Overview

If your Active Directory schema master is a Windows Server 2025 domain controller and you intend to upgrade to Exchange Server SE RTM in the coming weeks, please read the following. It may save you from an issue in which down-level domain controllers stop replicating after the Exchange Server SE RTM schema update.

Thankfully, several others in the community have run into this issue recently and shared their troubleshooting experience for our benefit. The issue may arise if your Active Directory domain meets the following criteria:

  • A domain controller, hosting the schema master (Flexible Single Master Operations, FSMO) role, is running Windows Server 2025
  • Windows Server 2022, 2019, 2016, or 2012 R2 domain controllers are still part of the domain

The Problem

When the Exchange Server SE RTM schema update is run, either a defect in the Exchange Server SE RTM schema update code or a defect in the schema master role on Windows Server 2025 writes multiple, duplicate values into attributes of schema objects. As soon as those schema changes replicate to the down-level domain controllers (2022, 2019, 2016, 2012 R2), lsass.exe resource consumption on those domain controllers skyrockets and domain replication begins to fail.

If you are experiencing this issue, you will also see errors like the following in the Directory Service event log of the down-level domain controllers:

“The directory service could not replicate the following object from the source directory service at the following network address because of an Active Directory Domain Services schema mismatch.”
(Screenshot: Active Directory replication errors caused by multiple, duplicate schema values.)

As resources on the domain controller become exhausted by the load from the lsass.exe process, authentications fail and the desktop eventually becomes unresponsive. It appears that down-level domain controllers cannot handle duplicate values for these schema attributes. Oddly enough, Windows Server 2025 domain controllers CAN handle duplicate values for an attribute: they continue to replicate without issue and are unaffected. Microsoft appears to be aware of the issue, although the root cause of the duplicate values remains unidentified and therefore unresolved. Regardless of whether duplicate values are supported, they should not be there in the first place; their presence is the result of some sort of bug.
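A quick triage pass over the down-level domain controllers, as an added example rather than anything from the original post: it counts "schema mismatch" replication events in the Directory Service log and samples lsass.exe CPU on each non-2025 DC in the forest. It assumes the RSAT ActiveDirectory module, remote event log and performance counter access to the DCs, and that matching on the message text is sufficient; no event ID is hard-coded because the post does not give one.

```powershell
# Added example (not from the original post): triage down-level DCs for the
# symptoms described above. Assumptions: RSAT ActiveDirectory module, remote
# event log/perf counter access (WinRM/RPC), message-text matching is enough.
Import-Module ActiveDirectory

$dcs       = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
$downLevel = $dcs | Where-Object OperatingSystem -notlike '*Server 2025*'

$report = foreach ($dc in $downLevel) {
    $fqdn = $dc.HostName

    # Replication events from the last 24h that mention a schema mismatch
    $mismatch = @(Get-WinEvent -ComputerName $fqdn -FilterHashtable @{
            LogName   = 'Directory Service'
            StartTime = (Get-Date).AddHours(-24)
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'schema mismatch' })

    # One five-second sample of lsass CPU. The counter is per-process and can
    # exceed 100% on multi-core hosts; a healthy DC idles far below that.
    $lsass = (Get-Counter -ComputerName $fqdn -Counter '\Process(lsass)\% Processor Time' `
                -SampleInterval 5 -MaxSamples 1 -ErrorAction SilentlyContinue).CounterSamples.CookedValue

    [pscustomobject]@{
        DC               = $dc.Name
        OperatingSystem  = $dc.OperatingSystem
        SchemaMismatches = $mismatch.Count
        LsassCpuPercent  = if ($null -ne $lsass) { [math]::Round($lsass, 1) } else { 'n/a' }
    }
}

$report | Sort-Object SchemaMismatches -Descending | Format-Table -AutoSize

# repadmin gives the same DCs' own view of inbound replication; only failing
# neighbours are printed
foreach ($dc in $downLevel) { repadmin.exe /showrepl $dc.HostName /errorsonly }
```

A DC that shows a non-zero mismatch count together with lsass.exe pinned at high CPU is exhibiting exactly the failure mode the post describes; a 2025 DC in the same forest should show neither.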

How to Mitigate

To prevent the issue in an environment with mixed domain controller operating system versions, simply transfer the schema master role to a non-Windows Server 2025 domain controller before running the Exchange Server SE RTM schema update. Complete the schema update while the schema master is on a down-level domain controller OS, then move the schema master role back to the Windows Server 2025 domain controller once the schema update is complete.
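The mitigation above, scripted in PowerShell as an added example (not the post's own procedure): it lists every DC in the forest with its OS, flags the current schema master, and transfers the role to a down-level DC when the holder is Windows Server 2025. It assumes the RSAT ActiveDirectory module and an account in Schema Admins and Enterprise Admins; DC02 (a down-level DC) and DC01 (the original Windows Server 2025 holder) are placeholder names.

```powershell
# Added example (not from the original post): move the schema master off
# Windows Server 2025 before the Exchange schema update. Assumptions: RSAT
# ActiveDirectory module, Schema Admins + Enterprise Admins rights, and the
# placeholder DC names DC02 (down-level target) and DC01 (original holder).
Import-Module ActiveDirectory

$forest = Get-ADForest
$dcs    = $forest.Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

# Every DC in the forest, with the schema master flagged
$dcs | Select-Object Name, Domain, OperatingSystem,
    @{ n = 'SchemaMaster'; e = { $_.HostName -ieq $forest.SchemaMaster } } |
    Format-Table -AutoSize

$master    = $dcs | Where-Object HostName -ieq $forest.SchemaMaster
$downLevel = $dcs | Where-Object OperatingSystem -notlike '*Server 2025*'

if ($master.OperatingSystem -like '*Server 2025*' -and $downLevel) {
    Write-Warning ("Schema master {0} runs {1} and {2} down-level DC(s) exist: move the role first." -f
        $master.Name, $master.OperatingSystem, @($downLevel).Count)

    # Transfer, not seize: without -Force a failed transfer errors out instead
    # of silently seizing the role.
    Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole SchemaMaster -Confirm:$false
}

# Verify the new holder, then run the Exchange schema update
# (Setup.exe /PrepareSchema, with the license-terms switch your build requires)
# while the role sits on the down-level DC.
(Get-ADForest).SchemaMaster
netdom query fsmo

# After the schema update has completed and replicated, move the role back:
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC01' -OperationMasterRole SchemaMaster -Confirm:$false
```

Run the verification step on the down-level DC itself as well (`netdom query fsmo` there), and give the role transfer time to replicate before starting Exchange setup; setup writes the schema only through the current schema master.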

How to Fix, Post-Update

If you are reading this article after performing the schema update and are seeing the replication and lsass.exe issues on the down-level domain controllers, you can resolve the issue by removing the multiple, duplicate values from the affected schema attributes.

WARNING: Modifying the schema manually could potentially be detrimental to your Active Directory infrastructure and in some circumstances can render the environment inoperable. It is recommended to perform any modifications to the schema under the direction of Microsoft support. Any of the guidance provided below is performed at your own risk and is not recommended in a production environment.

Using the ADSIEdit tool on the schema master server, it’s possible to remove the duplicate values from the affected attributes. A list of the attributes with duplicate values has been provided by community member bpoindexter and can be found in his post here: Active Directory replication issue after installing new Exchange server - Windows - Spiceworks Community.

As noted in the post above, to remove the duplicate values from the listed attributes you first need to clear all values from the attribute, let the domain controller replicate, and then set the attribute again with only a single instance of the original value.

When using ADSIEdit, the process may look something like this…

  1. Open the attribute containing the duplicate value.
  2. Edit the duplicate attribute value and copy ONE of the values.
     (Screenshot: Active Directory schema with multiple, duplicate values for the auxiliaryClass attribute.)
  3. Delete both values from the attribute.
  4. Synchronize the domain controller.
  5. Edit the attribute value again and paste in a single instance of the original value.
     (Screenshot: Active Directory schema with a single, correct value for the auxiliaryClass attribute.)
  6. Synchronize the domain controller again.

It is a tedious, manual process that may be automated if you are savvy with ldifde. Once the duplicate values are removed from the schema, the down-level domain controllers begin to synchronize again almost immediately and lsass.exe resource consumption returns to normal.
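A PowerShell alternative to ldifde for the manual procedure above, as an added example and not the post's or the community member's own list or tooling: it scans the schema partition on the schema master for multi-valued attributes that contain the same value more than once, then repairs each hit the way the ADSIEdit steps do (clear, replicate, re-add a single copy of each distinct value, replicate). It assumes the RSAT ActiveDirectory module and Schema Admins rights; that duplicates are visible as repeated entries in the attribute returned by LDAP; that "synchronize" means repadmin /syncall; and that the attribute list is a guess at the usual multi-valued schema attributes (auxiliaryClass is the one the post's screenshots show), which you should reconcile with the community-supplied list before running it. The same warning as above applies: dry-run first and do this under Microsoft support's direction in production.

```powershell
# Added example (not from the original post): find and repair duplicate values
# in multi-valued schema attributes. Assumptions: RSAT ActiveDirectory module,
# Schema Admins rights, duplicates appear as repeated LDAP values, "synchronize"
# = repadmin /syncall, and $Attributes is a guess (extend with the community list).
Import-Module ActiveDirectory

$Attributes = 'auxiliaryClass', 'systemAuxiliaryClass', 'mayContain', 'systemMayContain',
              'mustContain', 'systemMustContain', 'possSuperiors', 'systemPossSuperiors'

function Find-DuplicateSchemaValue {
    param([string]$Server = (Get-ADForest).SchemaMaster)
    $schemaNC = (Get-ADRootDSE -Server $Server).schemaNamingContext
    Get-ADObject -Server $Server -SearchBase $schemaNC -LDAPFilter '(objectClass=classSchema)' -Properties $Attributes |
        ForEach-Object {
            $obj = $_
            foreach ($attr in $Attributes) {
                $values = @($obj.$attr)
                if ($values.Count -lt 2) { continue }
                # Any value that occurs more than once is a hit
                foreach ($g in ($values | Group-Object | Where-Object Count -gt 1)) {
                    [pscustomobject]@{
                        Class = $obj.Name; DistinguishedName = $obj.DistinguishedName
                        Attribute = $attr; Value = $g.Name; Count = $g.Count; Server = $Server
                    }
                }
            }
        }
}

function Repair-DuplicateSchemaValue {
    # Mirrors the ADSIEdit steps: clear the attribute, replicate, put back one
    # copy of each distinct value, replicate again. Honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$DistinguishedName,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Attribute,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Server
    )
    process {
        # system* schema attributes are systemOnly and cannot be written over LDAP
        if ($Attribute -like 'system*') { Write-Warning "$Attribute on $DistinguishedName is systemOnly; skipping"; return }

        $current  = @((Get-ADObject -Server $Server -Identity $DistinguishedName -Properties $Attribute).$Attribute)
        $distinct = @($current | Select-Object -Unique)
        if ($current.Count -eq $distinct.Count) { return }   # already clean

        if ($PSCmdlet.ShouldProcess("$DistinguishedName [$Attribute]",
                "clear $($current.Count) value(s), replicate, re-add $($distinct.Count)")) {
            Set-ADObject -Server $Server -Identity $DistinguishedName -Clear $Attribute
            repadmin.exe /syncall $Server /APed | Out-Null
            $add = @{}; $add[$Attribute] = [string[]]$distinct
            Set-ADObject -Server $Server -Identity $DistinguishedName -Add $add
            repadmin.exe /syncall $Server /APed | Out-Null
        }
    }
}

# 1. Report only
$dupes = Find-DuplicateSchemaValue
$dupes | Format-Table Class, Attribute, Value, Count -AutoSize

# 2. Dry run, then the real thing (prompts per object because ConfirmImpact is High)
$dupes | Select-Object DistinguishedName, Attribute, Server -Unique | Repair-DuplicateSchemaValue -WhatIf
# $dupes | Select-Object DistinguishedName, Attribute, Server -Unique | Repair-DuplicateSchemaValue
```

Run the report first against every DC (pass `-Server` to `Find-DuplicateSchemaValue`) and compare: per the post, the 2025 schema master will show the duplicates while the down-level DCs may not have been able to apply those objects at all. Repair only on the schema master, since that is the only DC that accepts schema writes.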

The only other option for resolving the problem after the schema update has been applied is to forcibly decommission the down-level domain controllers from the environment altogether.

Wrap-Up

I hope this information is helpful as many organizations are working to migrate/upgrade their Exchange 2019/2016 environments to Exchange Server SE RTM ahead of Microsoft support deadlines and may already be running Windows Server 2025 as a schema master for the domain. Planning an Exchange Server migration or upgrade? Lightspire brings proven expertise and trusted support to ensure a smooth transition. Reach out to us today!
