Event ID 1523 — Schema Operations
Applies To: Windows Server 2008
Schema operations include the following:
- Updating the schema cache
- Updating the schema index
- Implementing schema modifications
- Maintaining schema integrity
Event Details
Product: | Windows Operating System |
ID: | 1523 |
Source: | Microsoft-Windows-ActiveDirectory_DomainService |
Version: | 6.0 |
Symbolic Name: | DIRLOG_SCHEMA_SD_CONVERSION_FAILED |
Message: | The AD_TERM schema cache load could not convert the default security descriptor on the following schema class object. Security descriptor: %1 Schema class object: %2 As a result, the schema cache load will fail. User Action Verify that the default security descriptor on the class is valid. If it is not valid, change it to a correct value. Additional Data Error value: %3 %4 |
Resolve
Ensure that the default security descriptor on the class is valid
Perform the following procedure on the computer that is logging the event to be resolved.
To perform this procedure, you must have membership in Domain Admins and Schema Admins, or you must have been delegated the appropriate authority.
To ensure that the default security descriptor on the class is valid:
- Open ADSI Edit. To open ADSI Edit, click Start. In Start Search, type ADSIEdit.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Right-click ADSI Edit, and then click Connect to.
- In Select a well known Naming Context, click Schema. The default action of the tool is to connect to the local domain. If you want to connect to another domain or server, you can do that under Computer in the Connection Settings dialog box.
- Click OK.
- In the console tree, expand Schema.
- Click the object name CN=Schema.
- In the middle pane, a three-column list of attribute names, classes, and distinguished names appears. In the Name column, right-click the class that is named in the Event Viewer event text, and then click Properties.
- In the list of attributes that appears in the properties dialog box for the class, select the defaultSecurityDescriptor attribute, and then click Edit.
- In String Attribute Editor, ensure that there is a correctly formatted security descriptor in the Value box. For information about what constitutes a valid security descriptor, see Security Descriptor String Format (https://go.microsoft.com/fwlink/?LinkId=96260). Click OK.
- Close ADSI Edit.
- Restart the computer.
Verify
To verify that the schema is in a consistent state, complete the following procedures:
- Ensure that the domain controllers synchronize their directory data by starting Active Directory replication.
- Enable diagnostic logging for the schema.
- Update the schema cache.
- Verify that the schema was updated successfully by using Event Viewer.
To perform these procedures, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.
Start Active Directory replication
To start Active Directory replication:
- Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Run the command **repadmin /syncall /user:**domain\user **/pw:**password. Substitute the appropriate domain name, user name, and password for domain, user, and password, respectively. The command output indicates whether synchronization started successfully.
Enable diagnostic logging for the schema
To verify a successful update of the schema, you can enable diagnostic logging for the schema. When you enable diagnostic logging, a schema update produces Event ID 1582 in the Directory Service log of Event Viewer. To enable diagnostic logging for the schema, you must edit the registry.
To enable diagnostic logging for the schema:
Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.
- Open Registry Editor. To open Registry Editor, click Start. In Start Search, type regedit, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- In the registry location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics, in the left pane, right-click the 24 DS Schema value, and then click Modify.
- Type 1 or higher (up to 5) for Value data to enable diagnostic logging for the schema. The higher the value, the more information is reported to the Directory Service log. Click OK.
Update the schema cache
To update the schema cache:
Create a file to force a schema cache update using Ldifde.exe. Create a new text file named SchemaUp (SchemaUp.txt, if you are viewing file extensions) in a folder location that is convenient for you to access.
Copy the following five lines of text and paste them as the contents of the SchemaUp.txt file.
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
After you paste the text into the file, ensure that there are no line breaks (carriage returns) between each line of text. If there are, delete the empty lines. Ensure that you have a hyphen as the last line of text in the file.
Save the file.
Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start Menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
At the command prompt, type ldif -i -f SchemaUp.txt, and then press ENTER. If necessary, type the file path to the text file that you saved. For example, if you saved the file in the Documents folder of an account named Administrator, type ldifde -i -f "c:\users\administrator\documents\schemaUp.txt", and then press ENTER.
Verify that the schema cache was updated successfully by using Event Viewer
To verify that the schema cache was updated successfully by using Event Viewer:
- Open Event Viewer. To open Event Viewer, click Start. In Start Search, type eventvwr.msc, and then press ENTER.
- Expand Applications and Services Logs, and then click Directory Service.
- Look for Event ID 1582, which confirms that the schema cache was reloaded successfully. If you do not see the event, click Find, type 1582, and then click Find Now. Event 1582 confirms that the schema cache was updated.
- Confirm that there are no Critical, Error, or Warning events that are related to the schema that occurred after the schema cache update. To locate events that are related to the schema, click Find, type DS Schema, and then click Find Next.
- Continue to click the Find Next button and review each event until you have verified that there are no Critical, Error, or Warning events that occurred after the schema cache update.
When you confirm that the schema cache was updated, you may no longer need diagnostic logging for schema events. To disable diagnostic logging for schema events, use the Reg command to set the 24 DS Schema value to 0. To set the value of 24 DS Schema to 0, at a command prompt, type the following command, and then press ENTER:
Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "24 DS Schema" /t REG_DWORD /d 0
The number after /d indicates the value, in this case, the logging level. For example, to set the logging level to 1, change /d 0 to /d 1 in the previous command.
To learn more about the Reg command syntax and options, at a command prompt, type Reg /?, and then press ENTER.