Exchange SE CU update fails with schema version mismatch on Hybrid deployment

Hi @Mason Mcgrath

Thank you for posting your question in Microsoft Q&A. 

We understand you are encountering an issue where the setup fails during the readiness check due to a schema version mismatch, even though the schema update appears successful in ADSI Edit. As my research, this issue may be related to environments where Windows Server 2025 holds the Schema Master FSMO role during Exchange Server schema extensions. In such cases, the schema update process might inadvertently introduce duplicate attribute values in the Active Directory schema. Although the /PrepareSchema step completes successfully and the correct schema version is visible in ADSI Edit, these duplicates can cause a false schema mismatch during the Cumulative Update (CU) setup readiness check. 

This behavior has been observed particularly in Exchange Server Subscription Edition (SE) installations and updates, especially in hybrid environments. 

You can refer via: Active Directory schema extension issue if you use a Windows Server 2025 schema master role | Micro…

To troubleshoot it, could you try to follow these steps: 

Verify the Schema Master Role Holder:  

On a domain controller, run:

netdom query fsmo

Or use PowerShell:

Get-ADForest | Select-Object SchemaMaster

Check the OS version of the schema master DC (use systeminfo or winver on that server). 

If it's Windows Server 2025, this is probably the issue. Transfer the schema master role to a DC running an older version (for example, Windows Server 2022 or earlier) before proceeding:  

Use ntdsutil or the Active Directory Domains and Trusts MMC snap-in to transfer the role. 

Ensure the new schema master is healthy and replication is working. 

Check for AD Replication Issues:  

Even if hybrid mail flow and OAuth are functional, subtle schema inconsistencies might exist.

Run this on your DCs to check for issues. 

repadmin /showrepl

Look in the Application event logs on DCs for issues like 8418 (schema mismatch) or 1203 (NTDS Replication warning about object replication failures due to schema mismatch). 

If duplicates or mismatches are present, they could block the CU installer despite the version looking correct. 

Retry Schema Preparation and CU Installation:  

After transferring the schema master, you could try to rerun setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms_DiagnosticDataON from the CU media on a server in the same domain and site as the new schema master. 

Wait for full AD replication (use repadmin /syncall and monitor with repadmin /replsum). 

Then attempt the CU setup again. If it still fails with a schema error, review the ExchangeSetup.log (in C:\ExchangeSetupLogs) for details, look for entries about AD validation or well-known objects. 

Please understand that our initial reply may not always immediately resolve the issue. However, with your help and more detailed information, we can work together to find a solution. 

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".      

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.