none
Windows Server 2016 Domain/Forest Functional Level and FIM 2010 R2 RRS feed

  • Question

  • Good morning,

    This is a supported platform enquiry as we are aware that technically only 2008R2, 2012 and 2012R2 environments are supported by FIM 2010. There are plans to migrate to MIM 2016 however timeframes on this are uncertain and we are curious as to possible impact on this service in the following scenario:

     

    Environment – FIM 2010 R2 running on Windows Server 2012, running in a domain called CONNECT, running with a combination of Windows 2008 R2 and Windows 2016 domain controllers.

     

    FIM utilises an Active Directory Domain Services MA to only read information from a number of other “agency” active directories into the FIM metaverse. These ADs are currently at a variety of functional levels.

     

    This information is then written from the metaverse into the CONNECT AD using another Active Directory Domain Services MA.

     

    1. If one of the agencies replaces all of their DCs with Windows Server 2016 (or higher), will FIM continue to be able to read their data into the metaverse?

     

    2. If only Windows 2016 domain controllers remain in the CONNECT domain (with or without a functional level increase), will FIM continue to function normally?

     

    Hopefully I've provided enough information for a considered answer.

    Thanks for your time,

    Cheers, PF.

    Friday, March 22, 2019 12:15 AM

All replies

  • It will continue to work fine. 

    Thanks,
    Brian

    Consulting | Blog | AD Book

    Friday, March 22, 2019 6:19 PM
    Moderator
  • Hi Brian,

    Thanks for your advice. 

    My concern was with comments from our provider (I work for one of the "agencies" listed in the original post) who runs the CONNECT domain. When they tried to remove the last 2008R2 DC in a Test environment they noted that FIM stopped working (this was also without a Domain Functional Level to Sever 2016 upgrade). Re-adding a 2008R2 DC fixed the issue.

    The test environment is NOT indicative of production (given the scale and work required it was not really viable) and is probably more of a sandpit, so there is the potential that some misconfiguration or other issue caused this behaviour, rather than an inherent "not supported" component.

    The provider has agreed to investigate further. I'll post results in this thread further down the track however this might be some time.

    Cheers, PF

    Tuesday, March 26, 2019 11:19 PM
  • We've done some further investigation and believe that the original question may still be valid.

    Follow on testing has shown that removing the last 2008R2 or 2012R2 server from a domain (leaving 2016 DCs in place) at a 2012 Functional level breaks FIM.

    Provider has forwarded a query to Microsoft PS as per below. I'll provide further updates when we have answers.

    I have FIM 2010 R2 set to syncing with various different AD domain forests using ADMAs. One such domain (in my test environment) contains a Windows 2012 and Windows 2016 domain controller. FIM syncs with the domain with no issues, even if it is only pointing at the Windows 2016 DC.

     

    If I demote the Windows 2012 DC (and reboot the 2016 DC), FIM gives a "no-start-connection" error on a sync with that MA. It reports "Server Down (0x51)" with a "failed-connection" to the Windows 2016 DC, and a "The specified domain either does not exist or could not be contacted (1355)" error in general for the domain connection.

     

    If I promote the Windows 2012 server back to being a domain controller (and reboot the 2016 DC), FIM syncs continue as normal, even if I am only pointing the MA at the 2016 DC.

     

    Is there any way I can make this work once the Windows 2012 DC is demoted?

     

    While this is only a test environment, the concern is that in production FIM is syncing with 11 separate AD domains managed by different entities. These entities are planning upgrades to their AD functional levels in the very near future and I am concerned that it may break our connection to FIM. We have a project underway to replace FIM with MIM, but this will not be complete for quite some time.

    Cheers, PF

    Friday, April 5, 2019 12:38 AM
  • Purple, did you make any progress on this? We are going to be in a similar scenario and are curious of your results integrating FIM 2010 R2 with 2016 Domain Controllers.
    Friday, December 13, 2019 2:45 PM