Extending AD Schema After Joining a Server 2008 Domain Controller

  • Question

  • Recently, I went to work for a company that had joined a number of Server 2008 R2 domain controllers to their Server 2003 domain. The FSMO role holder is still a Server 2003 server and the schema was never extended. The following DOES NOT exist in ADSIEdit: CN=Windows2008Update,CN=ForestUpdates,CN=Configuration,DC=<Forest Root Domain>

    So, my question is, would extending the schema at this time, to prevent future problems, cause any damage? Is it too late to extend the schema? Or can I proceed to run adprep on the forest and domain levels.

     

    Thanks, 

    Ryan

    Monday, October 17, 2011 2:27 PM

Answers

  • Hi,

    As per your comments, I went to work for a company that had joined a number of Server 2008 R2 domain controllers to their Server 2003 domain.
    If you already have 2008R2 in domain that means the schema is already extended, 2003 server doesn't allow the 2008/R2 server without extending schema.

    The FSMO role holder is still a Server 2003 server.
    If you have any plan to decommission the 2003 servers then you will need to transfer the FSMO roles to 2008R2 server, make it as authoritative time server and GC, otherwise it's fine.

    Transfer or seize FSMO roles: http://support.microsoft.com/kb/255504
    Authoritative time server in Windows Server: http://support.microsoft.com/kb/816042

    Active Directory schema version numbers
    •Windows 2000 RTM with all Service packs = Schema version 13
    •Windows Server 2003 RTM with all Service packs = Schema version 30
    •Windows Server 2003 R2 RTM with all Service packs = Schema version 31
    •Windows Server 2008 RTM with all Service packs = Schema version 44
    •Windows Server 2008 R2 RTM with all Service packs = Schema version 47

    You can check the version in the registry:
    •Registry: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\<Schema Version>
    •dsquery: dsquery * CN=Schema,CN=Configuration,DC=Root-Domain -Scope Base -attr objectVersion
    •ADSIEdit: open ADSIEdit and navigate to "CN=Schema,CN=Configuration,DC=domain,DC=local", right-click "Properties" and locate "objectVersion" attribute value

    Regards,
    Abhijit Waikar.
    -------------------------------
    MCSA|MCSA:Messaging|MCTS|MCITP:SA
    My Blog: http://abhijitw.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.
    • Marked as answer by Yan Li_ Friday, October 21, 2011 2:01 AM
    Monday, October 17, 2011 4:24 PM
  • Objectversion 44 is Windows 2008 not Windows 2008 R2.

    If you are planning to add Windows 2008 R2,  you need to extend the schema.

    http://social.technet.microsoft.com/wiki/contents/articles/2903.aspx#comment-9068


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+| Houston, TX
    Blogs - http://blogs.sivarajan.com/

    This posting is provided AS IS with no warranties,and confers no rights.
    • Proposed as answer by Meinolf Weber Thursday, October 20, 2011 7:02 AM
    • Marked as answer by Yan Li_ Friday, October 21, 2011 2:01 AM
    Monday, October 17, 2011 4:36 PM
  • Okay, ran:

    dsquery * cn=schema,cn=configuration,dc=mydomain,dc=com -scope base -attr objectVersion

    And it was on version 44. So I guess it was extended.

    Thanks


    Yes, Schema ver 44 means it was extended for Windows 2008. For 2008R2, schema ver is 47 and you need to extend the schema.

    The Windows Server 2008 R2 media includes a 32-bit and 64-bit version of Adprep.exe. The 64-bit version runs by default. If you want to run one of the Adprep.exe commands on a 32-bit computer, use the 32-bit version of Adprep.exe (Adprep32.exe).

    Regards,
    Abhijit Waikar.
    -------------------------------
    MCSA|MCSA:Messaging|MCTS|MCITP:SA
    My Blog: http://abhijitw.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    • Marked as answer by Yan Li_ Friday, October 21, 2011 2:01 AM
    Tuesday, October 18, 2011 2:43 AM
  • If you see the info below, schema version 44 is for Windows 2008, not 2008 R2, so you need to extend the schema before you can add Windows 2008 R2 as a DC. Adding a 2008 R2 member server is not an issue in a Windows 2008 domain, but for adding 2008 R2 as a DC you need to extend the schema.

    Schema Version:

    Windows 2000    -> 13
    Windows 2003    -> 30
    Windows 2003 R2 -> 31
    Windows 2008    -> 44
    Windows 2008 R2 -> 47


    Regards


    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com
    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    • Proposed as answer by Meinolf Weber Thursday, October 20, 2011 7:02 AM
    • Marked as answer by Yan Li_ Friday, October 21, 2011 2:01 AM
    Tuesday, October 18, 2011 4:18 AM
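
The checks described in the answers above, combined into one PowerShell function as an added example (not code from any poster or from Microsoft). It reads objectVersion through ADSI, maps it onto the version table from this thread, and reports whether the CN=Windows2008Update object from the question exists; the function name, its parameters and the output property names are assumptions.

```powershell
# Schema version table exactly as listed in the answers on this page.
$SchemaVersions = @{
    13 = 'Windows 2000'
    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
}

# Hypothetical helper (name and parameters are assumptions, not a built-in cmdlet).
function Get-SchemaReadiness {
    param(
        [int]$TargetVersion = 47,   # 47 = Windows Server 2008 R2 per the table above
        [string]$Server             # optional: a specific DC to bind to
    )
    $prefix  = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $rootDse = [ADSI]"${prefix}RootDSE"
    $schemaNC = [string]$rootDse.Properties['schemaNamingContext'].Value
    $configNC = [string]$rootDse.Properties['configurationNamingContext'].Value

    # Same value the dsquery command in this thread returns.
    $schema  = [ADSI]"${prefix}$schemaNC"
    $current = [int]$schema.Properties['objectVersion'].Value

    # The object the question looked for in ADSIEdit.
    $markerPath   = "${prefix}CN=Windows2008Update,CN=ForestUpdates,$configNC"
    $markerExists = [System.DirectoryServices.DirectoryEntry]::Exists($markerPath)

    # Registry value named on this page; only present on a domain controller.
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                            -Name 'Schema Version' -ErrorAction SilentlyContinue
    $regVersion = if ($reg) { [int]$reg.'Schema Version' } else { $null }

    $name = if ($SchemaVersions.ContainsKey($current)) { $SchemaVersions[$current] }
            else { 'not in this page''s table' }

    [pscustomobject]@{
        SchemaNC                 = $schemaNC
        ObjectVersion            = $current
        SchemaLevel              = $name
        Windows2008UpdateExists  = $markerExists
        RegistrySchemaVersion    = $regVersion
        RegistryMatchesDirectory = ($null -eq $regVersion) -or ($regVersion -eq $current)
        NeedsAdprepForTarget     = $current -lt $TargetVersion
    }
}

Get-SchemaReadiness | Format-List
```

With the objectVersion of 44 reported in this thread and the default target of 47, NeedsAdprepForTarget comes back True.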

All replies

  • You can run the tool below to verify the schema version; it has to be 47 if you can add Windows 2008 R2 as a DC. If the schema has already been extended, then when trying to run the Adprep command again you will receive a message that the forest has already been prepared, so it is not going to run again.

    You can also run the query below to check the schema version.

    "dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion"

    Below link might help you.

    Upgrade from Windows 2000/2003 to 2008/2008 R2 Domain Controllers

    http://awinish.wordpress.com/2011/03/04/upgrade-from-windows-2003-to-20082008-r2-domain-controllers/ 

     

    Regards


    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    • Marked as answer by Yan Li_ Friday, October 21, 2011 2:00 AM
    • Unmarked as answer by Yan Li_ Friday, October 21, 2011 2:01 AM
    Monday, October 17, 2011 3:09 PM
  • You won’t be able to promote a Windows 2008 DC without extending the schema.

    >>> that had joined a number of Server 2008 R2 domain controllers to their Server 2003 domain

    Do you have Windows 2008 R2 DC already in Windows 2003 Domain? 

    Anyway, verify the Schema version using the following procedure and post the ObjectVersion output here.

    http://portal.sivarajan.com/2010/03/active-directory-schema-version.html

    http://portal.sivarajan.com/2011/06/verifing-adprep-domainprep-result.html


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+| Houston, TX
    Blogs - http://blogs.sivarajan.com/

    This posting is provided AS IS with no warranties,and confers no rights.
    • Proposed as answer by Meinolf Weber Thursday, October 20, 2011 7:02 AM
    • Marked as answer by Yan Li_ Friday, October 21, 2011 2:01 AM
    • Unmarked as answer by Yan Li_ Friday, October 21, 2011 2:01 AM
    Monday, October 17, 2011 3:12 PM
  • Okay, ran:

    dsquery * cn=schema,cn=configuration,dc=mydomain,dc=com -scope base -attr objectVersion

    And it was on version 44. So I guess it was extended.

    Thanks

    Monday, October 17, 2011 4:19 PM