Jaa


What are the Schema Extension Requirements for running Windows Server 2008 DFSR?

Ned here again. With the release of Windows Server 2008, a number of customers have asked us whether or not they need to extend the Active Directory schema in order to use the new version of Distributed File System Replication (DFSR).

The answer is, of course: it depends. :)

There are a few DFSR scenarios available in Windows Server 2008, so let’s start by talking about them. Then we’ll see what you as an administrator can decide to do in your environment.

DFSR with SYSVOL

If you want to stop using the legacy File Replication Service (FRS) to keep your SYSVOL shares in sync, you definitely need to extend the schema. This is because only Win2008 DC’s can participate in SYSVOL replication using DFSR, and in order to add Win2008 DC’s, the schema must be at 2008 level (i.e. version 44). Additionally in that scenario, you must be at a Windows Server 2008 Native Domain Functional Level. You can check the schema version of your forest by looking at the objectVersion attribute on the Schema object. You can view this with ADSIEdit or with a Dsquery command:

dsquery.exe * "CN=Schema,CN=Configuration,DC=contoso,DC=com" -scope base -attr objectversion

Here is what the versions will mean:

47 = Windows Server 2008 R2
44 = Windows Server 2008
31 = Windows Server 2003 R2
30 = Windows Server 2003
13 = Windows 2000

DFSR on member servers

Here things get a bit muddier. When we extend the schema to version 44, fifteen new DFSR-related attributes are added. Here’s a table describing them:

Attribute name

Status

ms-DFSR-CachePolicy

Not currently used by DFSR code

ms-DFSR-CommonStagingPath

Not currently used by DFSR code

ms-DFSR-CommonStagingSizeInMb

Not currently used by DFSR code

ms-DFSR-DefaultCompressionExclusionFilter

Used by Windows Server 2008 DFSR

ms-DFSR-DeletedPath

Not currently used by DFSR code

ms-DFSR-DeletedSizeInMb

Not currently used by DFSR code

ms-DFSR-DisablePacketPrivacy

Not currently used by DFSR code

ms-DFSR-MaxAgeInCacheInMin

Not currently used by DFSR code

ms-DFSR-MinDurationCacheInMin

Not currently used by DFSR code

ms-DFSR-OnDemandExclusionDirectoryFilter

Not currently used by DFSR code

ms-DFSR-OnDemandExclusionFileFilter

Not currently used by DFSR code

ms-DFSR-Options2

Not currently used by DFSR code

ms-DFSR-Priority

Not currently used by DFSR code

ms-DFSR-ReadOnly

Used by Windows Server 2008 DFSR

ms-DFSR-StagingCleanupTriggerInPercent

Not currently used by DFSR code

It turns out only two of these new attributes are actually used. The rest are reserved for the future of DFSR (and some are pretty tantalizing, aren’t they? Please don’t get your hopes up too high; there are R2 DFSR attributes that are still unused).

So by extending the schema, there are only two attributes added. What if we didn’t bother? The good news is DFSR will still work fine, replicate data, and not give you any errors or problems about these attributes. The downside is:

  1. You would not be able to make full use of the ms-DFSR-DefaultCompressionExclusionFilter functionality described in KB951003.
  2. You would not be able to make use of the msDFSR-ReadOnly functionality (which is only for RODC’s anyway, so no big loss if you are not using them).

And yes – Win2008 and Win2003 R2 DFSR servers will still happily replicate with each other in this scenario.

So is that it?

Of course not! There is really no compelling reason not to upgrade your schema once you have started to deploy Windows Server 2008 and Vista. If you don’t extend, you won’t get all the other interesting attributes that you might find useful. Things like Bitlocker Drive Encryption Recovery, Credential Roaming, DFS Namespace Version 2, Read-Only Domain Controllers, and the aforementioned DFSR SYSVOL support. These are really compelling features and you’ll need your schema extended to get them.

If you need to track down all the other schema changes made by Win2008, the best two references are:

As always, feel free to comment below. This is ASKDS after all…

(Update 6/3/09 - now includes 2008 R2 schema version. And no, there are no new Schema updates for DFSR in 2008 R2, nor do any of the reserved Schema updates described above change for R2 or start being used.)

- Ned Pyle

Comments

  • Anonymous
    July 03, 2008
    PingBack from http://windows2008security.com/network-security/what-are-the-schema-extension-requirements-for-running-windows/

  • Anonymous
    July 09, 2008
    The list is a little longer today because of not posting last week. Enjoy! Microsoft Advanced Windows

  • Anonymous
    September 11, 2008
    Hello, everyone Below you have a compilation of some very interesting blog posts from AskDS and Extreme

  • Anonymous
    September 12, 2008
    Check out the following posts: What is the purpose of the 'Deleted' folder in DFSR? DFSR and

  • Anonymous
    October 22, 2008
    The comment has been removed

  • Anonymous
    November 15, 2008
    The comment has been removed

  • Anonymous
    November 15, 2008
    The comment has been removed

  • Anonymous
    November 18, 2008
    The comment has been removed

  • Anonymous
    November 18, 2008
    The comment has been removed

  • Anonymous
    November 18, 2008
    Thanks again, I realised I missed the most critical piece of information from my last question! The shares that I was speaking of will actually be on the same server, so I guess what I was hoping is that there was a way to manually re-assign an individual folder target to a different site, even though they were on a server that exists in an unrelated site. Sounds dodgy, I know, and I can't see that it is possible; but I'm hoping there's a way to achieve this (or something like it)!

  • Anonymous
    November 18, 2008
    The comment has been removed

  • Anonymous
    November 19, 2008
    Yeah, thought it was a long shot... Thanks for your help!

  • Anonymous
    November 19, 2008
    We’ve been at this for over a year (since August 2007), with more than 100 posts (127 to be exact), so

  • Anonymous
    April 01, 2009
    The previous post explained the concept of a read-only replicated folder. Now, let us take a look at