One of the first technical steps in introducing Windows Server 2025 Domain Controllers is updating the Active Directory schema. The schema acts as Active Directory’s “blueprint”, defining all object types and attributes. Each new Windows Server version that functions as a DC may introduce new attributes or object classes to support emerging features. To prepare our 2016-based AD environment to host Windows Server 2025 DCs, we must run the ADPREP utility to extend the schema.


This part focuses on safely executing ADPREP /forestprep and ADPREP /domainprep to update the schema and domain-wide information. We’ll walk through the best practices for executing these changes and how to verify success at each stage.

Understanding Schema Updates and Why ADPREP Is Required

Schema updates modify the rules of what your directory can understand. Windows Server 2025 increases the schema version to 91 (from version 87 or 88 in Server 2016/2019). These changes are embedded in .ldf files within the installation media for Server 2025. Running ADPREP ensures these changes are safely applied.

If you attempt to promote a 2025 server to a domain controller without updating the schema, the promotion process will fail due to mismatched versions. While the DC promotion wizard can automatically apply schema updates, executing ADPREP manually gives you more control, visibility, and an opportunity to handle issues proactively.

Preparation Checklist Before Running ADPREP

1. Identify the Schema Master

ADPREP must be run on the Domain Controller that holds the Schema Master FSMO role. Use the following command to confirm which DC holds the FSMO roles:

netdom query FSMO

2. Use Proper Credentials

Log in to the Schema Master using an account that is a member of both Schema Admins and Enterprise Admins. Domain Admin alone is not sufficient for schema changes.

3. Optional: Disable Outbound Replication (Safety Best Practice)

To protect your environment in case of failure, disable outbound replication temporarily on the Schema Master:

repadmin /options SchemaMasterDCName +DISABLE_OUTBOUND_REPL

This isolates the schema update to a single DC, allowing recovery if something goes wrong.

4. Mount the Windows Server 2025 ISO

Make the installation media for Windows Server 2025 accessible on the Schema Master. If it’s a VM, mount the ISO file as a virtual drive. The ADPREP utility is located at:

\support\adprep

Assuming the ISO is mounted as drive D:, the ADPREP path would be D:\support\adprep.

Running ADPREP /FORESTPREP

  1. Open an elevated Command Prompt on the Schema Master DC.
  2. Navigate to the ADPREP directory and run the command:

D:

cd \support\adprep

adprep.exe /forestprep

Watch the output carefully. You should see a message confirming:

Adprep successfully updated the forest-wide information.

This means the schema has been extended. You may also see the new schema version displayed (expected to be version 91).

Verifying Schema Update

To confirm the new schema version, run the following in PowerShell:

(Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion).objectVersion

Expect to see 91 returned for Windows Server 2025.

Running ADPREP /DOMAINPREP

Now prepare the domain-wide settings. You can perform this on the Schema Master (if it’s also a DC in the domain), or on the DC that holds the Infrastructure Master FSMO role:

adprep.exe /domainprep

The output should indicate:

Adprep successfully updated the domain-wide information.

Optionally, verify the domainprep log located at:

C:\Windows\Debug\adprep\logs\domainprep.log

Re-Enable Replication and Sync Schema Changes

If you disabled outbound replication earlier, now re-enable it:

repadmin /options SchemaMasterDCName -DISABLE_OUTBOUND_REPL

(The minus sign "-" removes the disable flag.)

Force immediate replication across the enterprise:

repadmin /syncall /e /P

This ensures all DCs receive the updated schema.
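
To confirm this rather than assume it, the following added example (not part of the original post) queries every DC in the forest for its schema version and checks that the DISABLE_OUTBOUND_REPL option is no longer set on any of them. It assumes the ActiveDirectory PowerShell module is available; the variable names are illustrative.

```powershell
# Added example: verify schema convergence and replication options on every DC.
# Assumes the ActiveDirectory (RSAT) module and read access to each DC.
Import-Module ActiveDirectory

$ExpectedVersion     = 91    # schema version for Windows Server 2025, per this article
$DisableOutboundRepl = 0x4   # DISABLE_OUTBOUND_REPL bit in the NTDS Settings 'options' attribute

$forest   = Get-ADForest
$schemaNC = (Get-ADRootDSE).schemaNamingContext

$results = foreach ($domain in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        try {
            # Ask this specific DC for its own copy of the schema head object
            $schema = Get-ADObject -Identity $schemaNC -Properties objectVersion `
                                   -Server $dc.HostName -ErrorAction Stop
            # The replication option flags live on the DC's NTDS Settings object
            $ntds   = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options `
                                   -Server $dc.HostName -ErrorAction Stop
            [pscustomobject]@{
                DC               = $dc.HostName
                IsSchemaMaster   = ($dc.HostName -eq $forest.SchemaMaster)
                SchemaVersion    = $schema.objectVersion
                SchemaCurrent    = ($schema.objectVersion -eq $ExpectedVersion)
                OutboundDisabled = [bool]([int]$ntds.options -band $DisableOutboundRepl)
                Error            = $null
            }
        }
        catch {
            # An unreachable DC is reported as a problem, not silently skipped
            [pscustomobject]@{
                DC = $dc.HostName; IsSchemaMaster = $null; SchemaVersion = $null
                SchemaCurrent = $false; OutboundDisabled = $null
                Error = $_.Exception.Message
            }
        }
    }
}

$results | Format-Table -AutoSize

$problems = $results | Where-Object { $_.Error -or -not $_.SchemaCurrent -or $_.OutboundDisabled }
if ($problems) {
    Write-Warning ("{0} DC(s) need attention: {1}" -f @($problems).Count, ($problems.DC -join ', '))
} else {
    Write-Output "All DCs report schema version $ExpectedVersion with outbound replication enabled."
}
```

A DC that still shows OutboundDisabled as True after the update is not sending password changes, lockouts or group membership changes to its partners, so treat that result as something to fix before moving on.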

Real-World Insight

Schema updates can feel daunting, but they’re a common and stable operation when performed correctly. Problems usually stem from skipped prerequisites, like unhealthy replication or missing permissions. By isolating the Schema Master temporarily and following a structured approach, we dramatically reduce the risk.

At this point, your AD schema is updated to Windows Server 2025. The groundwork is complete, and your environment is ready to introduce Server 2025 domain controllers—something we’ll tackle in Part 3.

Onward!

Cristal Kawula – Checkyourlogs.net