, it redefines the attributes so that they conform to RFC 2798. This renaming causes Windows to rename the existing definitions for other attributes so that they're RFC-compliant and will cause future problems for your Exchange environment. (If you installed Exchange 2000 after running Windows 2003 forestprep, these problems won't occur.)
The Microsoft article "Windows Server 2003 adprep /forestprep Command Causes Mangled Attributes in Windows 2000 Forests That Contain Exchange 2000 Servers" describes solutions to a variety of problems related to Exchange 2000 schema changes and renamed attributes. Here, I discuss the procedure for changing the attribute names so that the Windows 2003 Adprep /Forestprep process doesn't mangle the attributes. This procedure addresses the most common scenario, in which Exchange 2000 is installed and you haven't yet run the Windows 2003 Adprep /Forestprep command. Before you perform the following steps, you need to enable schema modifications, which I discuss in the FAQ "How do I allow modifications to the schema?"
Log on as a Schema Admin (the Administrator of the forest root domain has this role by default).
Paste the following text into a file named Inetorgpersonprevent.ldf in the %systemroot%\IOP folder. You'll need to create the IOP folder. (You can copy and paste this text from the Microsoft article I mentioned earlier instead of typing it.)

dn: CN=ms-Exch-Assistant-Name,CN=Schema,CN=Configuration,DC=X
changetype: Modify
replace: lDAPDisplayName
lDAPDisplayName: msExchAssistantName
-

dn: CN=ms-Exch-LabeledURI,CN=Schema,CN=Configuration,DC=X
changetype: Modify
replace: lDAPDisplayName
lDAPDisplayName: msExchLabeledURI
-

dn: CN=ms-Exch-House-Identifier,CN=Schema,CN=Configuration,DC=X
changetype: Modify
replace: lDAPDisplayName
lDAPDisplayName: msExchHouseIdentifier
-

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

Start a command prompt (Start, Run, cmd.exe).
Change the current folder to the IOP folder.
Run the Ldifde command (the following line shows an example):
ldifde -i -f inetorgpersonprevent.ldf -v -c DC=X "DC=SAVILLTECH,DC=COM"
The command should be on one line, and you need to replace DC=SAVILLTECH,DC=COM with the distinguished name (DN) of your forest. After you enter the command, messages similar to the following are displayed on screen:
Connecting to "OMEGA.savilltech.com"
Logging in as current user using SSPI
Importing directory from file "inetorgpersonprevent.ldf"
Loading entries
1: CN=ms-Exch-Assistant-Name,CN=Schema,CN=Configuration,DC=SAVILLTECH,DC=COM
Entry modified successfully.
2: CN=ms-Exch-LabeledURI,CN=Schema,CN=Configuration,DC=SAVILLTECH,DC=COM
Entry modified successfully.
3: CN=ms-Exch-House-Identifier,CN=Schema,CN=Configuration,DC=SAVILLTECH,DC=COM
Entry modified successfully.
4: (null)
Entry modified successfully.
4 entries modified successfully.
The command has completed successfully.

You could use the ADSIEdit tool (adsiedit.msc) to check whether the attribute renaming worked--for example, the lDAPDisplayName attribute of the ms-Exch-LabeledURI class should now be renamed msExchLabeledURI instead of LabeledURI. If necessary, you can disable the schema changes that you enabled to perform this procedure.
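
Because a schema change replicates forest-wide, it is worth checking the change file before importing it. The following pre-flight check is an added example, not code from the article or from Microsoft: it parses the LDIF, applies the same DC=X substitution that ldifde -c performs, and lists the schema objects that would be renamed. The function names and the compactly rebuilt sample file are constructed for illustration.

```python
import re

# Constructed sample: the article's Inetorgpersonprevent.ldf, rebuilt compactly.
RENAMES = [("ms-Exch-Assistant-Name", "msExchAssistantName"),
           ("ms-Exch-LabeledURI", "msExchLabeledURI"),
           ("ms-Exch-House-Identifier", "msExchHouseIdentifier")]
SAMPLE_LDF = "".join(
    f"dn: CN={cn},CN=Schema,CN=Configuration,DC=X\nchangetype: Modify\n"
    f"replace: lDAPDisplayName\nlDAPDisplayName: {name}\n-\n\n"
    for cn, name in RENAMES
) + "dn:\nchangetype: Modify\nadd: schemaUpdateNow\nschemaUpdateNow: 1\n-\n"

def parse_records(text):
    """Split LDIF into records (blank-line separated) of {attribute: value}."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if line.strip() != "-":          # "-" only terminates a modification
                attr, _, value = line.partition(":")
                rec[attr.strip()] = value.strip()
        records.append(rec)
    return records

def preflight(text, forest_dn, placeholder="DC=X"):
    """Return ({target DN: new lDAPDisplayName}, [problems]) for a change file."""
    schema_nc = "CN=Schema,CN=Configuration," + forest_dn
    plan, problems, refresh_last = {}, [], False
    for n, rec in enumerate(parse_records(text), 1):
        dn = rec.get("dn", "").replace(placeholder, forest_dn)  # what -c does
        refresh_last = dn == "" and rec.get("add") == "schemaUpdateNow"
        if rec.get("changetype", "").lower() != "modify":
            problems.append(f"record {n}: changetype is not Modify")
        if refresh_last:
            continue                          # rootDSE request to reload the schema cache
        if not dn.endswith("," + schema_nc):
            problems.append(f"record {n}: {dn!r} is outside {schema_nc}")
        elif rec.get("replace") != "lDAPDisplayName":
            problems.append(f"record {n}: modifies something other than lDAPDisplayName")
        else:
            plan[dn] = rec.get("lDAPDisplayName", "")
    if not refresh_last:
        problems.append("file does not end with the schemaUpdateNow record")
    return plan, problems

if __name__ == "__main__":
    print(preflight(SAMPLE_LDF, "DC=SAVILLTECH,DC=COM"))
```

A file whose line breaks were lost in copy and paste parses as a single record and is reported as a problem rather than producing a rename plan.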