Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Tool diagnoses Active Directory schema problems

A malfunctioning Active Directory schema can cause all sorts of problems for Exchange Server, from replication issues between servers to Exchange not working at all. Luckily, there's a free tool called Active Directory Schema Diagnose that can determine whether or not the schema can be successfully updated, and where the problem lies if it can't.

Please let others know how useful this tip is via the rating scale at the end of it. Do you have a useful Exchange...

or Outlook tip, timesaver or workaround to share? Submit it to our tip contest and you could win a prize.


The Active Directory schema controls what objects can be listed in AD and what their attributes can be. In a Windows domain, the server that has the schema master role performs whatever updates and modifications are needed to the schema.

A malfunctioning Active Directory schema can cause all sorts of problems for Exchange, from replication issues between servers to Exchange not working at all. An administrator not aware of possible problems with the AD schema might be inclined to (mistakenly) blame the problem on Exchange itself.

If your domain's schema updates are not taking place or seem to be having problems, there is a utility from WinDeveloper.com that can take some of the pain out of debugging problems with schema updates. Active Directory Schema Diagnose (ADSD) runs several tests to determine whether or not the schema can be successfully updated, and also where a problem might lie if it can't.

When run, ADSD performs five tests:

  1. It gets the security context information the application itself is running under. This ensures that the user running the application is part of the Schema Admins group. If you're logged on as Administrator, this should work by default, but if something's been done to the group membership for that account, this should sniff it out.

  2. It retrieves the schema's master machine details -- the machine name, distinguished name (as listed in AD), machine object name, and what OS/service-pack level is on the machine in question. If there's a mismatch between the machine name and its distinguished name, the machine may need to have its role reset.

  3. It tests LDAP connectivity to the schema master. If the connection test fails, but the other tests so far succeed, that might indicate a network misconfiguration.

  4. It tests connectivity to the scheme master machine's registry. If this fails, check to make sure the user in question has the rights to set the "Schema Update Allowed" registry value -- either because they don't have the rights to modify the registry in general, or because that particular subkey/value has the wrong permissions set on it.

  5. It tests the access level(s) the user has on the AD schema container. This makes sure that the user has all the needed individual rights as well (i.e., the right to create object children or write object properties).

For the best results, ADSD should be run by an administrator, as running the program in a limited-privileges context may cause some of the tests to fail. (This isn't a symptom of anything wrong per se; lowered privileges just inherently cause many AD actions to fail.)

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter,


Do you have comments on this tip? Let us know.
Related information from SearchExchange.com:

  • Learning Center: Toolbox for Exhange administrators
  • Reference Center: More Exchange Server administration tools
  • Reference Center: Active Directory and Exchange tips and resources



  • This was last published in September 2005

    Dig Deeper on Microsoft Exchange Server and Active Directory

    PRO+

    Content

    Find more PRO+ content and other member only offers, here.

    Start the conversation

    Send me notifications when other members comment.

    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

    Please create a username to comment.

    -ADS BY GOOGLE

    SearchWindowsServer

    SearchEnterpriseDesktop

    SearchCloudComputing

    SearchSQLServer

    Close