Pages

Fixing Schema Attributes from a damaged Exchange 2010 SchemaPrep

Recently I ran into quite a large issue of trying to fix event ID 1851 from Directory Service. The error that it kept stating was

The AttributeID value for the following attribute duplicates the AttributeID value for the following existing attribute.
 
Attribute:
msDS-GeoCoordinatesAltitude1 (8ceffc83, 90887)
Existing attribute:
msDS-GeoCoordinatesAltitude (90887, 90887)
 
Both attributes are considered deactivated (as if the isDefunct attribute value were TRUE). The condition will resolve itself after the schema directory partition has replicated successfully.
 
User Action
If this event continues to occur, initiate a replication cycle with all replication partners of the local directory service. If the condition persists, deactivate one of the above classes by setting the isDefunct value to TRUE.

image

Here is what I tried to do to fix the issue.

1. Fired up ADSIEdit and went to the Schema Configuration. From there, I found the attribute twice. Once was called msDS-GeoCoordinatesAltitude and the other was the same name, but appended to it was a GUID ID. Example:

image

2. I selected my bad object, in this case the GUID one. From there, I attempted to set the value of “isDefunct” from Not Set to True. When I did so, I got a nice error:

image

3. I thought, ok, so I need to take some permissions of the attribute first. I went and took ownership of the object, but got a nasty Access is Denied error. So that solution did not work.

4. I opened up a support case with Microsoft. First we worked on the issue for over 2 weeks via online method and they were unable to resolve it. I then opened a phone call support case. We spent about 3 1/2 hours on the phone and were not able to resolve. I was told, you must restore your Active Directory System state to a old backup. In this case, that was not going to fly because this object had been sitting on the server since 2013, and there was no backup prior to that date. I needed to figure out how to fix this. Here is what I did to resolve.

 

1. First I searched for the attribute ms-DS-GeoCoordinates-Altitude via google. I needed to know what Classes it was associated to. If you don’t know much about Active Directory and Schema, I suggest doing some reading on how Classes And Attributes relate. https://technet.microsoft.com/en-us/library/cc961753.aspx is a good start. The reason I could not change this setting is because of the maycontain list. In this case, the relationship to the attribute ms-DS-GeoCoordinates-Altitude  is directly related to the classes Mail-Recipient . Using google, I found this at https://msdn.microsoft.com/en-us/library/hh446582(v=vs.85).aspx 

image

2. Now that I know the classes it is used in, I need to remove the attribute from the class.  Following a completely irrelivant article from Microsoft at https://support.microsoft.com/en-us/kb/887426 I used this as my somewhat guide to help me fix this. First I opened up MMC and added the Active Directory Schema.

3. From there, I selected the Classes called MailRecipient. Example:

image

 

4. Select the Properties of it, and then go to the Attributes Tab. Once there, I selected in the Optional: section my attribute ms-DS-GeoCoordinates-Altitude. I then selected Remove. 

One thing to note, I did not see the BAD attribute called ms-DS-GeoCoordinates-AltitudeCNF:5975a11a-a52c-461e-ab43-3e0497314812 listed here.  I am unsure why that is.

image

5. Now I hit OK and closed out of this. 

6. Back in ADSIEdit, I selected the attribute ms-DS-GeoCoordinates-AltitudeCNF:5975a11a-a52c-461e-ab43-3e0497314812 . I then took ownership of the attribute and applied it. I then modified the security of the user “Schema Admins” and selected Full Control.

7. On the Attribute Editor tab, I selected the Attribute called isDefunct. I changed this from Not Set to TRUE.

image

8. This time when I hit OK, I got no nasty error. This was great progress. I can see in the event log it is now deactivated:

image

9. This is a good thing. The attribute is now deactivated. The next thing to do is add the other attribute back to our class.

10. Back in our Active Directory Schema MMC, I selected my Class called MailRecipient and selected Properties. Then select the Attributes TAB.

 

image

11. Select the Add button and find the attribute that we removed in step 4. Now add it back to the class.

image

 

12. Hit OK, and then OK again. In my console, I got an error that the MMC crashed. Rather odd. I closed it down and re-opened it.

13. I verified that the attributes are now associated with the class. Here is my screenshot.

image

14. I verified in the event log that my object is now disabled. I restarted the Active Directory Domain Services Service and checked the event log to confirm it is now working.

 

I hope this helps someone else in a bind on trying to fix this issue.

Lyle Epstein Las Vegas Kortek Solutions

Comments are closed.