Exchange Server SE and Active Directory Schema Duplication Bug: A Migration Story

When it comes to Active Directory migrations and Exchange Server upgrades, even the most carefully planned deployment can take an unexpected turn. This post explores a real-world migration scenario involving an upgrade to Windows Server 2025 Domain Controllers (DCs) and Exchange Server SE (Subscription Edition) – which unexpectedly revealed what appears to be a Microsoft Active Directory schema replication bug.

What began as a routine domain upgrade quickly escalated into a deep-dive debugging session after Exchange’s schema extension introduced duplicate multi-valued attributes in the Active Directory schema. This caused replication failures, Event ID 1203 errors, and high CPU usage (lsass.exe) on newer DCs.

If you’re managing a mixed AD environment – especially with older Windows Server 2016 or 2019 domain controllers – you’ll want to read this carefully. This bug can completely halt schema replication and disrupt hybrid Exchange operations.

The good news? There is a workaround—but it requires precision and a solid understanding of AD internals.

The Environment Setup

Initial Configuration

  • Domain Controllers: 6 total (all running Windows Server 2016) in a hub-and-spoke VPN topology
  • Domain Functional Level (DFL): Windows Server 2016
  • Exchange Environment: Single Exchange Server 2016 instance used for hybrid management with Exchange Online (Microsoft 365)
  • DNS Configuration:
    • Remote DCs pointed to the HQ DC as Primary DNS, loopback as Secondary
    • HQ DC pointed to a remote DC as Primary

Migration Plan

The goal was to:

  1. Deploy new Windows Server 2025 DCs (side-by-side with existing 2016 DCs).
  2. Demote and retire all legacy 2016 domain controllers.
  3. Install Exchange Server SE (Subscription Edition) on a new Windows Server 2025 VM.
  4. Extend the Active Directory schema using Setup /PrepareSchema.

Everything looked good—until step 4.

The Problem: Schema Replication Failure After Exchange SE Setup

Immediately after running the Exchange SE Schema Preparation (Setup /PrepareSchema), replication between the new 2025 DCs and older 2016 DCs started failing.

Symptoms Observed:

  • repadmin /showrepl displayed schema replication failures between DCs.
  • Event ID 1203 appeared in the Directory Service log, referencing schema update issues.
  • High CPU utilization on new DCs (via lsass.exe).
  • The schema partition became inconsistent, with Exchange-related attributes duplicated or malformed.

Key Error Details:

The 1203 event indicated that duplicate multi-valued attributes (introduced during Exchange SE’s schema prep) were causing conflicts in replication metadata.

Example snippet:

Event ID: 1203
Source: NTDS Replication
Description: The local domain controller has attempted to replicate the following object but failed due to duplicate attribute definitions in the schema.

This replication break effectively froze schema updates, impacting the entire forest and halting further domain controller promotion.

Root Cause Analysis

Upon closer inspection, the issue was traced to Exchange Server SE’s updated schema files. Microsoft’s Subscription Edition (SE) introduces new Exchange hybrid attributes and updates several multi-valued schema entries.

However, in environments where older DCs (2016/2019) are still present, these schema changes appear to trigger duplicate definitions—likely due to attribute GUID mismatches or OID duplication between Exchange SE and legacy Exchange schema objects.

This creates a replication conflict that newer Windows Server 2025 DCs strictly enforce, while older ones might allow inconsistencies to persist silently.

The Workaround (Advanced Fix)

While Microsoft hasn’t yet released an official hotfix or KB article as of October 2025, here’s what worked in this environment:

  1. Isolate the schema master role (FSMO) on a Windows Server 2025 DC.
  2. Export the schema using ldifde -f schema.ldf -d "CN=Schema,CN=Configuration,DC=...".
  3. Manually locate duplicate attributes (often Exchange-related, such as msExchMailboxGuid or msExchAttributeSet).
  4. Compare attribute OIDs and GUIDs—retain the newer SE versions.
  5. Clean orphaned or duplicated entries via adsiedit.msc or ldifde imports (extreme caution required).
  6. Force replication again using: repadmin /syncall /A /e /P
  7. Once replication stabilizes, demote the older DCs and complete the migration.
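Steps 2 through 4 amount to finding schema attribute definitions that collide on their name, OID (attributeID) or schemaIDGUID. The following script is an added example, not part of the original post: a read-only audit run from the schema master as a Schema Admin that groups every attributeSchema object on those three keys and writes the collisions to a CSV for review before anything is touched in adsiedit.msc or ldifde. The output path schema-collisions.csv is an assumption.

```powershell
# Added example (not from the original post): read-only audit of the schema
# partition for attribute definitions that collide on lDAPDisplayName,
# attributeID (OID) or schemaIDGUID. Changes nothing; review the CSV before
# editing anything with adsiedit.msc or an ldifde import.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Pull every attributeSchema object with its three identity properties.
# schemaIDGUID comes back as byte[]; convert it to a Guid for grouping.
$attrs = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=attributeSchema)' `
    -Properties lDAPDisplayName, attributeID, schemaIDGUID, whenCreated |
    Select-Object DistinguishedName, lDAPDisplayName, attributeID, whenCreated,
        @{ Name = 'schemaIDGUID'; Expression = { [guid]$_.schemaIDGUID } }

function Find-SchemaCollisions {
    param([Parameter(Mandatory)] $Objects, [Parameter(Mandatory)] [string] $Key)
    # Any group with more than one member on an identity key is a collision
    # that replication cannot reconcile on its own.
    $Objects | Group-Object -Property $Key | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            foreach ($o in $_.Group) {
                [pscustomobject]@{
                    CollisionKey      = $Key
                    Value             = $_.Name
                    lDAPDisplayName   = $o.lDAPDisplayName
                    attributeID       = $o.attributeID
                    schemaIDGUID      = $o.schemaIDGUID
                    whenCreated       = $o.whenCreated   # helps tell legacy from SE entries
                    DistinguishedName = $o.DistinguishedName
                }
            }
        }
}

$collisions = foreach ($key in 'lDAPDisplayName', 'attributeID', 'schemaIDGUID') {
    Find-SchemaCollisions -Objects $attrs -Key $key
}

# Full list to CSV; Exchange attributes (msExch*) shown first on screen,
# since that is where this environment saw the duplicates.
$collisions | Sort-Object CollisionKey, Value, whenCreated |
    Export-Csv -Path .\schema-collisions.csv -NoTypeInformation
$collisions | Where-Object lDAPDisplayName -like 'msExch*' | Format-Table -AutoSize
```

whenCreated is the quickest way to tell an older definition from the one introduced by Exchange SE's PrepareSchema when deciding which entry step 4 says to retain.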

Note: This workaround is not supported by Microsoft and should only be attempted by senior AD/Exchange administrators familiar with schema editing. Always back up your system state and Active Directory before proceeding.

Key Lessons Learned

  • Always extend your schema to the latest Windows Server version.
  • Avoid running Exchange /PrepareSchema while legacy DCs are still in the replication scope.
  • Monitor Event ID 1203 and repadmin closely after schema changes.
  • lsass.exe CPU spikes often point to schema or replication metadata loops.
  • Test in a lab or isolated environment before production rollout.
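The monitoring lesson above can be scripted. This is an added example, not from the original post: it counts Event ID 1203 in the Directory Service log on every DC since the schema change and parses repadmin /showrepl * /csv for links with failures, listing the schema naming context first. The 24-hour window is an assumption; it needs RSAT and an account that can read event logs on the DCs.

```powershell
# Added example (not from the original post): read-only post-change health
# check for the symptoms described in this post (Event 1203 + repadmin
# failures). Window and account rights are assumptions.
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-24)    # assumed window after Setup /PrepareSchema
$dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

function Get-SchemaEventCount {
    param([string] $Computer, [datetime] $Since)
    try {
        $events = Get-WinEvent -ComputerName $Computer -FilterHashtable @{
            LogName = 'Directory Service'; Id = 1203; StartTime = $Since } -ErrorAction Stop
        return [pscustomobject]@{ DC = $Computer; Event1203 = @($events).Count; Error = $null }
    } catch {
        # Get-WinEvent errors when nothing matches; report that as zero,
        # anything else (RPC, access denied) is surfaced for the operator.
        $count = if ($_.Exception.Message -match 'No events') { 0 } else { $null }
        return [pscustomobject]@{ DC = $Computer; Event1203 = $count; Error = $_.Exception.Message }
    }
}

function Get-FailingReplLinks {
    # repadmin /showrepl /csv emits one row per destination/source/partition.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
            'Number of Failures', 'Last Failure Time', 'Last Failure Status' |
        Sort-Object @{ Expression = { $_.'Naming Context' -notlike 'CN=Schema,*' } },
                    @{ Expression = { [int]$_.'Number of Failures' }; Descending = $true }
}

$dcs | ForEach-Object { Get-SchemaEventCount -Computer $_ -Since $since } | Format-Table -AutoSize
Get-FailingReplLinks | Format-Table -AutoSize
```

A non-zero Event1203 count on the new DCs combined with failing links whose Naming Context is the schema partition is the pattern this post describes, and is the point at which to stop further DC promotions.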

Conclusion

The Exchange Server SE schema duplication bug highlights how even mature platforms like Active Directory and Exchange can behave unpredictably when mixing old and new server generations.

If you’re planning a Windows Server 2025 domain controller migration or Exchange Server SE upgrade, take extra precautions during the schema extension phase.

This real-world experience underscores one key truth: always expect the unexpected when interacting with the AD schema.
