Exchange 2016: Prepare Active Directory
This blog walks through the process of updating the schema, Active Directory and domains for Exchange 2016. The same steps can be used for any cumulative update or any current Exchange Server version.
PrepareSchema
Disable the replication on the schema master domain controller
repadmin /options SchemaMasterDCName +DISABLE_OUTBOUND_REPL
repadmin /options SchemaMasterDCName +DISABLE_INBOUND_REPL
Verification:
Open Event Viewer and check the Directory Services logs for event IDs 1115 and 1113.
Install RSAT AD tools using Windows PowerShell to run AD update and preparation commands from Exchange 2016 server:
Install-WindowsFeature RSAT-ADDS
If you have already installed it from the GUI then you will see the below Exit Code and Feature Result.
Run Exchange 2016 Schema Update
.\setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
Restart the DC once schema update completes.
Test that the DC is working with the following tools:
-Run Dcdiag; the replication test will fail, which is expected because we have disabled replication
-Open mmc, connect to the schema and confirm that it opens without errors
-Open ADUC and see if you can access the AD objects
Run the command to check the schema level.
dsquery * CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=<Domain>,dc=<local> -scope base -attr rangeUpper
Example: dsquery * CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=mig2016,dc=com -scope base -attr rangeUpper
Now verify the returned rangeUpper value at the Microsoft TechNet link here.
If the result is healthy, enable replication on the schema master domain controller by running the following commands:
repadmin /options SchemaMasterDCName -DISABLE_OUTBOUND_REPL
repadmin /options SchemaMasterDCName -DISABLE_INBOUND_REPL
AD replication and verification:
-Open Active Directory Sites and Services and force the replication.
-Wait for the replication to complete.
-Open the command prompt and run the following command to sync all domain controllers:
repadmin /syncall /force
-Open the command prompt and run the following commands to review the replication and any failures or errors:
repadmin /replsum
repadmin /showrepl
Dcdiag /v
If you find that the Active Directory database on the domain controller has been corrupted, keep replication disabled and report a bug to Microsoft.
Once the issue has been reported and Microsoft has collected all the reports, format this domain controller and seize the FSMO roles on another domain controller. Then wait for Microsoft’s resolution or a revised version of Exchange.
Remember that you can’t revert an FSMO seizure.
Verification:
Open Event Viewer and check the Directory Services logs for event IDs 1114 and 1116.
AD schema update has completed.
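A post-change check for the PrepareSchema steps above, written as an added example (not part of the original post): it reads the replication flags, the rangeUpper value and the four event IDs from the schema master, so a schema master left isolated is caught before the change is closed. The parameter names and the 24-hour lookback are assumptions; $ExpectedRangeUpper must be taken from Microsoft's schema version table for your build.

```powershell
# Added example, not from the original post. Needs the RSAT-ADDS tools
# installed earlier (ActiveDirectory module and repadmin).
param(
    [Parameter(Mandatory)] [int] $ExpectedRangeUpper,  # from Microsoft's schema version table
    [int] $LookbackHours = 24                           # assumption: length of the change window
)
Import-Module ActiveDirectory

$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

# 1. Replication flags: repadmin /options prints the current DSA options of the DC.
$options  = repadmin /options $schemaMaster | Out-String
$flagsSet = [regex]::Matches($options, 'DISABLE_(IN|OUT)BOUND_REPL') |
    ForEach-Object { $_.Value } | Sort-Object -Unique

# 2. Schema version, read from the schema master (same object the dsquery command reads).
$versionDn  = "CN=ms-Exch-Schema-Version-Pt,$schemaNC"
$rangeUpper = (Get-ADObject -Server $schemaMaster -Identity $versionDn -Properties rangeUpper).rangeUpper

# 3. Audit trail: 1113/1115 are logged on disable, 1114/1116 on re-enable (per the steps above).
$events = Get-WinEvent -ComputerName $schemaMaster -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 1113, 1114, 1115, 1116
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} | Sort-Object TimeCreated
$lastEvent = $events | Select-Object -Last 1

$result = [pscustomobject]@{
    SchemaMaster        = $schemaMaster
    RangeUpper          = $rangeUpper
    SchemaVersionOk     = ($rangeUpper -eq $ExpectedRangeUpper)
    FlagsStillSet       = ($flagsSet -join ',')
    ReplicationRestored = (-not $flagsSet)              # authoritative: no DISABLE_* flag left
    LastReplEventId     = $lastEvent.Id                 # informational: expect 1114 or 1116
    LastReplEventTime   = $lastEvent.TimeCreated
}
$result | Format-List

# Non-zero exit so a change-control job fails if the DC is still isolated
# or the schema version is not the expected one.
if (-not ($result.SchemaVersionOk -and $result.ReplicationRestored)) { exit 1 }
```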
PrepareAD
Important note: No Exchange Server 2013 roles have been detected in this topology. After this operation, you will not be able to install any Exchange Server 2013 roles.
In my setup there is Exchange 2010 and no Exchange 2013, so the Exchange AD preparation is informing us that Exchange 2013 can’t be installed after we run this command.
If you have any plan or application compatibility requirement to install Exchange 2013, make sure to do it before starting the Exchange 2016 schema update.
Run the following Exchange 2016 Active Directory preparation command:
.\setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms /OrganizationName:orgname
PrepareAD has completed here.
PrepareDomain
In a multi-domain Active Directory forest, we can either run /PrepareDomain to update one domain at a time or use /PrepareAllDomains to update all domains in one go.
Run the following Exchange 2016 Domain Preparation command:
.\setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms
Domain Preparation has completed here.
We can again test and run the Active Directory health checks.
This completes Exchange 2016 Active Directory Preparation.
Microsoft MVP | Exchange Server
Team@MSExchangeGuru
October 10th, 2015 at 10:35 am
You mentioned restarting the DC after schema update… I have never done that. What is the reason behind that recommendation?
October 10th, 2015 at 2:23 pm
I would recommend a restart to see if the restart breaks anything. You don’t wish to break your AD forest and do forest recovery.
December 28th, 2015 at 6:53 am
Sir,
Can I install Exchange Server 2016 on Windows Server 2012 R2 Standard which is already running Active Directory on it?
Regards,
Rahul Salve.
December 28th, 2015 at 7:35 am
It will work. You can do it in your lab but it is neither recommended nor supported in production.
June 21st, 2016 at 5:05 pm
When we went to Exch 2010, we only did the schema extension at the forest root and not at the child domains. We are about to go to Exch 2016. As we have some mailboxes in a couple of our child domains, can we do the /preparealldomains if some of the child domains didn’t get extended to 2010? Thanks for your reply.
June 23rd, 2016 at 4:31 pm
There is only one schema master DC in the whole forest, which exists in the root domain, so we just need to update this DC. So you are fine with it.
Next 2 commands are required after this.
Required at the root domain – .\setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms /OrganizationName:orgname
Then you have 2 choices
Either run this in every domain – .\setup.exe /PrepareDomain /IAcceptExchangeServerLicenseTerms
or
Run this command at the root domain to update all domains – .\setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms
I hope it clarifies any doubt.
July 7th, 2016 at 3:42 pm
You run Exchange 2016 Schema Update: .\setup.exe /Prepareschema /IacceptExchangeServerLicenseTerms on the DC or from another machine?
Can you execute the procedure within a service window without affecting users?
Regards
July 7th, 2016 at 3:55 pm
You can run the command from any server, DC or Exchange or Management server. Your server should have the prerequisites installed.
Yes this will not impact anything but I recommend to run post business hours.
December 1st, 2016 at 11:52 am
Thanks Prabhat, this is a really good guide, the best I could find after a lot of searching. I used these to update our Schema today.
After doing our upgrade I noticed this post which stated MS no longer support/advocate turning off replication to/from the Schema Master
https://blogs.technet.microsoft.com/samdrey/2011/09/12/active-directory-schema-upgrade-procedure-with-back-out-plan/
All went well for me but I did see an Event log entry referencing a connection being made to a GC when I had the replication link down. After I re-enabled the replication a number of the site links were rebuilt by the KCC.
Also wondering if it’s overkill to disable replication when doing setup /PrepAD
Thanks,
Michael
December 9th, 2016 at 3:59 am
Disabling replication was suggested to one of my premier customers in Australia by Microsoft, where the customer was following a practice of isolating a schema master.
Many organizations’ security policies do not allow updating the schema without isolating the domain controller, and if you remove the network cable or disable the NIC then some of the prechecks will not complete.
I don’t see any harm in disabling replication of schema master during schema update. You can permanently remove this DC from the network if schema update corrupts the active directory.
I would respectfully ignore the blog shared by this Microsoft PFE because there is no reasoning provided.
January 19th, 2017 at 9:40 am
Hi Prabhat, Thanks for the nice article. This is what exactly I was looking for.
I have one question. Does the server where the schema update is run need to be in the same AD site as the Schema master? Thanks, Srini
January 21st, 2017 at 3:44 am
Yes