Concerns and caveats when extending AD schema for Exchange 2010 SP3


I'd like to know if it is possible to run the Exchange Server Service Pack /PrepareDomain in the Domain controllers during the business hours without any outage ?

My plan is to do the AD preparation steps this week and then the actual SP to be deployed in the weekend for each servers.

Would that be ok to do it like that rather than doing it all in one big hit.

Any comments and suggestion would be greatly appreciated.

Asked by Senior IT System Engineer (IT Professional)
Will Szymkowski (Senior Solution Architect) commented:
It is best to get the system state backup from the FSMO role holder, for the schema master specifically. If you take a system state backup from a secondary DC you cannot restore it to another DC. It has to be restored to the DC that it was taken from. If you try to do an authoritative restore from a backup DC you may run into issues.

As stated this might be overkill but just want to point the details out.

Your change should be fine.

Sudhir Bidye commented:
Running Exchange 2010 SP3 setup will itself prepare Active Directory for Exchange 2010 SP3. It takes around 15 to 25 mins for the Exchange 2010 SP3 setup to prepare Active Directory.
Once you install Exchange 2010 SP3 on any one of the servers in your environment it will prepare the AD, and then for the next servers the setup will skip the AD preparation step.

Coming back to your original question of preparing AD during business hours (although I won't recommend running it in business hours, as I wouldn't like to deal with any unexpected issues affecting the business), preparing AD should not cause harm unless you already have issues in your AD/Exchange environment.

You can check the points below before you prepare the AD.
- dcdiag is clean and not reporting any critical errors.
- Ensure you have your AD replication working fine.
- Run ExBPA for all servers and check if it reports any AD or permissions related issues.

Last but not least, if the setup takes only 15-25 mins to prepare the AD, why take the risk of running it in business hours :)
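The pre-flight checks listed in the answer above, scripted as an added example (this is not code from the thread or from Microsoft). It assumes the RSAT ActiveDirectory module, domain-admin rights, and a domain-joined machine with dcdiag.exe and repadmin.exe on the path; ExBPA has no cmdlet, so that step is left to the GUI tool. The group names checked are the standard Exchange 2010 groups; the OU name is the one from the setup log in this thread.

```powershell
# Added example, not from the thread: pre-flight health checks before running
# Exchange 2010 SP3 /PrepareAD or /PrepareDomain. Read-only; it changes nothing.
Import-Module ActiveDirectory

$forest       = Get-ADForest
$domain       = Get-ADDomain
$schemaMaster = $forest.SchemaMaster
$blockers     = @()

Write-Host "Schema master       : $schemaMaster"
Write-Host "Domain naming master: $($forest.DomainNamingMaster)"

# 1. dcdiag on the schema master. /q prints only errors, so any output is a problem.
$dcdiagErrors = & dcdiag.exe /s:$schemaMaster /q
if ($dcdiagErrors) {
    $blockers += "dcdiag reported errors on ${schemaMaster}:`n" + ($dcdiagErrors -join "`n")
} else {
    Write-Host "dcdiag: clean"
}

# 2. Replication: repadmin /showrepl in CSV form has a 'Number of Failures' column
#    per replication link; anything non-zero means the schema change would not
#    converge cleanly across all DCs.
$links  = & repadmin.exe /showrepl * /csv | ConvertFrom-Csv
$failed = $links | Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($failed) {
    $blockers += "Replication failures:`n" + ($failed |
        ForEach-Object { "  $($_.'Source DSA') -> $($_.'Destination DSA') ($($_.'Naming Context')): $($_.'Last Failure Status')" } |
        Out-String)
} else {
    Write-Host "Replication: $($links.Count) links, no failures"
}

# 3. The Exchange security groups OU and the groups setup expects in it. A missing
#    group here is exactly the condition that caused the SP3 failure in this thread;
#    an already-present OU is what made /PrepareAD report 'The object exists'.
$ouDn = "OU=Microsoft Exchange Security Groups,$($domain.DistinguishedName)"
$expectedGroups = @('Organization Management', 'Exchange Servers', 'Exchange Trusted Subsystem')
$ou = Get-ADOrganizationalUnit -LDAPFilter '(objectClass=organizationalUnit)' -SearchBase $domain.DistinguishedName -SearchScope OneLevel |
      Where-Object { $_.DistinguishedName -eq $ouDn }
if (-not $ou) {
    Write-Host "OU not present: $ouDn (setup will create it)"
} else {
    $present = (Get-ADGroup -Filter * -SearchBase $ouDn).Name
    $missing = $expectedGroups | Where-Object { $_ -notin $present }
    if ($missing) { $blockers += "OU exists but these groups are missing: $($missing -join ', ')" }
    else          { Write-Host "Exchange security groups: all expected groups present" }
}

# 4. Current Exchange schema version, read from the schema master. Compare it with
#    the value Microsoft documents for SP3 before and after the extension.
$schemaNc = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$ver = Get-ADObject -Server $schemaMaster -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNc" -Properties rangeUpper -ErrorAction SilentlyContinue
if ($ver) { Write-Host "Exchange schema rangeUpper on ${schemaMaster}: $($ver.rangeUpper)" }
else      { Write-Host "ms-Exch-Schema-Version-Pt not found: schema has never been Exchange-prepared" }

if ($blockers) {
    Write-Warning "Do not run /PrepareAD yet:`n" + ($blockers -join "`n")
} else {
    Write-Host "All checks passed; AD preparation can be scheduled."
}
```

Run it against the schema master specifically because that is where the schema extension is written; the replication check then tells you whether the change will reach every other DC without manual intervention.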
Simon Butler (Sembee) (Consultant) commented:
It can be run in business hours, as it doesn't make any changes that require a reboot or operationally modify the platform.
However I only tend to prep the domain separately in a multiple site/domain environment, so that the change has time to replicate around the network. For single server/site environments I don't bother, just let setup.exe do the work for me.


Senior IT System Engineer (IT Professional), author, commented:
Thanks for the reply and clarification. My environment is just a single domain in a forest.

The reason I run the PrepareDomain on the Schema Master DC is to repair the missing Microsoft Exchange Security Group that caused my SP3 installation to fail.

Hopefully by running that during the business hours it doesn't affect the email flow.
Senior IT System Engineer (IT Professional), author, commented:

Thank you for the reply.
So by running it from my Schema Master DC, can it automatically detect and repair the missing default built-in Exchange Server AD security group?
Sudhir Bidye commented:
The article below will tell you the list of things PrepareAD will do and the list of items it will create.
Senior IT System Engineer (IT Professional), author, commented:
Yes it seems that it will recreate the AD security group by running the /PrepareDomain switch.

Hopefully it doesn't screw up the current exchange server settings :-/
VB ITS (Specialist Consultant) commented:
Look at using the /PrepareAD switch instead of the /PrepareDomain switch.

This document outlines the actual changes that get made to the schema when installing SP3:

With that being said, running /PrepareAD may recreate the missing Exchange security group(s), but if it doesn't you can try the steps in this article:

I haven't personally tried the steps in this article myself so, as always, make sure you have proper backups before making any major changes to your environment.
Senior IT System Engineer (IT Professional), author, commented:
Hi VB,

Last weekend when I tried the /PrepareAD command it failed, complaining that the security group exists:

$RoleActiveDirectorySplitPermissions" was run: "Active Directory operation failed on The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists.".
[12/22/2014 22:12:15.0127] [1] [ERROR] Active Directory operation failed on The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists.
[12/22/2014 22:12:15.0127] [1] [ERROR] The object exists.
[12/22/2014 22:12:15.0127] [1] [ERROR-REFERENCE] Id=443949901 Component=


VB ITS (Specialist Consultant) commented:
In that case you can try /PrepareDomain, but I suspect you'll probably run into the same issue. There shouldn't be any issues running the /PrepareDomain switch during business hours, as per Simon's comment above.
Will Szymkowski (Senior Solution Architect) commented:
As some experts have already stated, running the schema extension during production hours should be fine. I personally, as a best practice, would run it out of business hours due to the impact if something goes wrong. Although Microsoft has almost made schema updates bulletproof, things can still happen, and I personally would rather do changes like this out of hours so in case something does go wrong you are not impacting the business and you don't have to work under so much pressure to get services back up.

Also, if you are trying to save time by doing this change during production hours, why take the risk? Schema changes only take minutes to complete, so you won't be saving much time on the weekend before you actually install the service packs.

Some things to consider before doing schema changes:
- test in a lab environment (if possible take a VM of your Exchange/AD environment and test)
- make sure you have a system state backup of your ntds.dit database (make sure that the backup admin is available)

Some might think this is overkill but when you are working with AD you don't want anything to go wrong.

"Ounce of prevention is a pound of cure!"
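The backup step from this answer, and the earlier point that the system state should come from the schema master because it only restores to the DC it was taken from, as an added example (not code from the thread). It assumes the Windows Server Backup feature is installed on the DC and that $BackupTarget (a placeholder) is a local volume or UNC share with enough free space; system state includes NTDS.dit, SYSVOL and the registry.

```powershell
# Added example, not from the thread: take and verify a system state backup on the
# schema master before extending the schema. $BackupTarget is a placeholder path.
param([string]$BackupTarget = 'E:')

Import-Module ActiveDirectory

# Refuse to run anywhere except the schema master, because a system state backup
# is only restorable to the DC it was taken from (see the first answer above).
$schemaMaster = (Get-ADForest).SchemaMaster
$thisHost     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($thisHost -ne $schemaMaster) {
    throw "This host is $thisHost; run the backup on the schema master $schemaMaster instead."
}

# Windows Server Backup must be present for wbadmin to work.
if (-not (Get-WindowsFeature Windows-Server-Backup).Installed) {
    throw "Windows Server Backup is not installed; run Install-WindowsFeature Windows-Server-Backup first."
}

# Record the current Exchange schema version so the pre- and post-change state can be compared.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$before   = (Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNc" -Properties rangeUpper -ErrorAction SilentlyContinue).rangeUpper
Write-Host "Exchange schema rangeUpper before change: $before"

# System state backup; -quiet suppresses the interactive confirmation.
& wbadmin.exe start systemstatebackup -backupTarget:$BackupTarget -quiet
if ($LASTEXITCODE -ne 0) {
    throw "wbadmin failed with exit code $LASTEXITCODE; do not proceed with the schema extension."
}

# Confirm the backup version is catalogued before declaring the prerequisite met.
& wbadmin.exe get versions -backupTarget:$BackupTarget
Write-Host "System state backup of $thisHost written to $BackupTarget; schema extension may proceed."
```

Keep the printed rangeUpper value with the change record: after /PrepareAD it is the quickest way to confirm, on each DC, that the extension both applied and replicated.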

Senior IT System Engineer (IT Professional), author, commented:
Thanks Will,
So yes, I'll take the system state backup from one of my DCs to back up the NTDS.DIT file.