In this post we are going to upgrade a Domain Controller from “Server 2016” to “Server 2019”; this is also known as an in-place upgrade. There are a few prerequisites. You will need to run adprep /forestprep and adprep /domainprep manually. Adprep /forestprep needs to be run only once in the forest. Adprep /domainprep needs to be run once in each domain in which you have domain controllers that you are upgrading to Windows Server 2016.
As Windows Server 2022 is also out now, an in-place upgrade from Server 2016 to Server 2022 is also possible if you are interested in doing that.
If you try to run the in-place upgrade process without running the adprep tool, you will get the following error, as shown in the image:
Active Directory on this domain controller does not contain Windows Server 2019 ADPREP /FORESTPREP updates.
Before starting the upgrade, let's verify the current OS version: press Windows + R, type “Winver” and run it. This shows the current OS version and build:
Verify Current AD Schema
Verify the current AD schema by opening PowerShell (in elevated mode) and running the following command:
Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion
You can see that objectVersion shows 87, which means we have the “Windows Server 2016” schema. Here is more information on the various schema numbers:
AD version | objectVersion |
Windows Server 2000 | 13 |
Windows Server 2003 | 30 |
Windows Server 2003 R2 | 31 |
Windows Server 2008 | 44 |
Windows Server 2008 R2 | 47 |
Windows Server 2012 | 56 |
Windows Server 2012 R2 | 69 |
Windows Server 2016 | 87 |
Windows Server 2019 | 88 |
Copy the Windows Server 2019 source to “c:\Server 2019”; this source contains the adprep utility under the support\adprep folder:
Open a command prompt (in elevated mode) and navigate to c:\Server 2019\support\adprep. Run the command “adprep.exe /forestprep”.
Type C and press Enter to continue with the upgrade of the schema. This will upgrade the current schema version from 87 to 88.
This process creates 2 log files under c:\windows\debug\adprep\logs\yyyymmddhhmmss with the names ADPrep.log & ldif.log.
ADPrep.log will show you the successful upgrade of the schema.
ldif.log will show you the attributes that have been added to the schema, such as ms-PKI-DPAPIMasterKeys, ms-PKI-RoamingTimeStamp and others.
Run “Adprep.exe /domainprep” to update the domain-wide information.
Let's begin the Windows Server 2019 in-place upgrade process by navigating to c:\Server 2019. Right-click setup.exe and select “Run as Administrator”.
The next page asks whether to get updates; let's select “Not right now” and click Next.
Select the image “Windows Server 2019 Datacenter (Desktop Experience)”, as our current operating system is Server 2016 Datacenter (Desktop Experience).
Under “Applicable notices and license terms”, click “Accept” to continue.
On the “Choose what to keep” page, select “Keep personal files and apps” to retain all files and applications, and click “Next”.
On the “Ready to Install” page, click “Install” to begin the in-place upgrade process.
This process will first extract the binaries under the hidden folder “c:\$WINDOWS.~BT”.
Once extracted, the system will reboot and the server upgrade process will start.
Once the upgrade process is completed, you can log in to the Domain Controller. Press Windows + R and run “Winver” to show the OS version. This will show the OS version as 1809 (i.e. Server 2019) and the build as 17763.xx.
In-place upgrade of domain controllers from Windows Server 2016 to Windows Server 2019
Windows Server 2019 is now available for installation. From experience I know that the first feature customers ask to migrate is Active Directory. So I wanted to try the in-place upgrade, which has been improved in Windows Server 2019. To try this feature, I upgraded a forest served by two domain controllers running Windows Server 2016. It was not a “click and enjoy” process, but Microsoft really has improved the in-place upgrade. Let's look at how to migrate a Windows Server 2016 DC to 2019.
Pre-migration steps
First, check the backup of your domain controller before migrating it. A consistent backup allows a quick rollback. This step is often forgotten, but it really matters. The following screenshot shows a backup of the domain controller made with Veeam.
Then run the following cmdlets to check where the FSMO roles are located. I do not want to upgrade the DC that owns the FSMO roles. Note the owner of the schema master role, because later we will run the adprep command against that server.
Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster
Then double-check the health of the domain controllers. Verify that replication is working normally, that the DCs are healthy, and so on. You can use the appropriate commands such as dcdiag, repadmin or Event Viewer.
For the migration (and only during the migration), add your Active Directory account to the Enterprise Admins and Schema Admins groups. This is required by adprep. When the migration is complete, remove your account from these groups.
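An added example (not the author's script) for the temporary group membership described above: it adds an account to Enterprise Admins and Schema Admins, records which memberships it actually added, and later removes exactly those, failing loudly if any remain. It assumes the ActiveDirectory module, that the account lives in the forest root domain (where both groups exist), and uses the placeholder account name adprep-operator.

```powershell
# Added example (not the author's script): grant Enterprise Admins / Schema Admins
# only for the adprep run, keep track of what was added, and remove it afterwards.
# Assumes the ActiveDirectory module and an account in the forest root domain.
Import-Module ActiveDirectory

$AdprepGroups = @('Enterprise Admins', 'Schema Admins')

function Grant-AdprepMembership {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Returns only the groups this call added, so that Revoke-AdprepMembership never
    # strips a membership the account already had before the migration.
    $existing = (Get-ADPrincipalGroupMembership -Identity $SamAccountName).Name
    $added = foreach ($g in $AdprepGroups) {
        if ($existing -notcontains $g) {
            Add-ADGroupMember -Identity $g -Members $SamAccountName
            $g
        }
    }
    return @($added)
}

function Revoke-AdprepMembership {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string[]]$Groups
    )
    foreach ($g in $Groups) {
        Remove-ADGroupMember -Identity $g -Members $SamAccountName -Confirm:$false
    }
    # Verify nothing was left behind: these groups should be empty at rest.
    $remaining = (Get-ADPrincipalGroupMembership -Identity $SamAccountName).Name |
        Where-Object { $AdprepGroups -contains $_ }
    if ($remaining) {
        throw "Account $SamAccountName is still a member of: $($remaining -join ', ')"
    }
}

# Usage ('adprep-operator' is a placeholder account name):
# $granted = Grant-AdprepMembership -SamAccountName 'adprep-operator'
# ... sign in again, then run adprep /forestprep and adprep /domainprep ...
# Revoke-AdprepMembership -SamAccountName 'adprep-operator' -Groups $granted
```

The new memberships only take effect in a fresh logon token, so sign in again between granting and running adprep; keeping the granted list in a variable rather than hard-coding the removal makes the cleanup idempotent and safe to rerun.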
Now the interesting part. Currently there is a bug in the adprep command from Windows Server 2019 build 17338. To run adprep, a certificate must be installed on all servers. Mount the Windows Server 2019 ISO file on a machine with a GUI. Navigate to <ISO Drive>:\Support\adprep. Right-click schupgrade.cat and select Properties. Then open the Digital Signatures tab and click Details. Next, click View Certificate. Click Certification Path and select the root CA certificate (the top one). Click View Certificate.
On the Details tab, click Copy to File. Save the certificate to a location of your choice.
Then add the certificate to the Trusted Root Certification Authorities store of each domain controller. I used MMC because my domain controllers are installed as Core edition. You can also use Windows Admin Center or PowerShell.
Don't forget: this part applies to the Windows Server 2019 preview and should be resolved in the final release.
Prepare the forest and the domain
Mount the Windows Server 2019 ISO file on the schema master owner. Then navigate to <ISO letter>:\support\adprep. Run the following command:
After the schema update, run the following command (this command must be run on all domain controllers):
Migrating the first domain controller
Connect to a domain controller that does not own any FSMO roles. Then mount the ISO file and run setup.exe.
Then choose whether to download updates now or not.
Then enter the product key.
Select the desired Windows Server 2019 edition (Core edition or not).
Accept the license agreement and click Next.
Then keep personal files and apps to run the in-place upgrade.
Once the wizard has checked the prerequisites, it should let you upgrade the operating system.
Upgrading the first DC took almost 30 minutes.
Migrating the second domain controller
Now that the first DC is upgraded, I am going to move the FSMO roles to it. To transfer the roles, I run the following script from the DC:
$Server = Get-ADDomainController -Identity "VMADS02"
Move-ADDirectoryServerOperationMasterRole -Identity $Server -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster
Then mount the ISO on the DC and run setup.exe. Follow the same procedure as for the first domain controller.
Once the migration is complete, you can transfer the FSMO roles back to the original owner:
$Server = Get-ADDomainController -Identity "VMADS01"
Move-ADDirectoryServerOperationMasterRole -Identity $Server -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster
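The two transfer scripts above move the roles but do not confirm where they landed. As an added example (not from the original post), this PowerShell function wraps the same Move-ADDirectoryServerOperationMasterRole call and then re-reads the forest and domain role holders to verify that all five roles sit on the target. It assumes the ActiveDirectory module; VMADS02 and VMADS01 are the DC names used in the post.

```powershell
# Added example (not from the original post): transfer all five FSMO roles to one DC
# and verify afterwards that every role really sits on that server.
# Assumes the ActiveDirectory module; VMADS02 / VMADS01 are the DC names from the post.
Import-Module ActiveDirectory

$AllRoles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

function Get-FsmoRoleHolders {
    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-AllFsmoRoles {
    param([Parameter(Mandatory)][string]$TargetDc)
    $server = Get-ADDomainController -Identity $TargetDc
    # Transfer, not seize: the current holders must be online, which is what we want
    # during a planned upgrade. -Force would be a seizure and is deliberately not used.
    Move-ADDirectoryServerOperationMasterRole -Identity $server -OperationMasterRole $AllRoles -Confirm:$false
    $holders = Get-FsmoRoleHolders
    $misplaced = @($AllRoles | Where-Object { $holders[$_] -ne $server.HostName })
    if ($misplaced.Count -gt 0) {
        throw "Roles not on $($server.HostName): $($misplaced -join ', ')"
    }
    return $holders
}

# Usage: Move-AllFsmoRoles -TargetDc 'VMADS02'
# After the other DC is upgraded: Move-AllFsmoRoles -TargetDc 'VMADS01'
```

The check compares against the DC's HostName (its FQDN), which is the form Get-ADForest and Get-ADDomain report for role holders.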
Don't forget to remove your account from the Enterprise Admins and Schema Admins groups.
Functional level
Currently there is no Windows Server 2019 functional level. At the moment I do not know whether Microsoft plans anything for a Windows Server 2019 functional level.
Conclusion
I had an issue that prevented migrating the second domain controller. If something blocks the in-place upgrade, you can open the folder c:\$Windows.~BT\Sources\Panther. This folder contains the file ScanResult.xml. When I opened this file, I saw the following:
A Microsoft PM told me how to solve this issue. To fix it, run the following commands:
bcdedit.exe /set flightsigning on
bcdedit /set {bootmgr} flightsigning on
Then run setup.exe again.
This post covers the steps to upgrade a domain controller running on Windows Server 2019 to Windows Server 2022. We will perform an in-place upgrade of a domain controller running on Windows Server.
An in-place upgrade is the solution if you want to keep the same hardware and all the server roles without flattening the server.
When you upgrade a domain controller, it allows you to go from an older operating system to a newer one while keeping your settings, server roles, and data intact.
This article can be used to perform an in-place upgrade of a domain controller running on Windows Server 2019 to Windows Server 2022.
Windows Server 2022 In-Place Upgrade Paths
When you plan to upgrade a domain controller on Windows Server, it is important to check the upgrade paths. For example, when you want to do an in-place upgrade of Server 2019 to Server 2022, you first check whether it's a supported upgrade path.
I had published a guide listing all the Windows Server 2019 in-place upgrade paths. Microsoft hasn't updated the in-place upgrade paths for Windows Server 2022 yet. You don't have to worry, as upgrading a domain controller from Windows Server 2019 to Windows Server 2022 is supported.
Info – Windows Server can typically be upgraded through at least one, and sometimes even two, versions. For example, Windows Server 2016 and Windows Server 2019 can both be upgraded to Windows Server 2022.
Pre-requisites for Upgrading Domain Controller
The following list covers a few prerequisites before you upgrade a domain controller from Windows Server 2019 to Windows Server 2022.
- Verify the target server meets system requirements – Most importantly, check the hardware requirements and confirm that your server can run smoothly after the upgrade.
- Verify application compatibility – There is no easy shortcut for this; you have to manually test the applications on a test server.
- Connectivity – Check connectivity to the target server from the computer where you plan to run the in-place upgrade.
- Back up your server before the upgrade – Microsoft recommends that you back up your operating system, apps, and virtual machines before you upgrade a domain controller.
- Download Windows Server 2022 – Windows Server 2022 is available for download in the Microsoft Evaluation Center. However, I recommend downloading the latest full version via Microsoft VLSC or a Visual Studio subscription.
Check the AD Schema Version
When you plan an in-place upgrade of a domain controller running on Windows Server, the schema version must be updated to the latest version.
You can quickly open PowerShell and run the following command to determine the current AD schema version.
Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion
In a separate post, I have covered multiple methods to find the Active Directory Schema version on Windows Server. The post also lists all the AD Schema versions with objectVersion Value.
The AD schema version of Windows Server 2022 and Windows Server 2019 is 88. So if you are upgrading the domain controller from Windows Server 2019 to Server 2022, you can skip the schema upgrade step, as there are no changes to the schema version.
Run Adprep /ForestPrep
adprep /forestprep prepares a forest for the introduction of a domain controller. You must run this command only once in the forest.
Ensure you run this command on the domain controller that holds the schema operations master role for the forest. You must be a member of all the following groups to run this command:
- Enterprise Admins group
- Schema Admins group
- Domain Admins group of the domain that hosts the schema master
If you run adprep /forestprep to upgrade the schema on a domain controller running Windows Server 2019, you see this:
Forest-wide information has already been updated. Adprep did not attempt to rerun this operation – This means you don't need to upgrade the schema, as it is already on the latest version.
Forest-wide information has already been updated.
[Status/Consequence]
Adprep did not attempt to rerun this operation
Run Adprep /DomainPrep
You run the adprep /domainprep command after the forestprep command finishes and after the changes have replicated to all the domain controllers in the forest.
If you run adprep /domainprep to upgrade the schema on a domain controller running Windows Server 2019, you see this:
Domain-wide information has already been updated. Adprep did not attempt to rerun this operation – This means you don't need to upgrade the schema, as it is already on the latest version.
Upgrade Domain Controller from Windows Server 2016 to Server 2022
If you are running the AD domain controller on Windows Server 2016 and you want to upgrade to Windows Server 2022, the schema version differs.
Windows Server 2016 has schema objectVersion 87, whereas the schema version of Windows Server 2022 is 88. Hence, you must run adprep.exe /forestprep to upgrade the schema to the latest version if you are upgrading from Server 2016 to Server 2019.
The adprep tool extends the Active Directory schema and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server 2016/2019 operating system.
To upgrade a domain controller on Windows Server, you need the Windows Server media. Copy the Windows Server 2022 ISO to the Windows Server and mount it.
From the Windows Server 2022 setup media, run setup.exe as administrator.
On the Install Windows Server screen click Next.
To upgrade the operating system to Windows Server 2022, enter the product key and click Next.
On the Select Image screen, select the correct operating system image. Here the Windows Server 2022 Datacenter (Desktop Experience) image is selected. Click Next.
For Applicable notices and license terms, click Accept.
On the Choose what to keep screen, select Keep files, settings and apps. If you want to remove the settings, files and apps, select Nothing. Click Next.
Note – Ideally, on a server running the domain controller role, you should not install applications, especially third-party software.
On the Ready to install window, click Install. This begins the Windows Server domain controller upgrade.
Your server will restart several times during the upgrade. It is best to leave the server as it is and let it complete the in-place upgrade.
The domain controller upgrade usually takes time to complete, depending on the size of your infrastructure. Several factors determine the time required to upgrade a domain controller.
After a couple of restarts, the Windows Server 2016 running the domain controller is upgraded to Windows Server 2022.
You can verify the Windows Server edition by opening About My PC. In the screenshot below, you see that the edition is Windows Server 2022 Datacenter and the version is 21H2.
And yes, the Windows.old folder is created on the C: drive after you perform the domain controller upgrade.
Prajwal Desai is a Microsoft MVP in Enterprise Mobility. He writes articles on SCCM, Intune, Configuration Manager, Microsoft Intune, Azure, Windows Server, Windows 11, WordPress and other topics, with the goal of providing people with useful information.
Question
I am trying to install 2019 on a 2016 domain controller, and I am posed with
But I don’t find ADPREP.exe on the current 2016 machine, but I was able to run ADPREP.msc and found below, but not an action to update. Since I haven’t installed 2019 yet, I am not sure why I am getting the above. Any ideas of what to do?
Answers
Edited by Dave Patrick (MVP), Sunday, April 7, 2019 10:16 PM. Marked as answer by AlaskanRogue, Monday, April 8, 2019 11:25 AM.
All replies
The Robert Smit blog was a great reference. Got me past the issue.
Glad to hear, you’re welcome.
Regards, Dave Patrick ….
Microsoft Certified Professional
Microsoft MVP [Windows Server] Datacenter Management
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
How to upgrade ADDS Schema to W2019 level
Windows Server 2019 reached GA although the certified hardware from equipment makers is yet to come (status at early October).
This ADDS version is different from the earlier ones because there are only a few new features. It's even more obvious where development currently resides (Azure AD). That said, the guideline for the upgrade process remains the same; detailed instructions can be found at this link. I wrote a blog post about the upgrade process a couple of years ago and things haven't changed since.
What's new in ADDS Windows Server 2019? Basically nothing, but at least something.
- One new attribute with an as-yet-unknown function (ms-DS-Preferred-Data-Location)
- No new functional levels (first time in ADDS history)
- Backward compatibility should be better than ever
- Improvement of handling ADDS version store (memory buffer for handling database transactions)
What’s new in Active Directory 2019
Active Directory ESE Version Store Changes in Server 2019
Assuming that you are already familiar with the prerequisites, options and recovery regarding the update, here is guidance for the manual process.
ADDS Schema Version Numbers
Version number | Operating System-level |
13 | 2000 |
30 | 2003 |
31 | 2003 R2 |
44 | 2008 |
47 | 2008 R2 |
56 | 2012 |
69 | 2012 R2 |
87 | 2016 |
88 | 2019 |
Performing ADDS Schema update
My own guidelines for performing a schema update are below. If I have the possibility and time to perform an ADDS forest recovery to an isolated environment, I nowadays select the “live” option for the update. If it works as expected in an identical restored environment, it will work in the production environment for sure.
Guidelines
- Perform an ADDS health check before committing updates
- Analyze schema classes and attributes: are there any custom classes and attributes added to the ADDS schema? A tool for the report can be found here
- Perform an ADDS forest recovery to an isolated environment and perform the schema update there first. It's a good way to practice the recovery process at the same time and verify that your backups are working
- Disaster Recovery Plan – DRP! This is mandatory in any environment and can save you in case of disaster
Commands
ADPREP is found on the installation media in the support\adprep folder.
In a production environment I'll either disable replication before committing changes or perform the update following Microsoft best practices (via the Server Manager installation wizard, aka the live option).
If the live option is selected, make sure that your ADDS Forest Recovery plan is up to date and you know what to do in case of a disaster. Depending on the schema update changes, the domain controller roles needed during the schema extension can vary; more information in the table below.
Replication can be disabled with the repadmin tool: “repadmin /options <DC NAME> +DISABLE_OUTBOUND_REPL”
Table of adprep commands, needed permissions and FSMO roles when performing AD DS schema extension
Run the forest-wide preparation – adprep /forestprep command
Run the domain-wide preparations
- adprep /domainprep
- adprep /rodcprep (if it has not been run earlier)
Validate the preparations and remember to enable replication if it was disabled
To determine whether adprep /forestprep completed successfully, you can use ADSIEdit and Event Viewer to verify the value of the “Revision” attribute of the ActiveDirectoryUpdate container.
Verify the following revision attribute values in Active Directory and the logs on the domain controllers after the adprep commands:
- CN=ActiveDirectoryUpdate,CN=ForestUpdates,CN=Configuration,DC=ForestRootDomain object is set to 16 (unchanged from W2016)
- CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,DC=ForestRootDomain object is set to 16 (W2016 = 15)
- CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,CN=Configuration,DC=ForestRootDomain object is set to 2 – set when rodcprep is executed
- Enable replication: repadmin /options <DC NAME> -DISABLE_OUTBOUND_REPL (optional)
Search for events 1898 and 1899 in the Directory Services log to find the events related to the schema update. There is only one new attribute, for the user, contact and group classes.
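As an added example (not the author's commands), the following PowerShell reads the revision attribute of the three ActiveDirectoryUpdate containers listed above, compares them with the values the post gives for Windows Server 2019, and pulls events 1898/1899 from the Directory Service log. It assumes the ActiveDirectory module and that it runs on, or is pointed at, a domain controller of the forest root domain.

```powershell
# Added example (not the author's commands): read the 'revision' attribute of the
# ActiveDirectoryUpdate containers after adprep and the schema-update events, and
# compare them with the values given in the post. Assumes the ActiveDirectory module
# and a DC of the forest root domain.
Import-Module ActiveDirectory

function Get-AdprepRevision {
    $root   = Get-ADRootDSE
    $config = $root.configurationNamingContext
    $domain = $root.defaultNamingContext      # forest root domain DN when run on a root DC
    $paths = @{
        ForestUpdates = "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$config"
        DomainUpdates = "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domain"
        RodcUpdates   = "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$config"
    }
    $result = @{}
    foreach ($name in $paths.Keys) {
        # A missing container (e.g. rodcprep never run) is reported as $null, not as an error.
        $obj = Get-ADObject -Identity $paths[$name] -Properties revision -ErrorAction SilentlyContinue
        $result[$name] = if ($obj) { [int]$obj.revision } else { $null }
    }
    return $result
}

function Test-AdprepRevision {
    param([hashtable]$Revision = (Get-AdprepRevision))
    # Expected values for Windows Server 2019 adprep, as listed in the post.
    $expected = @{ ForestUpdates = 16; DomainUpdates = 16; RodcUpdates = 2 }
    foreach ($k in 'ForestUpdates', 'DomainUpdates', 'RodcUpdates') {
        [pscustomobject]@{
            Container = $k
            Actual    = $Revision[$k]
            Expected  = $expected[$k]
            Ok        = ($Revision[$k] -eq $expected[$k])
        }
    }
}

function Get-SchemaUpdateEvents {
    # Events 1898/1899 in the Directory Service log describe the schema update.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 50)
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = 1898, 1899 } |
        Select-Object TimeCreated, Id, Message
}

# Usage: Test-AdprepRevision | Format-Table; Get-SchemaUpdateEvents | Format-List
```

Run Test-AdprepRevision on more than one DC (or with -Server on the cmdlets) to confirm the values have replicated before re-enabling outbound replication or starting the OS upgrade.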
Summary
Even though there are basically no new features or even new forest or domain levels, I always recommend updating your on-premises infrastructure to the latest version. The attribute which is created is ms-DS-Preferred-Data-Location, which might be related to the O365 Preferred Data Location feature that was published earlier this year.
Happy promoting:)
Hi folks, this is a very quick post where I will explain the steps to upgrade Active Directory from 2012 R2 to 2019.
If you are still running 2012 R2, you will be missing out on some of the features to integrate your on-prem AD into Azure Active Directory, so it's definitely a requirement to take advantage of Azure AD.
The biggest things that upgrading to 2019 will bring to the table are:
- Privileged Access Management
- Enables Azure Active Directory join for Windows 10 devices
- Connecting domain-joined devices to Azure AD for Windows 10 devices
- Enables Microsoft Passport for Work
- Deprecation of FRS and 2003 Functional levels
For more information, see https://docs.microsoft.com/en-us/windows-server/identity/whats-new-active-directory-domain-services
Upgrade the Schema
OK, so let's begin the process. The first step in upgrading Active Directory is to upgrade the schema in preparation for the upgrade. You need to upgrade the schema on the forest and on the domain which you are upgrading.
The first one that needs to be done is the forest. So you need to log on to a Domain Controller that is a member of the forest and run the following command:
adprep /forestprep
You need to confirm by typing C, and then the process will begin.
What is happening here is that .ldf files are being imported into the Active Directory database. These are basically changes to the database which support the new features. If you are interested, you can open these files and see what they contain.
Next we need to run the domain prep, which is pretty much the same thing but applies only to the domain-specific domain controllers.
The command to run is:
adprep /domainprep
Upgrade the Operating System
Now that we have done the prep work, we can begin the upgrade process. For this post I will be performing an in-place upgrade, since it's just one domain controller in my lab.
However, in a production environment I would highly recommend building new Active Directory controllers and then decommissioning your legacy domain controllers.
I won't bore you with the whole upgrade bit; it's pretty much a next, next, next job.
After the install has completed, log on to one of the upgraded domain controllers and run dcdiag. DCDiag is a tool used to check Active Directory and make sure that everything is working OK. If there are any problems, they need to be looked at and investigated before proceeding any further.
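Both the pre-migration health check earlier on this page (dcdiag, repadmin, Event Viewer) and the post-upgrade dcdiag run above come down to the same question: does anything fail? As an added example (not from either post), this PowerShell function runs dcdiag and repadmin and reduces their output to a pass/fail summary that can be recorded before moving on to the next DC. It assumes both tools are present, which they are on any server with the AD DS role; the function name is my own.

```powershell
# Added example (not from either post): a DC health check that runs dcdiag and
# repadmin and reduces their output to a pass/fail summary for review before
# continuing. Assumes both tools are installed (they ship with the AD DS role).

function Invoke-DcHealthCheck {
    param([string]$DcName = $env:COMPUTERNAME)

    # dcdiag /q prints only failing tests, so any "failed" line is a problem to investigate.
    $dcdiagOut      = & dcdiag.exe /s:$DcName /q 2>&1 | ForEach-Object { "$_" }
    $dcdiagFailures = @($dcdiagOut | Where-Object { $_ -match 'failed' })

    # repadmin /replsummary lists one "fails / total" pair per replication partner.
    $replOut   = & repadmin.exe /replsummary $DcName 2>&1 | ForEach-Object { "$_" }
    $replFails = 0
    foreach ($line in $replOut) {
        if ($line -match '\s(\d+)\s*/\s*(\d+)\s') { $replFails += [int]$Matches[1] }
    }

    [pscustomobject]@{
        DomainController = $DcName
        DcdiagFailures   = $dcdiagFailures
        ReplFailures     = $replFails
        Healthy          = ($dcdiagFailures.Count -eq 0 -and $replFails -eq 0)
    }
}

# Usage: Invoke-DcHealthCheck | Format-List
# Or for every DC in the domain:
# Get-ADDomainController -Filter * | ForEach-Object { Invoke-DcHealthCheck -DcName $_.HostName }
```

The stderr redirection and the string cast keep error records from the native tools from surfacing as PowerShell exceptions, so an unreachable DC shows up as a failed check rather than aborting the loop.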
Upgrade Forest Functional Level
Now that we have upgraded our Domain Controllers to Server 2019, we need to upgrade the Active Directory functional level to 2016 to fully take advantage of the new features.
Note that EVERY domain controller in your Forest has to be upgraded to 2016 before this can be done.
Open Active Directory Domains and Trusts and select “Raise Forest Functional Level”.
Select “Windows Server 2016” from the drop-down box. Note there isn't one for 2019, as there are no new major features for AD in 2019. Press OK to continue.
You should receive this message saying that the functional level was raised successfully.
Upgrade Domain Functional Level
To upgrade the domain functional level, open Active Directory Users and Computers (dsa.msc) and select “Raise domain functional level”.
Select “Windows Server 2016” from the drop-down box. Note there isn't one for 2019, as there are no new major features for AD in 2019.
You will receive a message saying that it is not reversible, which is kind of true. I presume you have backed up your AD before doing so? If not, go do it now before pressing that OK button.
If everything has gone to plan, you should see this message saying that the domain functional level was upgraded successfully.
Congrats, you are now ready to do some Azure AD integration and Azure domain joining.
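The post stresses that every DC in the forest must be on 2016 or later before the levels can be raised. As an added example (not the author's steps), this PowerShell enforces that check against the reported OperatingSystemVersion of every DC in every domain, and then raises the domain and forest functional levels to Windows Server 2016 with the ActiveDirectory cmdlets instead of the two GUI snap-ins. It assumes the ActiveDirectory module and Enterprise Admins rights; the function names are my own.

```powershell
# Added example (not the author's steps): verify every DC in the forest runs at least
# Windows Server 2016 before raising the functional levels to Windows2016, then raise
# them with the ActiveDirectory cmdlets instead of the GUI used in the post.
# Assumes the ActiveDirectory module and Enterprise Admins rights.
Import-Module ActiveDirectory

function Get-DcBelowVersion {
    # Windows Server 2016 reports OperatingSystemVersion "10.0 (14393)"; older releases are < 10.0.
    param([version]$Minimum = [version]'10.0')
    foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain |
            Where-Object {
                # A missing version (e.g. an unreachable DC) is treated as "too old" so it gets reviewed.
                -not $_.OperatingSystemVersion -or
                [version]($_.OperatingSystemVersion -replace '\s.*$') -lt $Minimum
            } |
            Select-Object HostName, OperatingSystem, OperatingSystemVersion
    }
}

function Set-FunctionalLevel2016 {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $old = @(Get-DcBelowVersion)
    if ($old.Count -gt 0) {
        throw "Refusing to raise levels; DCs below Windows Server 2016: $($old.HostName -join ', ')"
    }
    $forest = Get-ADForest
    # Domains first: the forest level cannot exceed the lowest domain level.
    foreach ($d in $forest.Domains) {
        if ($PSCmdlet.ShouldProcess($d, 'Raise domain functional level to Windows2016Domain')) {
            Set-ADDomainMode -Identity $d -DomainMode Windows2016Domain -Server $d -Confirm:$false
        }
    }
    if ($PSCmdlet.ShouldProcess($forest.Name, 'Raise forest functional level to Windows2016Forest')) {
        Set-ADForestMode -Identity $forest -ForestMode Windows2016Forest -Confirm:$false
    }
    # Report the resulting levels so the change can be recorded.
    [pscustomobject]@{
        Forest     = $forest.Name
        ForestMode = (Get-ADForest).ForestMode
        Domains    = foreach ($d in $forest.Domains) { Get-ADDomain -Identity $d | Select-Object Name, DomainMode }
    }
}

# Usage: Set-FunctionalLevel2016 -WhatIf   # dry run; drop -WhatIf to apply
```

Because raising a functional level is irreversible, the function supports -WhatIf so the version check and the planned changes can be reviewed first; the domains are raised before the forest because the forest level requires all domains to already be at that level.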
When upgrading a Windows Server installation that's also a Domain Controller, you may run into some issues that prevent the installation from continuing. For the duration of this post, I'll be focusing on one specific error: the ‘Active Directory on this domain controller does not contain Windows Server 2019 ADPREP /FORESTPREP updates.’ message, which completely prevents the installation from continuing.
Information:
In my particular case, I'm upgrading a Windows Server 2012 R2 installation to Windows Server 2019, and this server is also one of two domain controllers on the network. Running the Server 2019 installation media at first seems to work without an issue, but right before the installation begins, you're greeted with:
Active Directory on this domain controller does not contain Windows Server 2019 ADPREP /FORESTPREP updates.
This is because the schema version is too low for the installation to proceed; see below for the schema versions:
Windows Server Version | Schema Version |
Windows Server 2000 | 13 |
Windows Server 2003 | 30 |
Windows Server 2003 R2 | 31 |
Windows Server 2008 | 44 |
Windows Server 2008 R2 | 47 |
Windows Server 2012 | 56 |
Windows Server 2012 R2 | 69 |
Windows Server 2016 | 87 |
Windows Server 2019 | 88 |
To find your schema version before the installation, you can run the following PowerShell command:
Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion
Once the command has executed, your schema version will be displayed as ObjectVersion.
Upgrading the schema to let the Windows Server In-Place upgrade continue
The software to upgrade the schema comes with the Windows Server installation media; it is located under the ‘\support\adprep’ directory of the installation media/ISO.
cd I:\support\adprep
I:
Then type the following command to begin the forest schema upgrade:
adprep.exe /forestprep
The action will complete and a report on its operation will be displayed within the command prompt window; in my case the schema was upgraded from version 69 (Server 2012 R2) to version 88 (Server 2019).
There is one last command to execute before the Windows installation can proceed; you'll need to run the following command to update the domain-wide information:
Adprep.exe /domainprep
Begin Windows Server In-Place Upgrade
You're now free to begin the Windows Server in-place upgrade by running the setup.exe file located in the root directory of the Windows installation media. Be sure to choose ‘Download updates, drivers and optional features’, as this will ensure the smoothest possible installation.
That’s all!
An Active Directory schema is a description of all directory objects and attributes in a Windows domain. The schema contains the definitions of each class of objects that can be created in an Active Directory forest (User, Printer, Computer, Group, Site, etc.). Also, the schema contains formal definitions for each attribute that can or should exist in an Active Directory object. The AD schema reflects the basic structure of the directory and is critical for its proper functioning. Typically, the AD schema is extended/upgraded for several reasons. The most common is the implementation of an application that requires an extension of the schema (for products such as Microsoft Exchange, Lync/Skype for Business, SCCM) or when you add a second domain controller with a new version of Windows Server.
New versions of Microsoft OS contain new objects and attributes, so for them to function normally as domain controllers, the domain administrator needs to update the Active Directory schema. In this example, we will show how to update the AD schema version from Windows Server 2012 to Windows Server 2019.
How to Check Current AD Schema Version?
To find out the current version of the Active Directory Schema, you can use the DSQuery tool:
dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion
Or the following PowerShell command:
Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion
The command returns the ObjectVersion attribute value, which is the version number of the Active Directory Schema. In our example, the schema version is 69, which corresponds to Windows Server 2012 R2.
Also, you can find out the current AD schema version using PowerShell after importing the Active Directory module:
Import-Module ActiveDirectory
Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion
The following table lists the correspondence between Windows Server versions and versions of the Active Directory Schema.
Windows Server version | AD Schema objectVersion |
Windows 2000 | 13 |
Windows 2003 | 30 |
Windows 2003 R2 | 31 |
Windows 2008 | 44 |
Windows 2008 R2 | 47 |
Windows 2012 | 56 |
Windows 2012 R2 | 69 |
Windows Server 2016 | 87 |
Windows Server 2019 | 88 |
How to Upgrade AD DS Schema to Windows Server 2019?
Active Directory allows using multiple domain controllers within the same organization with different versions of Windows Server (2008/R2, 2012/R2, 2016, 2019). Since these versions were released in different years, and each new version carries more functionality than the previous one, each operating system has its own schema version. Therefore, when you add a new Windows Server 2019-based domain controller to an organization where the existing DCs are running Windows Server 2012, you will need to update your AD schema to the level of Windows Server 2019.
Note. The Windows Server 2019 version of the Active Directory schema has only one new attribute msDS-preferredDataLocation.
In Windows 2008 R2 and lower, to successfully add a controller running a newer Windows Server version, you have to manually update the forest and domain schema version. In Windows Server 2012 and newer, when you add a new domain controller, the schema is updated automatically.
Therefore, the easiest way to update the AD schema version from Windows Server 2012 to Windows Server 2019 is to install a new server running Windows Server 2019 and promote it to a domain controller by installing the Active Directory Domain Services (AD DS) role.
You can update the AD schema from Windows Server 2012 to 2019 manually without adding a new DC with WS2019. To do this, you will need the adprep utility from the installation media of Windows Server 2016. Run the command prompt with administrator privileges and go to the support\adprep directory on the Windows Server installation disk.
cd f:\support\adprep
Note. Since Windows Server 2008 R2, the adprep utility is only 64-bit.
To perform the forest schema update, the adprep utility must be run on the DC with the FSMO role Schema Master. To upgrade the version of the domain schema, log on to the DC with the Infrastructure Master role.
To successfully upgrade the AD schema, your account must be a member of the following Active Directory groups:
- Schema Admins;
- Enterprise Admins;
- Domain Admins of the domain in which the Schema Master is located.
Also, note the forest and domain functional levels. Domains in the AD forest can have different modes of operation (functional levels). For example, one of the domains can work in Windows 2016 mode, and the rest in Windows 2008 R2 mode. The forest functional level cannot be higher than that of the lowest-level domain.
You can find the domain and forest functional level using the PowerShell cmdlets from the PowerShell Active Directory module. To get the domain functional level, use the command:
Get-ADDomain | fl Name,DomainMode
To check the AD forest functional level, run:
Get-ADForest | fl Name,ForestMode
You can change the forest functional level by using the Active Directory Domains and Trusts snap-in (domain.msc). Right-click the console root and select “Raise Forest Functional Level”.
To upgrade the domain functional level, right-click the domain root and select “Raise Domain Functional Level”.
Attention! AD schema changes and updates are always irreversible.
To update the forest-wide schema, run the command:
adprep /forestprep
After updating the forest schema, you should update the domain-wide AD schema:
adprep /domainprep
Wait until the command completes and check the schema version. The schema object version should change to 88.
After that, you can decommission the old DCs and transfer the FSMO roles to the new DC.
If you are trying to perform an in-place upgrade of a Windows Server 2016-based domain controller to Windows Server 2019, you may receive the following error message:
Active Directory on this domain controller does not contain Windows Server 2019 ADPREP /FORESTPREP updates.
In this case, you need to manually upgrade your AD schema from version 87 to 88 using the following command:
adprep.exe /forestprep
Then in order to update your domain schema partitions, use the command:
Adprep.exe /domainprep
You can now return to the Windows Server 2019 Upgrade Wizard and continue to upgrade your DC operating system version.
Preparing the Active Directory Schema for Exchange Server 2016
If you are deploying Microsoft Exchange in your organization, you need to extend the AD schema and add custom classes and Exchange attributes. To do this, you need the Exchange Server 2016 installation media.
Run an elevated command prompt and go to the directory with the Exchange installation files.
To extend the Active Directory schema for Exchange, run the command:
Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
If the installer cannot find a domain controller with the Schema Master role, it can be specified manually using the /DomainController parameter:
SETUP.EXE /PrepareSchema /DomainController:dc01.theitbros.com /IAcceptExchangeServerLicenseTerms
As a result of the schema extension procedure, the Active Directory objects will have new attributes related to Exchange Server.
Now we need to prepare Active Directory. This procedure consists of creating the new Active Directory objects and containers that are required for Exchange Server 2016. By the way, the set of these containers, objects and their properties is called an Exchange organization:
Setup.exe /PrepareAD /OrganizationName:"organization name" /IAcceptExchangeServerLicenseTerms
It remains to prepare all the domains in the forest:
Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms
Only then can you start the Exchange installation.
I enjoy technology and developing websites. Since 2012 I have been running a few of my own websites, and I share useful content on gadgets, PC administration and website promotion.