Changing system-only attributes in Active Directory

WARNING: Following this path can lead to irreversible Active Directory damage. Singlebrook Technology is not responsible for any damage caused by following this procedure. Proceed at your own risk!

A long time ago someone made some schema extensions to a client's Active Directory in an attempt to support *nix and OS X workstations. When it came time to upgrade the AD to Windows Server 2003, the old extensions were incompatible with the schema changes required for the upgrade. Running "adprep /forestprep" reported errors like:

----------------------
"isSingleValued" attribute value for objects defined in Windows 2000 schema and extended schema do not match.

A previous schema extension has defined the attribute value as "TRUE" for object "CN=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=domain,DC=com" differently than the schema extension needed for Windows 2003 server .

[Status/Consequence]
Adprep cannot extend your existing schema

[User Action]
Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.
----------------------

We followed the instructions in the MS KB article at http://support.microsoft.com/kb/887426/en-us to try to fix the problem, but we got hung up because the isSingleValued and attributeSyntax attributes of the x500uniqueIdentifier object could not be modified. When we tried, using the ldifde or ADSIedit.msc tools, we got an error: "The attribute cannot be modified because it is owned by the system."

I won't bore you with the details, but in this case the solution was to create a registry key that allows you to change system-only attributes:

In HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters, create the following value:
Value name: Allow System Only Change
Data type: REG_DWORD
Value data: 1

Once we created that, we were able to change the attributes without trouble and run "adprep /forestprep" successfully. We hope that this post saves someone else some trouble!
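
The registry change described above, as an added PowerShell example that is not part of the original post: it creates the value, pauses while the schema attributes are edited, and then removes the value again. The function names are hypothetical, and removing the value afterwards is an assumption of this example rather than a step from the post.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Run in an elevated session on the domain controller where the schema is edited.
$NtdsParams = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
$ValueName  = 'Allow System Only Change'

function Get-SystemOnlyOverride {
    # Returns the current DWORD, or $null when the value does not exist.
    $item = Get-ItemProperty -Path $NtdsParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$ValueName } else { $null }
}

function Enable-SystemOnlyOverride {
    if (-not (Test-Path $NtdsParams)) {
        throw "Key $NtdsParams not found. Is this a domain controller?"
    }
    # -Force overwrites an existing value, so the call is repeatable.
    New-ItemProperty -Path $NtdsParams -Name $ValueName `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Remove-SystemOnlyOverride {
    # Assumption of this example: take the override away once the fix is done,
    # so system-only attributes are protected again.
    if ($null -ne (Get-SystemOnlyOverride)) {
        Remove-ItemProperty -Path $NtdsParams -Name $ValueName
    }
}

Enable-SystemOnlyOverride
"Override is now: $(Get-SystemOnlyOverride)"
try {
    # Edit isSingleValued / attributeSyntax with ldifde or ADSIedit.msc here,
    # as described in the post, then run: adprep /forestprep
    Read-Host 'Press Enter when the schema changes are finished' | Out-Null
}
finally {
    # Runs even if the session is interrupted with an error.
    Remove-SystemOnlyOverride
    "Override after cleanup: $(Get-SystemOnlyOverride)"
}
```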