A Windows domain’s Active Directory schema defines every object class and attribute that can exist in the directory. Each class of object that can be created in an Active Directory forest (User, Printer, Computer, Group, Site, etc.) is defined in the schema, along with a formal definition of each attribute that can or should exist in an Active Directory object. The AD schema reflects the directory’s core structure and is essential to its successful operation. The AD schema is extended or upgraded for a variety of reasons. The most common are installing a new domain controller with a new version of Windows Server and deploying an application that requires a schema extension (products such as Microsoft Exchange, Lync/Skype for Business, or SCCM).
Because new versions of Windows Server introduce new object classes and attributes, the domain administrator must update the Active Directory schema so that servers running the new version can function as domain controllers. In this example, we’ll show you how to upgrade your Active Directory schema from Windows Server 2012 to Windows Server 2019.
How to Check Current AD Schema Version?
To find out the current version of the Active Directory Schema, you can use the DSQuery tool:
dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion
Or the following PowerShell command:
Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion
The command returns the value of the objectVersion attribute, which is the Active Directory schema’s version number. The schema version in our case is 69, which corresponds to Windows Server 2012 R2.
You may also use PowerShell to determine the current AD schema version:
Import-Module ActiveDirectory
Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion
The following table lists the correspondence between Windows Server versions and versions of the Active Directory Schema.
How to Upgrade AD DS Schema to Windows Server 2019?
Active Directory allows domain controllers running different versions of Windows Server (2008/R2, 2012/R2, 2016, 2019) to be used within the same organisation. Each operating system has its own schema version, since these versions were launched in different years and each new version offers greater capability than the previous one. As a result, if you add a new Windows Server 2019-based domain controller to an organisation with existing domain controllers running Windows Server 2012, you’ll need to upgrade your AD schema to Windows Server 2019.
The Active Directory schema in Windows Server 2019 contains only one new attribute, msDS-preferredDataLocation.
On Windows Server 2008 R2 and lower, you must manually update the forest and domain schema versions before you can properly install a domain controller running a newer Windows Server version. When you add a new domain controller in Windows Server 2012 and later, the schema is updated automatically.
Installing a new server running Windows Server 2019 and promoting it to a domain controller by installing the Active Directory Domain Services (AD DS) role is the simplest way to upgrade the AD schema version from Windows Server 2012 to Windows Server 2019.
You can also upgrade the AD schema from Windows Server 2012 to Windows Server 2019 manually, without having to create a new DC with WS2019. To do this, you’ll need the adprep utility from the Windows Server 2016 installation disc. Open a command prompt with administrator rights and go to the \support\adprep directory on the Windows Server installation disc.
Since Windows Server 2008 R2, adprep is available only as a 64-bit program.
To complete the forest schema change, adprep must be executed on the DC that holds the Schema Master FSMO role. To upgrade the domain schema version, log on to the DC that holds the Infrastructure Master role.
Your account must be a member of one of the following domain security groups to upgrade the AD schema successfully:
- Schema Admins;
- Enterprise Admins;
- Domain Admins of the domain in which the Schema Master is located.
Take note of the functional levels of the forest and domain. Domains in an AD forest can operate in different modes (functional levels). One of the domains, for example, can run at the Windows 2016 level while the others run at Windows 2008 R2. The forest functional level can’t be higher than that of the domain with the lowest functional level.
You can determine the domain and forest functional levels with cmdlets from the AD PowerShell module. To get the domain functional level, run:
Get-ADDomain | fl Name,DomainMode
To check the AD forest functional level, run:
Get-ADForest | fl Name,ForestMode
Using the Active Directory Domains and Trusts snap-in (domain.msc), you can raise the forest functional level. Right-click the console root and select “Raise Forest Functional Level”.
To raise the domain’s functional level, right-click on the domain root and choose “Raise Domain Functional Level.”
Attention! AD schema changes and updates are always irreversible.
To update the forest-wide schema, run the command:
After updating the forest schema, you should update the domain-wide AD schema:
Check the schema version when the command has finished. The objectVersion value of the schema should now be 88.
The previous DCs can then be decommissioned and the FSMO roles transferred to the new DC.
You may see the following error message if you try to upgrade a Windows Server 2016-based domain controller to Windows Server 2019 in-place:
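The checks from the manual procedure above, collected into one pre-flight script. This is an added example, not code from the article: it reports the schema version, functional levels, FSMO role holders and which of the listed groups are in the current token, and it runs adprep only when called with -Apply. The parameter names and the D:\support\adprep path are placeholders; /forestprep and /domainprep are adprep's standard switches.

```powershell
# Added example (not from the article). Assumes the RSAT ActiveDirectory module
# and an elevated prompt; parameter names and default path are hypothetical.
param(
    [string]$AdprepDir = 'D:\support\adprep',  # placeholder: installation media
    [int]$TargetVersion = 88,                  # value the article expects afterwards
    [switch]$Apply                             # without -Apply nothing is changed
)
Import-Module ActiveDirectory

function Get-SchemaVersion {
    $nc = (Get-ADRootDSE).schemaNamingContext
    (Get-ADObject $nc -Properties objectVersion).objectVersion
}
function Test-IsLocalHost([string]$Fqdn) {
    # Compare the short host name; -eq is case-insensitive for strings.
    ($Fqdn -split '\.')[0] -eq $env:COMPUTERNAME
}
$forest   = Get-ADForest
$domain   = Get-ADDomain
$smDc     = Get-ADDomainController -Identity $forest.SchemaMaster -Server $forest.SchemaMaster
$smDomSid = (Get-ADDomain -Identity $smDc.Domain).DomainSID.Value
$rootSid  = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value

# Well-known RIDs: 518 Schema Admins, 519 Enterprise Admins, 512 Domain Admins.
$groups = [ordered]@{
    'Schema Admins'     = "$rootSid-518"
    'Enterprise Admins' = "$rootSid-519"
    'Domain Admins'     = "$smDomSid-512"
}
$tokenSids = @([Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object Value)
$held = @($groups.Keys | Where-Object { $tokenSids -contains $groups[$_] })

[pscustomobject]@{
    SchemaVersion        = Get-SchemaVersion
    ForestMode           = $forest.ForestMode
    DomainMode           = $domain.DomainMode
    SchemaMaster         = $forest.SchemaMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    GroupsInToken        = $held -join ', '
} | Format-List

if ($held.Count -eq 0) { throw 'Token holds none of the groups listed in the article.' }
if ((Get-SchemaVersion) -ge $TargetVersion) { return 'Schema is already at the target version.' }
if (-not $Apply) { return 'Checks passed. Re-run with -Apply; schema changes are irreversible.' }
if (-not (Test-IsLocalHost $forest.SchemaMaster)) { throw "Run on the Schema Master: $($forest.SchemaMaster)" }
& (Join-Path $AdprepDir 'adprep.exe') /forestprep
if (Test-IsLocalHost $domain.InfrastructureMaster) { & (Join-Path $AdprepDir 'adprep.exe') /domainprep }
else { "Next: run 'adprep /domainprep' on $($domain.InfrastructureMaster)." }
"Schema version: $(Get-SchemaVersion) (expected $TargetVersion)."
```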
This domain controller’s Active Directory does not have the Windows Server 2019 ADPREP /FORESTPREP updates.
In this case, you need to manually upgrade your AD schema from version 87 to 88 using the following command:
Then in order to update your domain schema partitions, use the command:
Preparing Active Directory Schema for Exchange Server 2016
If you are deploying Microsoft Exchange in your organisation, you must extend the AD schema with the classes and attributes that Exchange requires. You’ll need the Exchange Server 2016 installation discs for this.
Go to the directory with the Exchange installation files using an elevated command prompt.
Run the following command to extend the Active Directory schema for Exchange:
Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
If the installer could not find a domain controller with the Schema Master role, then it can be manually specified using the /DomainController parameter:
SETUP.EXE /PrepareSchema /DomainController:dc01.solutionviews.com /IAcceptExchangeServerLicenseTerms
As a result of the schema extension, Active Directory objects will have new properties relating to Exchange Server.
Now it’s time to prepare Active Directory. This step creates the new Active Directory objects and containers that Exchange Server 2016 needs. An Exchange organisation is a collection of these containers, objects, and their attributes.
Setup.exe /PrepareAD /OrganizationName:"organization name" /IAcceptExchangeServerLicenseTerms
Finally, prepare all the domains in the forest:
Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms