Active Directory Schema Update

An Active Directory Schema is a description of all directory objects and attributes in the Windows domain. The schema contains the definitions of each class of objects that can be created in an Active Directory forest (User, Printer, Computer, Group, Site, etc.). Also, the schema contains formal definitions for each attribute that can or should exist in an Active Directory object. The AD schema reflects the basic structure of the catalog and is critical for its proper functioning. Typically, the AD schema is extended/upgraded for several reasons. The most common is the implementation of an application that requires an extension of the schema (for products such as Microsoft Exchange, Lync/Skype for Business, SCCM) or when you add a new domain controller with a new version of Windows Server.

New versions of Microsoft OS contain new objects and attributes, so for their normal functioning as domain controllers, the administrator of the domain needs to update the Active Directory Schema. In this example, we will show how to update the AD schema version from Windows Server 2012 to Windows Server 2019.

How to Check Current AD Schema Version?

To find out the current version of the Active Directory Schema, you can use the DSQuery tool:

dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion

Or the following PowerShell command:

Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion

The command returns the ObjectVersion attribute value, which is the version number of the Active Directory Schema. In our example, the schema version is 69, which corresponds to Windows Server 2012 R2.

The same query with the Active Directory module for PowerShell imported explicitly:

Import-Module ActiveDirectory

Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion

The following table lists the correspondence between Windows Server versions and versions of the Active Directory Schema.

Windows Server version    AD Schema objectVersion
Windows 2000              13
Windows 2003              30
Windows 2003 R2           31
Windows 2008              44
Windows 2008 R2           47
Windows 2012              56
Windows 2012 R2           69
Windows Server 2016       87
Windows Server 2019       88
How to Upgrade AD DS Schema to Windows Server 2019?

Active Directory allows using multiple domain controllers within the same organization with different versions of Windows Server (2008/R2, 2012/R2, 2016, 2019). Since these versions were released in different years, and each new version carries more functionality than the previous one, each operating system has its own schema version. Therefore, when you add a new Windows Server 2019-based domain controller to an organization where existing DCs are running Windows Server 2012, you will need to update your AD schema to the level of Windows Server 2019.

Note. The Windows Server 2019 version of the Active Directory schema has only one new attribute, msDS-preferredDataLocation.

In Windows 2008 R2 and lower, to successfully add the controller running a newer Windows Server version, you have to manually update the forest and the domain schema version. In Windows Server 2012 and newer, when you add a new domain controller, the schema is updated automatically.

Therefore, the easiest way to update the AD schema version from Windows Server 2012 to Windows Server 2019 is to install a new server running Windows Server 2019 and promote it to a domain controller by installing the Active Directory Domain Service (AD DS) role.

You can update the AD schema from Windows Server 2012 to 2019 manually, without adding a new DC running Windows Server 2019. To do this, you will need the adprep utility from the installation media with Windows Server 2016. Run the command prompt with administrator privileges and go to the support\adprep directory on the Windows Server installation disk.

cd /d f:\support\adprep

Note. Since Windows Server 2008 R2, the adprep utility is only 64-bit.

To perform the forest schema update, the adprep utility must be run on the DC with the FSMO role Schema Master. To upgrade the version of the domain schema, log on to the DC with the Infrastructure Master role.

To successfully upgrade the AD schema, your account must be a member of the following domain security groups:

  • Schema Admins;
  • Enterprise Admins;
  • Domain Admins of the domain in which the Schema Master is located.

Also, note the forest and domain functional levels. Domains in the AD forest can have different modes of operation (functional levels). For example, one of the domains can run in Windows 2016 mode, and the rest in Windows 2008 R2 mode. The forest functional level cannot be higher than that of the oldest domain.

You can find the domain and forest functional level using the PowerShell cmdlets from the AD PowerShell module. To get the domain functional level, use the command:

Get-ADDomain | fl Name,DomainMode

To check the AD forest functional level, run:

Get-ADForest | fl Name,ForestMode
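The checks described so far (schema version, FSMO role holders, required group membership, functional levels) can be collected in one read-only report before adprep is started. This is an added example, not part of the original article; it assumes the Schema Master sits in the forest root domain (the default placement) and identifies the three groups by their well-known RIDs (518, 519, 512).

```powershell
# Added example (not from the original article): read-only pre-flight report
# to run in an elevated session before adprep. Nothing in the directory is changed.
Import-Module ActiveDirectory

# objectVersion -> Windows Server release, copied from the table on this page.
$schemaMap = @{
    13 = 'Windows 2000';    30 = 'Windows 2003';        31 = 'Windows 2003 R2'
    44 = 'Windows 2008';    47 = 'Windows 2008 R2';     56 = 'Windows 2012'
    69 = 'Windows 2012 R2'; 87 = 'Windows Server 2016'; 88 = 'Windows Server 2019'
}

$rootDse = Get-ADRootDSE
$forest  = Get-ADForest
$domain  = Get-ADDomain
$version = [int](Get-ADObject $rootDse.schemaNamingContext -Properties objectVersion).objectVersion

# ASSUMPTION: the Schema Master is in the forest root domain, so all three
# groups are resolved from the root domain SID plus their well-known RIDs.
$rootSid = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value
$needed = [ordered]@{
    'Schema Admins'     = "${rootSid}-518"
    'Enterprise Admins' = "${rootSid}-519"
    'Domain Admins'     = "${rootSid}-512"
}

# Group SIDs present in the current logon token (nested membership included).
$tokenSids = [Security.Principal.WindowsIdentity]::GetCurrent().Groups.Value

[pscustomobject]@{
    SchemaVersion        = $version
    SchemaLevel          = if ($schemaMap.ContainsKey($version)) { $schemaMap[$version] } else { 'not in table' }
    ForestMode           = $forest.ForestMode
    DomainMode           = $domain.DomainMode
    SchemaMaster         = $forest.SchemaMaster          # run adprep /forestprep here
    InfrastructureMaster = $domain.InfrastructureMaster  # run adprep /domainprep here
    OnSchemaMaster       = $forest.SchemaMaster -like "${env:COMPUTERNAME}.*"
} | Format-List

foreach ($g in $needed.GetEnumerator()) {
    [pscustomobject]@{
        Group   = $g.Key
        Sid     = $g.Value
        InToken = $tokenSids -contains $g.Value
    }
}
```

A group added to the account after logon does not appear in the token until the next logon, so InToken can be False for a membership that was just granted.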

You can change the forest functional level by using the Active Directory Domains and Trusts snap-in (domain.msc). Right click on the console root and select “Raise Forest Functional Level”.

In order to upgrade the domain functional level, right click on the domain root and select the “Raise Domain Functional Level” item.

Attention! AD schema changes and updates are always irreversible.

To update the forest-wide schema, run the command:

adprep /forestprep

After updating the forest schema, you should update the domain-wide AD schema:

adprep /domainprep

Wait until the command completes and check the schema version. The schema object version should change to 88.
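The schema partition is replicated to every domain controller in the forest, so the version check is worth repeating against each DC rather than only the one adprep ran on. The script below is an added example, not part of the original article; the Schema Admins listing at the end is a common hardening follow-up that the article itself does not mention.

```powershell
# Added example (not from the original article): confirm that every DC in the
# forest reports the new schema version after adprep has finished. Read-only.
Import-Module ActiveDirectory

$expected = 88   # Windows Server 2019, per the table on this page
$forest   = Get-ADForest
$schemaNC = (Get-ADRootDSE).schemaNamingContext

$report = foreach ($domainName in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        try {
            # Ask this specific DC for its own copy of the schema head object.
            $obj = Get-ADObject $schemaNC -Server $dc.HostName `
                       -Properties objectVersion -ErrorAction Stop
            [pscustomobject]@{
                Domain        = $domainName
                DC            = $dc.HostName
                ObjectVersion = $obj.objectVersion
                UpToDate      = ($obj.objectVersion -eq $expected)
            }
        } catch {
            # Unreachable DC: report it instead of silently skipping it.
            [pscustomobject]@{
                Domain        = $domainName
                DC            = $dc.HostName
                ObjectVersion = $null
                UpToDate      = $false
            }
        }
    }
}
$report | Sort-Object Domain, DC | Format-Table -AutoSize

# Accounts still in Schema Admins; membership granted only for this update
# can be removed once every DC shows UpToDate = True.
Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain -Recursive |
    Select-Object Name, SamAccountName, distinguishedName
```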

After that, you can deprovision the old DCs and transfer FSMO roles to the new DC.

If you are trying to perform an in-place upgrade of a Windows Server 2016-based domain controller to Windows Server 2019, you may receive the following error message:

Active Directory on this domain controller does not contain Windows Server 2019 ADPREP /FORESTPREP updates.

In this case, you need to manually upgrade your AD schema from version 87 to 88 using the following command:

adprep.exe /forestprep

Then in order to update your domain schema partitions, use the command:

Adprep.exe /domainprep

You can now return to the Windows Server 2019 Upgrade Wizard and continue to upgrade your DC operating system version.

Preparing Active Directory Schema for Exchange Server 2016

If you are deploying Microsoft Exchange in your organization, you need to extend the AD schema with Exchange-specific classes and attributes. To do this, you need the Exchange Server 2016 installation media.

Run an elevated command prompt and go to the directory with the Exchange installation files.

To extend the Active Directory schema for Exchange, run the command:

Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

If the installer could not find a domain controller with the Schema Master role, then it can be manually specified using the /DomainController parameter:

SETUP.EXE /PrepareSchema /DomainController:dc01.theitbros.com /IAcceptExchangeServerLicenseTerms

As a result of the schema extension procedure, the Active Directory objects will have new attributes related to Exchange Server.

Now we need to prepare Active Directory. This procedure consists of creating new Active Directory objects and containers that are required for Exchange Server 2016. The set of these containers, objects, and their properties is called an Exchange organization:

Setup.exe /PrepareAD /OrganizationName:"organization name" /IAcceptExchangeServerLicenseTerms

Finally, prepare all the domains in the forest:

Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms

Only then can you start the Exchange installation.

Cyril Kardashevsky
