Every new release of Windows Server adds new schema attributes to Active Directory. If your environment runs an earlier version of Active Directory, such as Windows Server 2012 R2, and you want to use the schema attributes that ship with Windows Server 2016, you must upgrade your existing schema to the Windows Server 2016 level. This article explains the approach to follow when upgrading the Active Directory schema in a production environment. While the schema upgrade itself is quite simple, a failure during the upgrade can cause downtime for your production environment.
Your first task is to ensure that the schema updates you are going to apply to production are tested in a test environment first. The test environment needs a domain controller running Windows Server 2012 R2 and a second domain controller, so that you can confirm the schema changes replicate. You run the ADPrep tool, located in the \Support folder of the Windows Server 2016 installation media. The following commands need to be executed to upgrade the schema:
Once you have executed these commands, verify the schema in Active Directory. To confirm that ADPrep /ForestPrep completed successfully, open ADSIEdit and check the value of the “Revision” attribute on the ActiveDirectoryUpdate container. The value must be 16.
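The lab run and the Revision check, scripted in PowerShell, as an added example that is not part of the original article. It assumes the Windows Server 2016 media is mounted as drive D: (adprep.exe sits in \support\adprep on the media) and that the account used holds Schema Admins, Enterprise Admins and Domain Admins membership; the drive letter and the function name Test-ForestPrepRevision are this example's own choices.

```powershell
# Added example (not from the article): run the Windows Server 2016 ADPrep
# steps in the lab forest, then confirm the ForestPrep revision marker that
# the article checks with ADSIEdit.
# Assumptions: 2016 media mounted as D: (assumed drive letter); the current
# account is a member of Schema Admins, Enterprise Admins and Domain Admins;
# the script runs on a 64-bit domain controller that can reach the schema master.
Import-Module ActiveDirectory

$media  = 'D:'   # assumed drive letter of the Windows Server 2016 media
$adprep = Join-Path $media 'support\adprep\adprep.exe'
if (-not (Test-Path $adprep)) { throw "adprep.exe not found at $adprep" }

# Forest-wide schema extension. Run once per forest against the schema master.
# /forestprep asks for interactive confirmation (type C and press Enter).
& $adprep /forestprep
if ($LASTEXITCODE -ne 0) { throw "adprep /forestprep failed with exit code $LASTEXITCODE" }

# Domain-level preparation. Run once for every domain in the forest.
& $adprep /domainprep
if ($LASTEXITCODE -ne 0) { throw "adprep /domainprep failed with exit code $LASTEXITCODE" }

# Same check as the ADSIEdit step in the article: the revision attribute of
# CN=ActiveDirectoryUpdate,CN=ForestUpdates in the Configuration partition
# must read 16 after a successful Windows Server 2016 ForestPrep.
function Test-ForestPrepRevision {
    param(
        [string]$Server   = $env:COMPUTERNAME,   # DC to query (defaults to the local DC)
        [int]   $Expected = 16
    )
    $configNC = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $dn  = "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNC"
    $rev = (Get-ADObject -Identity $dn -Server $Server -Properties revision).revision
    if ($rev -ne $Expected) {
        Write-Warning "ForestPrep revision on $Server is $rev, expected $Expected"
        return $false
    }
    Write-Host "ForestPrep revision on $Server is $rev as expected"
    return $true
}

# Check the DC the commands ran on first, then the second lab DC once
# replication has had time to complete (replace with the lab DC's name).
Test-ForestPrepRevision
Test-ForestPrepRevision -Server 'LAB-DC02'   # placeholder name for the second lab DC
```

Running the check against both lab domain controllers, rather than only the one where ADPrep ran, is what actually proves the schema change replicates, which is the reason the article asks for a second domain controller in the lab.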
Once you have tested the schema in the test environment, you can follow a controlled approach to upgrade the schema in production. Be aware that if you need to roll Active Directory back to the previous schema state, your only option is to restore the complete Active Directory forest. For that reason, the schema upgrade is performed in an isolated environment consisting of a single domain controller running Windows Server 2012 R2. The complete approach is outlined below:
Step 1: Create a new Active Directory site called “Schema-Upgrade.” This site is created in the production Active Directory forest.
Step 2: Move one production domain controller to the “Schema-Upgrade” AD site.
Step 3: Run KCC (Knowledge Consistency Checker) to ensure connection objects are created between the domain controller in the “Schema-Upgrade” site and domain controllers in the nearest locations. This step is required to ensure an Active Directory replication connection object has been created between domain controllers.
Step 4: Force replication to ensure a “Full Active Directory Replication Cycle” is completed.
Step 5: Remove the Active Directory connection objects between this domain controller and the other domain controllers. This ensures the schema update is applied only to the domain controller in the “Schema-Upgrade” AD site.
Step 6: Once the schema update is successful, verify the update by running the LDP.exe utility and performing the below steps:
Tip: The ObjectVersion attribute contains the schema version of the Active Directory forest. This attribute is modified when you upgrade the schema of the current Active Directory forest.
At this point, the schema update has been applied successfully to the domain controller in the “Schema-Upgrade” Active Directory site. Execute all necessary tests to ensure the new schema attributes have been populated successfully on that domain controller. Also check the System, Active Directory (Directory Service) and Application event logs to ensure no errors or warnings are reported. Once schema testing has passed, re-enable replication with the other domain controllers.
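The isolation procedure from Steps 1 to 6, together with the ObjectVersion check from the tip and the event-log review above, scripted with the ActiveDirectory PowerShell module and repadmin.exe. This is an added example and not the article's own code. The domain controller name DC-SCHEMA01 and the second lab name are placeholders; the function name Get-SchemaVersion is this example's own. Two details the article does not spell out are included and marked as such in the comments: the isolated domain controller must hold the Schema Master role, because ADPrep /ForestPrep writes to the schema master and it would otherwise be unreachable, and the KCC rebuilds deleted connection objects on its next run (about every 15 minutes), so replication on the isolated DC is additionally switched off with repadmin /options until testing is complete.

```powershell
# Added example (not from the article): Steps 1-6 of the production procedure.
# Assumptions: DC-SCHEMA01 is the 2012 R2 domain controller to isolate
# (placeholder name); the account used is a member of Schema Admins,
# Enterprise Admins and Domain Admins; repadmin.exe is on the PATH.
Import-Module ActiveDirectory

$isolatedDc = 'DC-SCHEMA01'      # placeholder: DC that will receive the schema update
$siteName   = 'Schema-Upgrade'
$configNC   = (Get-ADRootDSE -Server $isolatedDc).configurationNamingContext

# Step 1: create the site in the production forest (idempotent).
if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
    New-ADReplicationSite -Name $siteName
}

# Step 2: move the chosen domain controller into the new site.
Move-ADDirectoryServer -Identity $isolatedDc -Site $siteName

# Not in the article, but required: ADPrep /ForestPrep writes to the schema
# master, so that role must sit on the DC that will be isolated.
Move-ADDirectoryServerOperationMasterRole -Identity $isolatedDc `
    -OperationMasterRole SchemaMaster -Confirm:$false

# Step 3: run the KCC so connection objects to the nearest site are created.
repadmin /kcc $isolatedDc

# Step 4: full replication cycle for all partitions, pull then push.
repadmin /syncall $isolatedDc /Ade
repadmin /syncall $isolatedDc /AdeP

# Step 5: remove connection objects in both directions. Inbound connections
# live under the isolated DC's NTDS Settings object; outbound ones are the
# partners' connections whose fromServer points at that object.
$ntdsDn = (Get-ADDomainController -Identity $isolatedDc).NTDSSettingsObjectDN
$connections = Get-ADObject -LDAPFilter '(objectClass=nTDSConnection)' `
    -SearchBase $configNC -Properties fromServer |
    Where-Object { $_.DistinguishedName -like "*,$ntdsDn" -or $_.fromServer -eq $ntdsDn }
foreach ($conn in $connections) { Remove-ADObject -Identity $conn -Confirm:$false }

# Not in the article: the KCC recreates connection objects on its next run,
# so also block replication on the isolated DC until testing is finished.
repadmin /options $isolatedDc +DISABLE_INBOUND_REPL +DISABLE_OUTBOUND_REPL

# --- Run adprep /forestprep and /domainprep on $isolatedDc at this point. ---

# Step 6 / Tip: objectVersion of the Schema partition is the forest schema
# version. Windows Server 2016 corresponds to 87 (documented value, not from
# the article); compare the isolated DC with an untouched partner.
function Get-SchemaVersion {
    param([string]$Server)
    $schemaNC = (Get-ADRootDSE -Server $Server).schemaNamingContext
    (Get-ADObject -Identity $schemaNC -Server $Server -Properties objectVersion).objectVersion
}
"Schema version on $isolatedDc : $(Get-SchemaVersion -Server $isolatedDc)"
"Schema version on DC01        : $(Get-SchemaVersion -Server 'DC01')"   # placeholder partner

# Event-log review from the article: critical, error and warning entries in
# the last two hours on the isolated DC. An empty result is the expected outcome.
foreach ($log in 'System', 'Directory Service', 'Application') {
    Get-WinEvent -ComputerName $isolatedDc -FilterHashtable @{
        LogName = $log; Level = 1, 2, 3; StartTime = (Get-Date).AddHours(-2)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message
}

# Once testing has passed: re-enable replication and let the KCC rebuild the
# topology, then push the schema to the rest of the forest.
repadmin /options $isolatedDc -DISABLE_INBOUND_REPL -DISABLE_OUTBOUND_REPL
repadmin /kcc $isolatedDc
repadmin /syncall $isolatedDc /AdeP
```

Until the final three commands run, the schema change exists on one domain controller only; if the tests or the event logs show a problem, that domain controller can be demoted or rebuilt instead of restoring the whole forest, which is the point of the isolation.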
While the Active Directory schema upgrade process is very simple, requiring only a few commands on a domain controller, a failure in the upgrade may take your entire Active Directory environment down and force you to restore the forest using the Active Directory forest recovery procedures.