Active Directory Health Check with AD Schema Diagnose

Alexander Zammit

A Software Development Consultant with over 20 years of experience. Many of his projects involved Exchange integrated applications, including a FAX server, a mail security product and anti-spam products.

  • Published: Aug 18, 2005
  • Category: General
Exchange extends Active Directory in order to host its configuration objects. The forestprep schema extension is what enables this integration. Today we look into this process, the types of problems we might encounter, and some available troubleshooting tools.

AD Schema Diagnose

Schema Diagnose saves you from having to remember all this stuff. It conveniently verifies if these requirements are being satisfied. So let's get the application installed:

  1. Start by downloading Schema Diagnose from the application homepage.

  2. The application may be run on any machine with Windows 2000 Professional and higher. Extract the downloaded executable to the machine from which the final schema extension is to be performed.

  3. Run the application and have a close look at the generated report.

Schema Diagnose produces a report broken down into a number of sections. We next go through each section and see how these map to what we discussed so far.

  1. The application runs under the security context of the current user. The first report section lists the user's group membership. From here we can immediately see whether the current user is a member of the Schema Admins group.

    Process Security Context

  2. Next the Schema Master is identified. The report includes the machine's fully qualified name, its LDAP path, operating system, service pack and build.

    Schema Master Machine

  3. Thirdly Schema Diagnose connects to the Schema Master through LDAP. In this manner we clearly determine whether the machine is alive and accessible.

    LDAP Connectivity

  4. The next step verifies registry accessibility and the current status for the 'Schema Update Allowed' value. As we said (and as the report reminds us) this is only necessary for Windows 2000 machines.

    Registry Access Rights

  5. The final report section is an interesting bonus. Schema Diagnose directly verifies the complete set of access rights for the current user over the AD schema container. Whereas the first test enables visual inspection for the 'Schema Admins' security group, this test determines the exact access level and the set of rights the user is granted over this container.

    Schema Container Access Rights
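
The five report sections above can be approximated read-only from PowerShell with built-in .NET classes. This is an added example, not code from Schema Diagnose or the original article; it assumes a domain-joined machine, the standard NTDS Parameters registry path for 'Schema Update Allowed' (the article does not spell the path out), and the well-known RID 518 for Schema Admins.

```powershell
# Added example: read-only approximation of the five report sections.
# Run elevated on a domain-joined machine; UAC strips admin groups from a filtered token.
Add-Type -AssemblyName System.DirectoryServices

# 1. Process security context. Schema Admins has the well-known RID 518.
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sidValues = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
$isSchemaAdmin = [bool]($sidValues -match '^S-1-5-21-.+-518$')

# 2. Schema master (holder of the schema FSMO role).
$schema = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()
$master = $schema.SchemaRoleOwner

# 3. LDAP connectivity: reading RootDSE forces a bind to the schema master.
try {
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($master.Name)/RootDSE")
    $schemaNc = [string]$rootDse.Properties['schemaNamingContext'].Value
    $ldapOk   = -not [string]::IsNullOrEmpty($schemaNc)
} catch { $ldapOk = $false }

# 4. Registry: only meaningful on a Windows 2000 schema master. Needs Remote Registry.
$schemaUpdateAllowed = $null
try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $master.Name)
    $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
    $schemaUpdateAllowed = $key.GetValue('Schema Update Allowed')
    $regOk = $true
} catch { $regOk = $false }

# 5. ACEs on the schema container that apply to the current user or its groups.
$myRights = @()
if ($ldapOk) {
    $container = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($master.Name)/$schemaNc")
    $sidType   = [System.Security.Principal.SecurityIdentifier]
    $myRights  = @($container.psbase.ObjectSecurity.GetAccessRules($true, $true, $sidType) |
        Where-Object { $sidValues -contains $_.IdentityReference.Value } |
        Select-Object AccessControlType, ActiveDirectoryRights, IsInherited)
}

[pscustomobject]@{
    User                = $id.Name
    InSchemaAdmins      = $isSchemaAdmin
    SchemaMaster        = $master.Name
    SchemaMasterOS      = $master.OSVersion      # empty if the role owner is not a DomainController object
    LdapReachable       = $ldapOk
    RegistryReadable    = $regOk
    SchemaUpdateAllowed = $schemaUpdateAllowed   # $null when the value is absent
    SchemaContainerACEs = $myRights
}
```

The registry step only confirms read access to the key; it does not test whether the current user could change the value.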

Troubleshooting Replication Problems

When looking into replication problems, the Replication Monitor (Replmon.exe) is the tool for you. This is part of the support tools included on the Windows Installation CD. Through it you can force immediate replications, and identify machines causing replication failures. This is exactly what we need to resolve any schema replication problems.

Replmon is a very powerful, feature-rich tool. For more details on how to use it, follow the link in the References section.


References

AD Schema Diagnose

Replmon.exe: Active Directory Replication Monitor

User Comments - Page 1 of 1

Andrew 29 Jun 2015 08:44
My favourite tools are DCDiag and Repadmin. Microsoft have a free tool that is very useful for checking replication status. I wrote an article that I think will complement yours on checking your AD Health: