Active Directory Schema Configuration

Upgrading Active Directory Schema

An Active Directory Schema is a description of all directory objects and attributes of the Windows domain. The AD schema reflects the basic structure of the catalog and is critical for its proper functioning. Typically, the AD schema is extended/upgraded for several reasons, the most common of which in many organizations is the implementation of an application that requires an extension of the schema (Exchange, Lync, SCCM) or when you add a new domain controller with a new version of Windows Server.

New versions of Microsoft OS contain new objects and attributes, so for their normal functioning as domain controllers, the administrator of the domain needs to update the Active Directory Schema. In this example, we will show you how to upgrade the AD schema version from Windows Server 2012 to Windows Server 2016.

To find out the current version of the Active Directory Schema, you can use the DSQuery utility:

dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion

Or the following PowerShell command:

Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion

Active Directory Schema

The result of the command is to get the ObjectVersion attribute, which is the version number of the Active Directory Schema. In our example, the schema version is 69, which corresponds to Windows Server 2012 R2.

The following table lists the correspondence between Windows Server versions and versions of the Active Directory Schema.

Windows Server OS   AD Schema Version
Windows 2000 13
Windows 2003 30
Windows 2003 R2 31
Windows 2008 44
Windows 2008 R2 47
Windows 2012 56
Windows 2012 R2 69
Windows Server 2016 87

Active Directory allows to use multiple domain controllers within the same organization with different versions of Windows OS (Windows Server 2008/R2, Windows Server 2012/R2, Windows Server 2016. Since these versions were released in different years, and each new version carries more functionality than the previous one, each operating system has its own schema version. Therefore, when you add a new Windows Server 2016-based controller to an organization where existing controllers are built on Windows Server 2012, you will need to update your organization’s AD schema to the level of Windows Server 2016.

In Windows 2008 R2 and lower, to successfully add the controller running a newer version of the OS – you have to manually update the forest and the domain schema version. In Windows Server 2012 and later, when you add a new domain controller, the schema is automatically updated.

Therefore, the easiest way to update the AD schema version from Windows Server 2012 to Windows Server 2016 is to install a new server with Windows Server 2016 and promote it to a domain controller by installing Active Directory Domain Service (AD DS) role.

upgrade Active Directory Schema

You can update the AD schema from Windows Server 2012 to 2016 manually without adding a new DC with WS2016. To do this, you will need an adprep utility on the installation media with Windows Server 2016. Run the command prompt with administrator privileges and go to the \support\adprep directory on the Windows Server installation disk.

cd f:\support\adprep

Note. Since Windows Server 2008 R2, the adprep utility is only 64-bit.

To perform the forest schema update, the adprep utility must be run on the DC with the FSMO role Schema Master. And to update the domain schema on the DC with the Infrastructure Master role.

To successfully upgrade the AD schema, your account must be in the following domain groups:

  • Schema Admins;
  • Enterprise Admins;
  • Domain Admins, in which the Schema Master is located.

Also pay attention to the modes of operation of the forest and domain. Domains in the AD forest can have different modes of operation, for example one of the domains can work on Windows 2016 mode, and the rest in Windows 2008 R2 mode. The forest scheme can not be higher than that of the oldest domain.

To update the forest-wide schema, run the command:

adprep /forestprep

After updating the forest schema, you should update the domain-wide schema:

adprep /domainprep

domainprep Active Directory Schema

Wait until the command completes and check the schema version, the schema object version should change to 87.

After that, you can de-provisioning the old DCs and transfer FSMO roles to the new DC.

You may also like:

AD Account Keeps Locking Out Sometimes there are situations when AD account keeps locking out, this happen when you try to log on to a domain computer and getting an error on the ...
Installing Active Directory Users and Computers MM... One of the main Active Directory domain management tools is the MMC snap-in Active Directory Users and Computers (ADUC). The ADUC snap-in is used to p...
Store BitLocker Recovery Keys using Active Directo... In a domain network, you can store the BitLocker recovery keys for encrypted drives in the Active Directory Domain Services (AD DS). This is one of th...
How to transfer FSMO Roles From a Failed Domain Co... In case domain controller, which owns FSMO (Flexible Single Master Operation) roles, is fail (virus attack, fatal software problems or catastrophic ha...
FSMO Role: Infrastructure Master We continue the series of articles about FSMO roles in the Active Directory domain. This time, we will take a closer look at the FSMO role — Infrastru...

Add Your Comment