Tool diagnoses Active Directory schema problems



The Active Directory schema controls what objects can be listed in AD and what their attributes can be. In a Windows domain, the server that has the schema master role performs whatever updates and modifications are needed to the schema.

A malfunctioning Active Directory schema can cause all sorts of problems for Exchange, from replication issues between servers to Exchange not working at all. An administrator not aware of possible problems with the AD schema might be inclined to (mistakenly) blame the problem on Exchange itself.

This was first published in September 2005

If your domain's schema updates are not taking place or seem to be having problems, there is a utility from WinDeveloper.com that can take some of the pain out of debugging problems with schema updates. Active Directory Schema Diagnose (ADSD) runs several tests to determine whether or not the schema can be successfully updated, and also where a problem might lie if it can't.

When run, ADSD performs five tests:

  1. It gets the security context information the application itself is running under. This ensures that the user running the application is part of the Schema Admins group. If you're logged on as Administrator, this should work by default, but if something's been done to the group membership for that account, this should sniff it out.

  2. It retrieves the schema's master machine details -- the machine name, distinguished name (as listed in AD), machine object name, and what OS/service-pack level is on the machine in question. If there's a mismatch between the machine name and its distinguished name, the machine may need to have its role reset.

  3. It tests LDAP connectivity to the schema master. If the connection test fails, but the other tests so far succeed, that might indicate a network misconfiguration.

  4. It tests connectivity to the schema master machine's registry. If this fails, the user in question may lack the rights to set the "Schema Update Allowed" registry value -- either because they don't have the rights to modify the registry in general, or because that particular subkey/value has the wrong permissions set on it.

  5. It tests the access level(s) the user has on the AD schema container. This makes sure that the user has all the needed individual rights as well (i.e., the right to create object children or write object properties).

For the best results, ADSD should be run by an administrator, as running the program in a limited-privileges context may cause some of the tests to fail. (This isn't a symptom of anything wrong per se; lowered privileges just inherently cause many AD actions to fail.)
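For readers who want to see what each of the five tests examines, the following PowerShell sketch is an added example, not ADSD's own code; it performs read-only approximations of the same checks using .NET directory classes. It assumes a domain-joined machine, the Remote Registry service running on the schema master, and the standard NTDS `Parameters` registry key (the article names only the value); the effective-rights attributes in step 5 are one substitute way to read the caller's access to the schema container.

```powershell
# Added example: read-only approximations of the five ADSD checks.
# Nothing here modifies Active Directory or the registry.
$results = [ordered]@{}

# 1. Security context: is a Schema Admins SID (well-known RID 518) in the token?
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$results['User'] = $id.Name
$results['InSchemaAdmins'] = [bool]($id.Groups | Where-Object { $_.Value -match '^S-1-5-21-(\d+-){3}518$' })

# 2. Schema master details: machine name and OS level of the role holder.
$owner = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().SchemaRoleOwner
$results['SchemaMaster'] = $owner.Name
$results['SchemaMasterOS'] = $owner.OSVersion

# 3. LDAP connectivity: bind to RootDSE on the schema master, then read the
#    role owner DN stored in AD so it can be compared with the name above.
try {
    $rootDse = [ADSI]"LDAP://$($owner.Name)/RootDSE"
    $schemaNC = [string]$rootDse.schemaNamingContext
    $schema = [ADSI]"LDAP://$($owner.Name)/$schemaNC"
    $results['LdapBind'] = [bool]$schemaNC
    $results['RoleOwnerInAD'] = [string]$schema.fSMORoleOwner
} catch { $results['LdapBind'] = $false }

# 4. Registry connectivity: open the NTDS Parameters key for writing (no write
#    is made) and read the "Schema Update Allowed" value if it is present.
try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $owner.Name)
    $key = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters', $true)
    $results['RegistryWritable'] = $null -ne $key
    $results['SchemaUpdateAllowed'] = $key.GetValue('Schema Update Allowed')
} catch { $results['RegistryWritable'] = $false }

# 5. Access on the schema container: ask the DC which child classes and
#    attributes this user may effectively create or write.
try {
    $schema.psbase.RefreshCache([string[]]@('allowedChildClassesEffective', 'allowedAttributesEffective'))
    $results['CanCreateChildren'] = $schema.psbase.Properties['allowedChildClassesEffective'].Count -gt 0
    $results['CanWriteProperties'] = $schema.psbase.Properties['allowedAttributesEffective'].Count -gt 0
} catch { $results['CanCreateChildren'] = $false; $results['CanWriteProperties'] = $false }

[pscustomobject]$results | Format-List
```

A `False` in step 3 with steps 1 and 2 succeeding points at the network path, as the article notes; a `False` only in step 4 points at registry permissions or the Remote Registry service.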

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter,

