KB_160119: Failed to add Active Directory Schema during IDENTIKEY Authentication Server Upgrade
5/15/2017 12:05:01 PM
During an in-place upgrade, you see the following error message during the last step of the Configuration Wizard: “Failed to add Active Directory Schema.”
The most common cause of this error is the account used to run the upgrade. As stated in section 11 of the IAS Installation Guide, the user needs to be a member of both the Domain Admins and the Schema Admins groups. If the account is only a member of the Domain Admins group, it will not have all the permissions needed to modify the Active Directory schema.
There are two ways to address this: you can make the account that was used to log on to the server a member of both the Domain Admins and Schema Admins groups, or you can run the installer as a different account that is already a member of the two groups.
You can make the account that was used to log on to the server a member of the two groups by launching the Active Directory Users and Computers console and navigating to the user account in question. Then, go to the Member Of tab and click on Add…
In the example we use here, the account is already a member of the Domain Admins group, and all we need to do is make it a member of the Schema Admins group as well.
After confirming that both group memberships have been set, you can proceed with the upgrade as usual. The Update Schema step should complete with no errors. Note: the AD user must log off and log on again for the new group memberships to become effective.
On the next step in the configuration wizard, you should be able to check whether or not the schema has been fully replicated. In larger AD environments, it can take some time before the schema is replicated.
Once the AD schema has been replicated, you should see the following message:
If you have access to an account that is already a member of both the Domain Admins and Schema Admins groups, you can use that account to run the installer: hold down Shift, right-click the autorun application, and select the option “Run as different user”.
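The memberships can also be confirmed from the session that will run the installer. The PowerShell check below is an added example, not part of the original KB article. It assumes a domain-joined server and an elevated PowerShell session running as the upgrade account, and it looks in the current logon token for the well-known Domain Admins (RID 512) and Schema Admins (RID 518) SIDs, which is what shows whether the log off and log on has taken effect.

```powershell
# Added example (not from the KB). Assumptions: domain-joined server, elevated
# PowerShell session, running as the account that will perform the upgrade.
# In a non-elevated session UAC filters these groups out of the enabled set.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# SID of the account's own domain; Domain Admins is <domain SID>-512.
$domainSid = $identity.User.AccountDomainSid
if (-not $domainSid) { throw "$($identity.Name) is not a domain account." }

# Schema Admins (<forest root domain SID>-518) exists only in the forest root
# domain, so read that domain's SID from the directory.
$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$rootDe   = $forest.RootDomain.GetDirectoryEntry()
$rootSid  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $rootDe.objectSid[0], 0

$required = [ordered]@{
    'Domain Admins' = "$($domainSid.Value)-512"
    'Schema Admins' = "$($rootSid.Value)-518"
}

# Group SIDs that are enabled in the token of the current logon session.
$tokenSids = $identity.Groups | ForEach-Object { $_.Value }

$missing = @()
foreach ($name in $required.Keys) {
    $present = $tokenSids -contains $required[$name]
    '{0,-14} {1}  in logon token: {2}' -f $name, $required[$name], $present
    if (-not $present) { $missing += $name }
}

if ($missing) {
    # Either the membership was never granted, or it was granted after this
    # session started and the account has not logged off and on again yet.
    Write-Warning ("Not in this session's token: {0}. Check the Member Of tab, then log off and log on again before running the upgrade." -f ($missing -join ', '))
} else {
    'Both memberships are active in this session; the Update Schema step has the group memberships it needs.'
}
```

When using “Run as different user”, start the PowerShell session as that account so the token being checked is the one the installer will run under.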
Applies to: IDENTIKEY Authentication Server
KB 160119 – 15/05/2017
© 2017 VASCO Data Security. All rights reserved.