Considerations when upgrading Active Directory schema to Windows Server 2016

Every new release of Windows Server adds new schema attributes to Active Directory. If you are running an earlier version of Active Directory, such as Windows Server 2012 R2, and want to use the new schema attributes that ship with Windows Server 2016, you must upgrade your existing schema to Windows Server 2016. This article explains the approach to follow when upgrading the Active Directory schema in a production environment. While the schema upgrade process itself is quite simple, a failed schema upgrade can cause downtime for your production environment.

Test schema updates in test environment

Your first task is to ensure that the schema updates you are going to apply to the production environment have been tested in a test environment. The test environment needs a domain controller running Windows Server 2012 R2 and one more domain controller, so that you can confirm the schema changes replicate. You run the ADPrep tool, which is located in the \Support folder of the Windows Server 2016 media. The following commands upgrade the schema:

  • ADPrep /ForestPrep: Use this command to run a forest-wide schema update operation.
  • ADPrep /DomainPrep: Use this command to run a domain-wide schema update operation.

Once you have executed these commands, verify the schema in Active Directory. To confirm that ADPrep /ForestPrep completed successfully, open ADSIEdit and check the value of the “Revision” attribute on the ActiveDirectoryUpdate container; it must be 16.

Active Directory schema upgrade approach for a production AD forest

Once you have tested the schema in the test environment, you can follow a staged approach to upgrade the schema in the production environment. It is important to understand that if you later decide to return Active Directory to the previous schema state, your only option is restoring the complete Active Directory forest. For the update, you create an isolated environment containing a single domain controller running Windows Server 2012 R2 and apply the schema upgrade there. The complete approach is outlined below:

Step 1: Create a new Active Directory site called “Schema-Upgrade.” You create this site in the production Active Directory forest.

Step 2: Move one production domain controller to the “Schema-Upgrade” AD site.

Step 3: Run the KCC (Knowledge Consistency Checker) to ensure that connection objects are created between the domain controller in the “Schema-Upgrade” site and the domain controllers in the nearest sites, so that an Active Directory replication connection exists between them.

Step 4: Force replication to ensure a “Full Active Directory Replication Cycle” is completed.

Step 5: Remove the Active Directory connection objects to the other domain controllers. This ensures the schema update is applied only to the domain controller in the “Schema-Upgrade” AD site.
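Steps 1 to 5 scripted in PowerShell, as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory module and repadmin.exe are available on the machine you run it from, and $IsolatedDC is a constructed placeholder for the production domain controller you move into the new site; the Schema Master check and the final repadmin /options call go beyond the article's steps and are explained in the comments.

```powershell
# Added example (not from the article): stage the isolated "Schema-Upgrade"
# site described in Steps 1-5. $IsolatedDC is a placeholder.
Import-Module ActiveDirectory
$SiteName   = 'Schema-Upgrade'
$IsolatedDC = 'DC02'   # placeholder: the production DC to isolate
# Make every AD cmdlet in this script talk to the isolated DC itself.
$PSDefaultParameterValues['*-AD*:Server'] = $IsolatedDC

function Invoke-Repadmin {
    # Wraps repadmin.exe so a non-zero exit code stops the script.
    param([string[]]$Arguments)
    & repadmin.exe @Arguments | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "repadmin $($Arguments -join ' ') failed ($LASTEXITCODE)" }
}

# ADPrep /ForestPrep writes to the Schema Master, so once the DC is cut off
# from replication that role must already be on it (a check, not a move).
if ((Get-ADForest).SchemaMaster -notlike "$IsolatedDC.*") {
    throw "$IsolatedDC is not the Schema Master; move the role there before isolating it."
}

# Step 1: create the site if it does not already exist.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName
}

# Step 2: move the chosen DC into the new site.
Move-ADDirectoryServer -Identity $IsolatedDC -Site $SiteName

# Step 3: run the KCC so connection objects to the nearest DCs are built.
Invoke-Repadmin @('/kcc', $IsolatedDC)

# Step 4: force a full replication cycle to and from the isolated DC.
Invoke-Repadmin @('/syncall', $IsolatedDC, '/AdeP')

# Step 5: remove connection objects in both directions. The isolated DC's
# NTDS Settings DN identifies its inbound and outbound connections.
$ntds = "CN=NTDS Settings,CN=$IsolatedDC,CN=Servers,CN=$SiteName,"
Get-ADReplicationConnection -Filter * |
    Where-Object { $_.ReplicateToDirectoryServer   -like "$ntds*" -or
                   $_.ReplicateFromDirectoryServer -like "$ntds*" } |
    Remove-ADObject -Confirm:$false

# Beyond the article's Step 5: the KCC would otherwise recreate those
# connections, so also switch replication off on the DC until the schema
# work has been verified (reverse with -DISABLE_... afterwards).
Invoke-Repadmin @('/options', $IsolatedDC, '+DISABLE_INBOUND_REPL', '+DISABLE_OUTBOUND_REPL')
```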

Step 6: Once the schema update (the ADPrep commands described above) has completed successfully on the isolated domain controller, verify it by running the LDP.exe utility and performing the following steps:

  1. Run LDP.exe tool, go to Connection and then click on Bind.
  2. Click OK. Next click View, then Tree, and select the following LDAP path from the dropdown list: CN=Schema,CN=Configuration,DC=<DomainName>,DC=<Com>
  3. Click OK to run the LDP query against the above LDAP path.
  4. In the right pane, check the objectVersion attribute. If it is 87, the ADPrep command successfully extended the schema.

Tip: The objectVersion attribute holds the schema version of the Active Directory forest and is modified whenever you upgrade the forest schema.

At this point, the schema update has been applied successfully to the domain controller in the “Schema-Upgrade” Active Directory site. Execute all necessary tests to ensure the new schema attributes have been populated on that domain controller. Also check the System, Active Directory and Application event logs to ensure no errors or warnings are reported. Once schema testing has passed, re-enable replication with the other domain controllers.
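The verification in Step 6 and the follow-up checks above, as an added PowerShell example that is not part of the original article: it reads objectVersion (87) and the ForestUpdates Revision (16) directly from the isolated DC, confirms a second DC still shows the old values, pulls errors and warnings from the event logs, and provides a function to reconnect the DC once you are satisfied. $IsolatedDC and $ReferenceDC are constructed placeholders, and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example (not from the article): verify the schema update on the
# isolated DC and re-enable replication afterwards. Names are placeholders.
Import-Module ActiveDirectory
$IsolatedDC  = 'DC02'   # the DC in the Schema-Upgrade site
$ReferenceDC = 'DC01'   # any DC outside that site
$Expected    = @{ ObjectVersion = 87; ForestRevision = 16 }   # values from the article

function Get-SchemaState {
    # Reads the two markers the article checks, from one specific DC only.
    param([string]$Server)
    $cfg    = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $schema = Get-ADObject -Server $Server -Identity "CN=Schema,$cfg" -Properties objectVersion
    $forest = Get-ADObject -Server $Server -Identity "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$cfg" -Properties revision
    [pscustomobject]@{ Server = $Server; ObjectVersion = [int]$schema.objectVersion; ForestRevision = [int]$forest.revision }
}

function Enable-IsolatedDCReplication {
    # Reverse the isolation: clear the replication flags, rebuild topology, sync.
    param([string]$Server)
    repadmin /options $Server -DISABLE_INBOUND_REPL -DISABLE_OUTBOUND_REPL | Out-Host
    repadmin /kcc $Server | Out-Host
    repadmin /syncall $Server /AdeP | Out-Host
}

$iso = Get-SchemaState -Server $IsolatedDC
$ref = Get-SchemaState -Server $ReferenceDC
$iso, $ref | Format-Table -AutoSize | Out-Host

if ($iso.ObjectVersion -ne $Expected.ObjectVersion -or $iso.ForestRevision -ne $Expected.ForestRevision) {
    throw "$IsolatedDC is not at the Windows Server 2016 schema level; do not reconnect it."
}
if ($ref.ObjectVersion -eq $Expected.ObjectVersion) {
    Write-Warning "$ReferenceDC already shows objectVersion $($ref.ObjectVersion): the isolation did not hold."
}

# Errors and warnings in the logs the article names, since ADPrep was run.
$since  = (Get-Date).AddHours(-4)   # adjust to the time of your ADPrep run
$events = Get-WinEvent -ComputerName $IsolatedDC -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Directory Service', 'System', 'Application'; Level = 1, 2, 3; StartTime = $since }
if ($events) {
    $events | Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message | Out-Host
} else {
    Write-Host "No errors or warnings logged on $IsolatedDC since $since."
}

# Run this last, by hand, only after every check above has passed:
# Enable-IsolatedDCReplication -Server $IsolatedDC
```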

It’s simple — but be careful

While the Active Directory schema upgrade process is very simple, since you only run a few commands on a domain controller, a failure in the schema upgrade process may take your entire Active Directory environment down and require you to restore the Active Directory forest using the forest restore methods.

Nirmal Sharma

Nirmal Sharma is a MCSEx3, MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites.
