user not in schema group - how to add it

    Question

  • Hi,

    I have a single forest with two domains. The first domain is win2003 and the second domain, added yesterday, is win2012.

    The forest functional level is 2003, the domain functional level is 2003 for the win2003 domain, and the domain functional level is 2012 for the win2012 domain. A two-way trust was created automatically when I installed the second domain; I also tested it and it works.

    I need to install a product that makes schema changes; however, I only find the Schema and Enterprise groups in the AD of the first domain. The AD application that I run on the win2012 DC does not show the Schema or Enterprise groups.

    So I went ahead and added the Domain Admins group from the win2012 domain into the Schema/Enterprise groups that appear in the AD of the first domain.

    Now when I log on with the admin account from the win2012 domain to a win2012 domain machine and try to run schema changes, the error message is always "Your account is not a member of Schema Admins".

    This relates to the MS Exchange 2013 product installation. However, I think I'm adding the Schema user in a wrong way.

    Thanks in advance for your comments.

    Wednesday, July 17, 2013 6:41 AM

All replies

  • Hello,

    the schema master is unique in the forest and changes must be made on this DC. The changes are then replicated to all DCs in the forest, as you had to do when installing the first Windows Server 2012 DC, except that the adprep changes are run automatically and not with adprep from the command line as on earlier OS versions.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Wednesday, July 17, 2013 7:04 AM
  • Hi Meinolf,

    Well, I used ADUC to create User1 on the DC that holds the schema role in Domain1.

    User1 is a member of Domain Admins, Schema Admins and Enterprise Admins in Domain1.

    Then I went to a member server of Domain2 (same forest) and logged in with Domain1\User1. While running the prerequisite checks, I get an error saying that Domain1\User1 is not an account that is part of Schema or Enterprise Admins.

    So,

    I went to ADUC on Domain2 and created User2. Then, using ADUC on the Domain1 DC, I added Domain2\User2 to the Schema Admins and Enterprise Admins groups as well as Domain1\Domain Admins.

    I then used Domain2\User2 to log in to a member server in Domain2 and ran setup. Same error: not a member of the Enterprise or Schema Admins groups.

    Maybe my child domain Domain2 is not querying properly to the Domain1\DC?

    Also, my Active Directory DNS Zones are NOT replicated at forest level, only at domain level.

    Also, if I use ADUC on the Domain2 DC and try to add a user from Domain1, ADUC won't let me select users and groups, only "Contacts and Other Objects".

    How can I test properly why I have this behavior?

    Thanks

    Wednesday, July 17, 2013 7:50 AM
  • Hello,

    Please post the complete error message you have, as Exchange has some specific requirements, as shown in:

    http://technet.microsoft.com/en-us/library/ms.exch.setupreadiness.notinschemamastersite(v=exchg.150).aspx

    http://technet.microsoft.com/en-us/library/ms.exch.setupreadiness.notinschemamasterdomain(v=exchg.150).aspx

    http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.SchemaUpdateRequired.aspx


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Wednesday, July 17, 2013 8:28 AM
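An added preflight check for the situation in this thread. It is example code written for this page, not code from the thread, from the poster or from Exchange setup. It finds the forest's single schema master, compares its domain and site with the machine the script runs on (the two Exchange readiness conditions linked above), and then looks in the current logon token for the root-domain Schema Admins and Enterprise Admins SIDs. The token check matters because the setup error is about the logon token, which is built at logon and not refreshed when a group membership is added afterwards, and because those two groups exist only in the forest root domain, so the expected SIDs must be built from the root domain's SID and not from the child domain's. It assumes the RSAT ActiveDirectory PowerShell module is installed on the machine; the RIDs 518 and 519 are the well-known values for Schema Admins and Enterprise Admins.

```powershell
# Added example (not from the thread): preflight checks before a forest-wide
# schema change such as Exchange setup. Assumes the RSAT ActiveDirectory module
# is present and that you are logged on as the account you will run setup with.
Import-Module ActiveDirectory

# Well-known RIDs of the two groups that exist only in the forest root domain.
$SchemaAdminsRid     = 518
$EnterpriseAdminsRid = 519

function Get-SchemaMasterInfo {
    # The schema master is unique in the forest; report which DC holds it,
    # and which domain and AD site that DC is in.
    $forest = Get-ADForest
    $dc     = Get-ADDomainController -Identity $forest.SchemaMaster
    [pscustomobject]@{
        ForestMode   = $forest.ForestMode
        RootDomain   = $forest.RootDomain
        SchemaMaster = $dc.HostName
        Domain       = $dc.Domain
        Site         = $dc.Site
    }
}

function Get-LocalMachineInfo {
    # Domain and site of the machine setup would be run from.
    [pscustomobject]@{
        Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
        Site   = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    }
}

function Test-GroupSidInToken {
    param(
        [Parameter(Mandatory)][string]$DomainSid,
        [Parameter(Mandatory)][int]$Rid
    )
    # Setup reads the logon token, not the directory: a membership granted
    # after logon is invisible until the user logs off and on again.
    $expected = "$DomainSid-$Rid"
    $token    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $null -ne ($token.Groups | Where-Object { $_.Value -eq $expected })
}

function Test-SchemaChangeReadiness {
    $master  = Get-SchemaMasterInfo
    $local   = Get-LocalMachineInfo
    # Build the SIDs from the ROOT domain SID; the child domain has no
    # Schema Admins or Enterprise Admins group of its own.
    $rootSid = (Get-ADDomain -Identity $master.RootDomain).DomainSID.Value

    [pscustomobject]([ordered]@{
        SchemaMaster             = $master.SchemaMaster
        SchemaMasterDomain       = $master.Domain
        SchemaMasterSite         = $master.Site
        LocalDomain              = $local.Domain
        LocalSite                = $local.Site
        SameDomainAsSchemaMaster = ($local.Domain -eq $master.Domain)
        SameSiteAsSchemaMaster   = ($local.Site   -eq $master.Site)
        TokenHasSchemaAdmins     = Test-GroupSidInToken -DomainSid $rootSid -Rid $SchemaAdminsRid
        TokenHasEnterpriseAdmins = Test-GroupSidInToken -DomainSid $rootSid -Rid $EnterpriseAdminsRid
    })
}

Test-SchemaChangeReadiness | Format-List
```

If either Token* field is False after the account was added to the group, log off and back on (or log on to a machine in the schema master's domain and site) and run it again before starting setup; if the two Same* fields are False, setup is being run from the wrong domain or site for the readiness checks linked above.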
  • Meinolf, we decided to go with a completely different forest approach. This saved us plenty of problems with permissions.

    Thanks for your help.

    Sunday, July 21, 2013 10:52 PM