Working with our Windows Team counterparts we have become aware of a specific set of circumstances that might affect your on-premises Active Directory environment replication after you install a recent Exchange Server CU (Cumulative Update), such as Exchange 2019 CU15 or Exchange SE RTM.
This issue can happen ONLY if you use a Windows Server 2025 as the schema master FSMO role holder in your environment. Environments where you might use Windows Server 2025 as domain controller with other roles are not impacted.
The issue
Windows Server 2025 schema master FSMO role holder might create duplicate schema attribute values after Exchange Server CU update is installed. After this happens, your AD replication might start failing with the following Application log events:
Error 8418: The replication operation failed because of a schema mismatch between the servers involved.
Warning 1203 (NTDS Replication): The local domain controller could not replicate the following object from the source domain controller at the following network address because of an Active Directory schema mismatch.
Additionally, tools like repadmin /showrepl would show AD replication issues.
Windows Team has documented this as a known issue in KB5065426 (please see ‘Known issues in this update’).
How to prevent this problem
To not run into this issue, please ensure that you do not use a Windows Server 2025 as your schema master FSMO role holder before installing an Exchange Server CU (including Exchange SE RTM). Windows Server 2025 domain controllers can exist but should not be schema master FSMO role holders.
The solution
Windows Server team is working on a permanent fix for this issue (scheduled to be released in the following months).
If you already have this problem, the Windows Support Team has a process that will allow your AD replication to continue but a manual intervention (editing of schema) might be required. Please open a support ticket with a Windows Active Directory team if you are already impacted by this.
Nino Bilic
Microsoft
