Exchange Team Blog

Active Directory schema extension issue if you use a Windows Server 2025 schema master role

Nino_Bilic
Oct 09, 2025

Working with our Windows Team counterparts, we have become aware of a specific set of circumstances that might affect Active Directory replication in your on-premises environment after you install a recent Exchange Server CU (Cumulative Update), such as Exchange 2019 CU15 or Exchange SE RTM.

This issue can happen ONLY if a Windows Server 2025 domain controller holds the schema master FSMO role in your environment. Environments where Windows Server 2025 domain controllers hold other roles are not impacted.

The issue

A Windows Server 2025 schema master FSMO role holder might create duplicate schema attribute values after an Exchange Server CU is installed. After this happens, your AD replication might start failing with the following Application log events:

Error 8418: The replication operation failed because of a schema mismatch between the servers involved.

Warning 1203 (NTDS Replication): The local domain controller could not replicate the following object from the source domain controller at the following network address because of an Active Directory schema mismatch.

Additionally, tools like repadmin /showrepl would show AD replication issues.

The Windows Team has documented this as a known issue in KB5065426 (please see ‘Known issues in this update’).

How to prevent this problem

To avoid this issue, ensure that a Windows Server 2025 domain controller is not your schema master FSMO role holder before you install an Exchange Server CU (including Exchange SE RTM). Windows Server 2025 domain controllers can exist in the environment, but they should not hold the schema master FSMO role.
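As an added example (not code from the blog post or from Microsoft), a PowerShell pre-flight check that reports which DC holds the schema master role and what it runs, optionally moves the role to a non-2025 DC when the assumed -TransferTo parameter is given, and a post-install query for the 8418/1203 events described above. It assumes the ActiveDirectory RSAT module, rights to read forest data and, for the transfer, Schema Admins membership.

```powershell
# Pre-flight check before running Exchange Server CU / SE setup (added example).
# Requires the ActiveDirectory module (RSAT) and permission to read forest data.
Import-Module ActiveDirectory

function Test-SchemaMasterForExchangeSetup {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: FQDN of a non-2025 DC to receive the Schema Master role.
        [string]$TransferTo
    )
    $forest       = Get-ADForest
    $schemaMaster = Get-ADDomainController -Identity $forest.SchemaMaster

    Write-Host ("Schema master: {0} running {1} ({2})" -f
        $schemaMaster.HostName, $schemaMaster.OperatingSystem, $schemaMaster.OperatingSystemVersion)

    if ($schemaMaster.OperatingSystem -like '*Windows Server 2025*') {
        Write-Warning "Schema master is Windows Server 2025: do NOT run Exchange CU/SE setup until the role is moved (KB5065426)."
        if ($TransferTo) {
            $target = Get-ADDomainController -Identity $TransferTo
            if ($target.OperatingSystem -like '*Windows Server 2025*') {
                throw "Target $TransferTo is also Windows Server 2025; choose a different DC."
            }
            # Transfer (not seize) the Schema Master role to the chosen DC.
            Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole SchemaMaster -Confirm:$false
            Write-Host "Schema master transferred to $($target.HostName). Verify with: netdom query fsmo"
        }
        return $false
    }
    return $true   # safe to run Exchange setup as far as this check is concerned
}

# Post-install check: look for the schema-mismatch replication events the post lists.
function Get-SchemaMismatchEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    # Both logs are queried; a missing log or no matching events is not treated as an error.
    $filter = @{
        LogName   = @('Application', 'Directory Service')
        Id        = @(8418, 1203)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LogName, ProviderName,
            @{ Name = 'Summary'; Expression = { $_.Message.Split("`n")[0] } }
}
```

Run Test-SchemaMasterForExchangeSetup before setup on every forest; a $false result means the role must be moved first. After setup, run Get-SchemaMismatchEvents on each DC and follow up with repadmin /showrepl if it returns anything.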

The solution

The Windows Server team is working on a permanent fix for this issue (scheduled to be released in the following months).

If you already have this problem, the Windows Support Team has a process that will allow your AD replication to continue, but manual intervention (editing of the schema) might be required. Please open a support ticket with the Windows Active Directory support team if you are already impacted by this.

Nino Bilic

9 Comments

  • banimostafa
    Copper Contributor

    The Workaround

    While Microsoft hasn’t yet released an official hotfix or KB article as of October 2025, here’s what worked in this environment:

    1- Isolate the schema master role (FSMO) on a Windows Server 2025 DC.
    2- Export the schema using ldifde -f schema.ldf -d "CN=Schema,CN=Configuration,DC=...".
    3- Manually locate duplicate attributes (often Exchange-related, such as msExchMailboxGuid or msExchAttributeSet).
    4- Compare attribute OIDs and GUIDs—retain the newer SE versions.
    5- Clean orphaned or duplicated entries via adsiedit.msc or ldifde imports (extreme caution required).
    6- Force replication again using: repadmin /syncall /A /e /P
    7- Once replication stabilizes, demote the older DCs and complete the migration.

  • Kenneth650
    Copper Contributor

    Hi,

    First, thank you for informing us. Sadly enough, this is highly inconvenient for us. Recently we introduced 2025 DCs for many of our customers because we had to deal with strong certificate mapping.
    Thinking about it though, it generally should not be too much of an issue to temporarily borrow another server to promote it to DC and do this.
    Still, it would be much appreciated if we could be provided publicly with the script support has to clean up duplicates in the schema. It would save me (and others) the hassle should we encounter the issue.

  • bbzome
    Brass Contributor

    Well... I've upgraded to Exchange SE and later upgraded the DCs to 2025.
    I'm not running into AD replication issues (yet), but I'm stuck because the AD and forest functional levels were upgraded to 2025.
    What happens if SE CU1 comes out before the Windows fix?

  • JS2022
    Copper Contributor

    We are migrating from 2019CU15/WS2022 to SE/WS2025 on a "WS2025 only" domain (i.e. all DCs are 2025), and we are not having this issue. When SE was being installed we were simultaneously in the process of removing the last WS2022 DC, and we are not sure if SE was installed before or after the FSMO role was transferred to a 2025 server, but in any case we are not seeing any replication errors in the logs. If all seems to be OK, is there a chance they may show up in the future, or are we in the clear?

  • Nino_Bilic, what is the recommendation if all DCs are 2025 and we are working toward transitioning to SE given that EOL support is 14 Oct 2025? Do we just proceed with the transition and open a ticket with support? Or will there be another path like extending 2019 support?

    • Nino_Bilic
      Microsoft

      Install a single DC (let's say WS 2022) and make it the schema master. Install Exchange SE. Once all is done, you can remove that DC (after transferring the role to a WS 2025 DC). The fix for this should be out by the end of the calendar year, when the problem will stop existing at all. My recommendation would be to NOT just run setup and open a ticket, because your AD replication might break. Exchange CU/HU updates are not an issue; only the CU setup makes changes to the schema.

      There is no change to end of life for E2016/E2019, still less than a week away.

      • BethanyReuter
        Copper Contributor

        I'm in the same situation, with Domain Controllers already being Windows Server 2025, and was planning to upgrade Exchange 2019 CU14 to SE this weekend. Spun up a new Windows Server 2022 like you mentioned and installed Active Directory. When promoting it to a DC, I received this message. So is it possible to put a 2022 DC into a 2025 environment?

        The operation failed because:

        The functional level of the forest is incompatible with this operating system.

        "The version of the operating system is incompatible with the current AD DS forest functional level or AD LDS Configuration Set functional level. You must upgrade to a new version of the operating system before this server can become an AD DS Domain Controller or add an AD LDS Instance in this AD DS Forest or AD LDS Configuration Set."

        This error can occur if you have not been granted necessary permissions to read data in the directory.

        Any advice is appreciated!