AD Schema updates - disable outbound replication or not

  • Last Post 20 August 2016
BrianB posted this 19 August 2016

All:   It has been my practice for years that whenever I perform schema updates I 1) disable outbound replication on the schema master, 2) perform the schema update, 3) verify the rangeupper value for whatever I am updating, 4) re-enable outbound replication, 5) verify rangeupper on remaining domain controllers. I figure that this method helps to isolate the schema master from replicating a bad schema update to all other Domain Controller. The last thing that is written is the rangeupper version number if the update was successful. If the schema update were to go badly, I can seize the roll on another DC and shutdown the bad DC and rebuild. But if the bad schema update were to replicate to all other DC’s then I have a big problem.

  There has been some discussion between me and my colleagues about disabling the outbound replication and that Microsoft advises to not do this. I have found this over at ASKDS blog site that make the statement to not disable but I am not sur eif this is the official stance of Microsoft or based upon experience.

  I would like to get your opinion on the matter since there are several of you who ARE the BOOK and have debunked some incorrect MS statements in the past. I am looking for the correct answer and will admit if I am wrong on the matter.     Brian Britt  

Order By: Standard | Newest | Votes
dloder posted this 19 August 2016

Our final production release process (well after testing in multiple lower environments) involves the creation of a site dedicated to performing the schema extension with the replication window opening several days past the scheduled extension.  Within the site would be the schema master and one other DC.  Once we were satisfied the extension was successful on both the schema master and its intrasite replication partner, we set the replication window back to 24x7 and allow the update to replicate into the rest of the environment.  If there were ever a problem we could detect (of course there never has been), the change is isolated to a controlled number of DCs that can be easily ripped from the environment.  So you get a controlled release without the "dangers" of disabling replication.-- --


PARRIS posted this 19 August 2016

The caveat to this solution though is that if anyone forces replication, the schedules are ignored, in the same way a lag site would be if used for DR purposes.



Mark Parris


Active Directory & Cloud Security Consultancy.


MVP Enterprise Mobility | MCM Directory Services

Mobile: +44 7801


E-mail: mark@xxxxxxxxxxxxxxxx 


Twitter | Blog | LinkedIn | Skype |



slavickp posted this 19 August 2016

Microsoft recommends against blocking replication because too often they have seen people forget to unblock replication. And it was Microsoft who was recommending that procedure, in the early 2000s, so they are dealing with consequences of own advice.
I apply schema changes fully online. If you have wrong schema file coming to and during execution of schema change, it is unlikely that you will realise that in a short period of schema deployment; we try to use reliable source of schema changes. Partial application of schema can be restarted. I heard about “fatal corruption” but I think it’s an urban legend - there are enough safeguards in AD.
So we keep Schema Admins empty (and don’t re-permission Schema partition), know what we do and don’t allow a notion thatbschema changes is a big deal. And yes, our change record state that there will be no rollback. I’m accountable. There is some benefit in being owner and not a consultant 😉


BrianB posted this 20 August 2016

So, is the main reason that Microsoft no longer recommends disabling outbound replication because of people forgetting to re-enable?

My process is to verify the schema update took place on multiple servers in multiple sites, so I eventually would know that somthing is not replicating if it is not updated on other DC's.

Given that we have had multple schema updates over the years for Exchange and Lync and that no problems have resulted i can understand that a track of no problems takes some worry away. But on the otherhand since you live with the schema forever,

and bad update can have some drastic effects.

So is it really a bad thing to disable outbound replication if the main reason MS does not want you to do it is so you dont forget to re-enable? Or am I missing a more pertinent issue?


Get Outlook for Android


slavickp posted this 20 August 2016

The reasons why MS recommends against it are in the AskDS blog you’ve found Brian. There is nothing more to it, really - role isolation worked for so many of us without problem, it’s a valid approach. Many things that are not tested and not specifically supported are.
My point is that there are not many scenarios for “bad update”. And those mostly fall into “idiot schema admin who doesn’t know what he’s doing” category. Which is the same condition that makes role isolation problematic.


robertsingers posted this 20 August 2016

If Active Directory is designed to have it schema updated then perhaps disabling replication is seen as a more dangerous to the environment.

In the last decade change control and risk aversion have created some quite bizarre cultures in organisations.

Get Outlook for Android


g4ugm posted this 20 August 2016

I used to work for an organization who were officially “Risk Averse” yet would not allocate sufficient funds for a proper testing environment, with the result getting changes approved was almost impossible…... and I think the risk is not forgetting to re-enable after a successful update, it’s the risk of leaving it disabled after a failed update, or indeed not having a plan for what happens when the update fails…. Dave Wade