What are the Schema Extension Requirements for running Windows Server 2008 DFSR?

Ned here again. With the release of Windows Server 2008, a number of customers have asked us whether or not they need to extend the Active Directory schema in order to use the new version of Distributed File System Replication (DFSR).

The answer is, of course: it depends. :)

There are a few DFSR scenarios available in Windows Server 2008, so let’s start by talking about them. Then we’ll see what you as an administrator can decide to do in your environment.

DFSR with SYSVOL

If you want to stop using the legacy File Replication Service (FRS) to keep your SYSVOL shares in sync, you definitely need to extend the schema. This is because only Win2008 DC’s can participate in SYSVOL replication using DFSR, and in order to add Win2008 DC’s, the schema must be at 2008 level (i.e. version 44). Additionally in that scenario, you must be at a Windows Server 2008 Native Domain Functional Level. You can check the schema version of your forest by looking at the objectVersion attribute on the Schema object. You can view this with ADSIEdit or with a Dsquery command:

dsquery.exe * "CN=Schema,CN=Configuration,DC=contoso,DC=com" -scope base -attr objectversion

Here is what the versions will mean:

47 = Windows Server 2008 R2
44 = Windows Server 2008
31 = Windows Server 2003 R2
30 = Windows Server 2003
13 = Windows 2000

DFSR on member servers

Here things get a bit muddier. When we extend the schema to version 44, fifteen new DFSR-related attributes are added. Here’s a table describing them:

It turns out only two of these new attributes are actually used. The rest are reserved for the future of DFSR (and some are pretty tantalizing, aren’t they? Please don’t get your hopes up too high; there are R2 DFSR attributes that are still unused).

So by extending the schema, there are only two attributes added. What if we didn’t bother? The good news is DFSR will still work fine, replicate data, and not give you any errors or problems about these attributes. The downside is:

1. You would not be able to make full use of the ms-DFSR-DefaultCompressionExclusionFilter functionality described in KB951003.
2. You would not be able to make use of the msDFSR-ReadOnly functionality (which is only for RODC’s anyway, so no big loss if you are not using them).

And yes – Win2008 and Win2003 R2 DFSR servers will still happily replicate with each other in this scenario.

So is that it?

Of course not! There is really no compelling reason not to upgrade your schema once you have started to deploy Windows Server 2008 and Vista. If you don’t extend, you won’t get all the other interesting attributes that you might find useful. Things like Bitlocker Drive Encryption Recovery, Credential Roaming, DFS Namespace Version 2, Read-Only Domain Controllers, and the aforementioned DFSR SYSVOL support. These are really compelling features and you’ll need your schema extended to get them.

If you need to track down all the other schema changes made by Win2008, the best two references are:

• Appendix of Changes to Adprep.exe to support AD DS in Windows Server 2008 (Schema Updates)
• The MSDN Active Directory Schema section

As always, feel free to comment below. This is ASKDS after all…

(Update 6/3/09 - now includes 2008 R2 schema version. And no, there are no new Schema updates for DFSR in 2008 R2, nor do any of the reserved Schema updates described above change for R2 or start being used.)

- Ned Pyle