Identify your Active Directory

In July 2014, besides Brazil providing the World Cup soccer champion, Windows Server 2003 will reach the end of its support. Many customers around the world are planning to upgrade their environment to at least Windows Server 2008 R2, and others to Windows Server 2012. As a PFE I have helped hundreds of customers migrate their Active Directory from 2003 to WS 2008 R2 without impact and without risk.

Everybody knows that, by default, you can't promote additional Domain Controllers running, for example, Windows Server 2008 R2 into an AD 2003 forest unless you have extended the schema first. But take care: if your admin account is a member of Schema Admins and Enterprise Admins and you promote a Windows Server 2012 machine to Domain Controller, the promotion succeeds without you extending the schema manually beforehand, just like with Exchange Server. This is new in WS 2012.

The tip is this: if you know the schema version number, you know which version of Active Directory you have and whether you are ready to promote Domain Controllers running a newer Active Directory. Basically there are five ways to discover your AD schema version. Before I explain them, please take a look at the table below.

| Schema Version | OS Supported to Domain Controller |
|----------------|-----------------------------------|
| 13             | Windows 2000 Server               |
| 30             | Windows Server 2003 and SP1       |
| 31             | Windows Server 2003 R2            |
| 44             | Windows Server 2008               |
| 47             | Windows Server 2008 R2            |
| 56             | Windows Server 2012               |

First, I am going to show how to find this number in the registry. Choose any Domain Controller, open REGEDIT, navigate to HKLM\System\CurrentControlSet\Services\Parameters, and look at the Schema Version value. In this example the number was 31. According to the table above, that means only Windows Server 2003 Domain Controllers are allowed, provided the Domain and Forest Functional Level is set to Windows Server 2003, obviously.


Now I hope that this same number shows up in the other locations (attributes), otherwise I'll get frustrated. Well, let's check.

Through ADSIEDIT: open it on a Domain Controller. Don't forget that Active Directory 2003 and higher has five partitions: Schema, Configuration, Domain, DomainDnsZones and ForestDnsZones. Connect and expand CN=Schema,CN=Configuration, click Properties, locate the objectVersion attribute and look at its value: 31.


Through the command line it is very simple: run C:\Windows\System32\SCHUPGR.EXE and look at the Current Schema Version line. It is 31.


Through the DSQUERY command: DSQUERY * CN=Schema,CN=Configuration,DC=contoso,DC=corp -Scope base -attr objectVersion


And finally, using PowerShell: Get-ADObject "CN=Schema,CN=Configuration,DC=Contoso,DC=Corp" -Properties objectVersion
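
The PowerShell method can be extended into a pre-promotion check. The script below is an added example, not part of the original post: it reads objectVersion from every Domain Controller, maps it to the table above, and lists the members of the two groups whose rights let a WS 2012 promotion extend the schema. It assumes the ActiveDirectory module, PowerShell 3.0 or later, and the default English group names; the function and property names are hypothetical.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) and directory read access.
Import-Module ActiveDirectory

# Schema version -> supported DC operating system, copied from the table on this page.
$SchemaVersions = @{
    13 = 'Windows 2000 Server';  30 = 'Windows Server 2003 and SP1'
    31 = 'Windows Server 2003 R2'; 44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'; 56 = 'Windows Server 2012'
}

function Get-SchemaVersionReport {
    # Resolve the schema partition DN from RootDSE instead of hard-coding DC=contoso,DC=corp.
    $forest   = Get-ADForest
    $schemaDN = (Get-ADRootDSE).schemaNamingContext
    foreach ($domain in $forest.Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            try {
                # Every DC holds a schema replica, so ask each one for its own copy.
                $obj     = Get-ADObject -Identity $schemaDN -Properties objectVersion -Server $dc.HostName -ErrorAction Stop
                $version = [int]$obj.objectVersion
                $os      = $SchemaVersions[$version]
                if (-not $os) { $os = 'Not in the table on this page' }
            } catch {
                # Report an unreachable DC instead of skipping it silently.
                $version = $null
                $os      = "Query failed: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                DomainController = $dc.HostName
                IsSchemaMaster   = ($dc.HostName -eq $forest.SchemaMaster)
                SchemaVersion    = $version
                SupportedDcOs    = $os
            }
        }
    }
}

$report = Get-SchemaVersionReport
$report | Format-Table -AutoSize

# More than one distinct value means a schema change has not replicated to every DC yet.
$distinct = @($report | Where-Object { $_.SchemaVersion } | ForEach-Object { $_.SchemaVersion } | Sort-Object -Unique)
if ($distinct.Count -gt 1) { Write-Warning "Schema versions differ between DCs: $($distinct -join ', ')" }

# Accounts in these groups can trigger a schema extension during a WS 2012 promotion.
$root = (Get-ADForest).RootDomain
foreach ($g in 'Schema Admins', 'Enterprise Admins') {
    Get-ADGroupMember -Identity $g -Server $root -Recursive | Select-Object @{n='Group';e={$g}}, SamAccountName, objectClass
}
```

Run it before any promotion: an unexpected account in either group, or a Domain Controller that still reports an older version than the schema master, is worth resolving first.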


So now, if you want to know which version you are on and whether you are ready to promote new Domain Controllers, use the methods above.

Enjoy and have fun!

Comments (2)

  1. Anonymous says:

    Nice write-up!

  2. Ron says:

    You are missing the NTDS key in your HKLM. Should be HKLM\System\CurrentControlSet\Services\NTDS\Parameters