Quick note to administrators who use Windows Server 2025 as a domain controller (DC). I have been informed that there is a bug when using the schema master role. The bug may lead to duplicate entries, which causes a schema mismatch error on other domain controllers. The issue is already being addressed.
Schema Master Role (FSMO)
Domain controllers can be assigned several FSMO roles, as Microsoft explains here. One of these roles is the schema master. The schema defines the class templates for Active Directory objects such as users, computers, or resources, as well as the attributes that can be assigned to individual objects.
The schema master domain controller controls all updates and changes to the schema. The schema master is responsible when the Active Directory schema needs to be changed, i.e., when additional object classes and attributes need to be added to the schema. This is the case, for example, when installing an Exchange Server for the first time, which adds Exchange-specific attributes such as the home server and mailbox name for each user. The schema master must be available for the changes to be made.
To update the schema of a forest, administrators must have access to the domain controller (DC) that holds the schema master role. There can only be one schema master in the entire forest.
A bug in the Schema Master
A German blog reader contacted me via Facebook in a private message and asked if I was aware that there is currently a bug with the Schema Master role in Windows Server 2025. I had to say no – and upon further inquiry, I received some information (thank you for that).
The reader wrote that the issue is relatively new and not yet very public (as far as I know, there is only the forum discussion linked below). However, he left me a brief description of the problem: If an administrator running Windows Server 2025 as a domain controller (DC) also runs the Schema Master (FSMO), problems can arise due to a bug.
The bug causes the schema master to generate duplicate entries in the schema under certain circumstances. This causes Active Directory (AD) replication with other DCs to fail, resulting in a schema mismatch error.
An error description in the Spiceworks Community
The reader pointed me to the post Active Directory replication issue after installing new Exchange server from August 2, 2025, in the Spiceworks Community, where the problem is apparently being discussed for the first time. There, they migrated from Windows Server 2016 to Windows Server 2025 as DC. When they later tried to add Exchange Server SE to the domain, problems arose.
When an attempt was made to demote the old Windows Server 2016 DC at headquarters in order to initiate decommissioning, a schema conflict was reported. A superficial investigation revealed that this prevented replication from the new domain controller with Windows Server 2025 at headquarters to the domain controllers with Windows Server 2016. Replication to the other DCs with Windows Server 2025 works perfectly.
These replication errors occurred literally within a minute of starting the Exchange installation. One of the errors in the event log, error 1203, listed a specific AD object that was preventing replication, again due to a schema incompatibility. Other administrators confirmed this error pattern – further details can be found in the discussion thread.
After I dropped a link to my German blog post on Facebook, numerous administrators responded to my post on Facebook saying they had no problems. But there was one response: "Yes, I went through that. Windows Server 2016 migration to Windows Server 2025. After three days, everything was broken and there was no going back. After Microsoft Support was unable to help, I redid everything and installed Server 2022."
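To see whether a forest shows the pattern described above (schema master on a Windows Server 2025 DC, event 1203 in the Directory Service log, failing replication), the following read-only PowerShell check reports it per domain controller. It is an added example, not taken from the original post or the forum thread; it assumes the ActiveDirectory RSAT module, remote event log access to each DC, and a seven-day look-back window.

```powershell
# Added example (not from the original post): read-only exposure and symptom check.
# Assumes the ActiveDirectory RSAT module and remote event log access to each DC.
Import-Module ActiveDirectory

$since  = (Get-Date).AddDays(-7)   # assumption: 7-day look-back window
$forest = Get-ADForest

# The forest has exactly one schema master; resolve the DC that holds the role.
$schemaMaster = Get-ADDomainController -Identity $forest.SchemaMaster -Server $forest.SchemaMaster

# Enumerate every DC in every domain of the forest.
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$report = foreach ($dc in $dcs) {
    # Event 1203 in the Directory Service log names the object that failed to replicate.
    $events = @(Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = 1203; StartTime = $since })

    # Replication failures currently recorded for this DC.
    $failures = @(Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        DC              = $dc.HostName
        OperatingSystem = $dc.OperatingSystem
        IsSchemaMaster  = ($dc.HostName -eq $schemaMaster.HostName)
        Event1203Count  = $events.Count
        ReplFailures    = $failures.Count
        LastReplError   = ($failures | Select-Object -First 1).LastError
    }
}

if ($schemaMaster.OperatingSystem -like '*2025*') {
    Write-Warning "Schema master $($schemaMaster.HostName) runs $($schemaMaster.OperatingSystem)."
}
$report | Sort-Object Event1203Count -Descending | Format-Table -AutoSize
```

Because errors are suppressed per DC, a count of 0 can also mean the event log or replication data of that DC could not be read.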
Manual workaround: Delete duplicates
To my knowledge, Microsoft is aware of the issue and is already working on a fix. Until then, the only solution is a manual workaround, which involves manually deleting the duplicate entries in the schema.
Addendum: Microsoft has confirmed the issue, see Windows Server 2025: Bug in DC with schema master role confirmed


