Windows 2008 R2 forest and domain functional level upgrade

  • Question

  • We are currently upgrading a Windows 2003 env. to Windows 2008 R2. We have replaced all domain servers with 2008 R2 SP1. Only one Windows 2003 SP2 DC is still kept.

    Actually I am afraid of what will happen if the last 2003 DC is removed.

    I have the following questions.

    1- If we demote the last DC, what will the forest and domain level be? Will it automatically raise the functional level?

    2- Or will the functional level of the domain and forest be 2003 until I change it manually?

    3- Temporarily I disconnected the physical cable of the last 2003 DC, so all the DCs were 2008 R2, and then there was a problem with Cisco ACS 4.0 authentication for VPN users. When I connect this 2k3 DC the problem is solved, and when I disconnect this DC the problem is back again. I did all 3 security policy changes as described in the 2k8 R2 upgrade but still have the same problem.

    4- What other problems can I face if I upgrade the forest and domain functional level to 2k8 R2?

    thanks

    faisal


    SMF
    Friday, March 25, 2011 2:57 PM

Answers

  • Hello,

    1. They will stay until you raise them manually.

    2. See 1.

    3. The best way is to test all options without having the DC demoted. Make sure the new DCs are all GCs and the FSMOs are transferred. Additionally, ensure that all domain machines use only the new DNS servers on the NIC, stop the DNS server service on the old one after the change and set it to manual, so you can still see what's going on.

    For the Cisco ACS, check with Cisco support what has to be changed in the configuration.

    4. Functional levels only have an effect on DCs, not on the network or the problem with the Cisco ACS. You just can't add lower OS DCs to the domain, and trusts to NT4 domains are no longer possible if you use the Windows Server 2008 R2 functional level.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Friday, March 25, 2011 3:03 PM
  • 1- It will stay the same until you raise it. There is no automatic raise of the domain level.

    2- Yes. To raise the domain functional level, refer to this Microsoft article: http://support.microsoft.com/kb/322692

    3- Are you sure that there are no computers / servers still using this DC as DNS server? Are you sure that you have at least one GC on the 2k8 servers?

    Make sure that each DC / DNS is pointing to itself as primary DNS server

    Make sure that each DC without DNS is using the correct internal DNS server as primary one

    Run net.exe stop netlogon & net.exe start netlogon on your DCs to make sure that you don't have missing DNS records

    Make sure that your clients/member servers are pointing to the correct internal DNS server as primary one.

    Once done, check what happens if you take the 2k3 server offline.

    Also, check which FSMO roles this DC is holding using netdom query fsmo.

    For Cisco problems, please contact Cisco Technical Support.

    4- If you raise your domain functional level to Windows Server 2008 R2, you will not be able to add DCs with an OS lower than 2008 R2. If you raise your FFL and DFL to Windows Server 2008 R2, you can use new features like AD recycle bin.

     


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Microsoft Student Partner
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration

    Friday, March 25, 2011 3:13 PM
  • For your 1st & 2nd questions, the answer is that there is no automatic raising/changing of DFL & FFL; it has to be done manually.

    For the 3rd question, have you changed the preferred DNS server & alternate DNS server IP on the DCs' as well as the clients' NICs to point to the new server? If not, that is why it is creating the issue.

    For the 4th question, there is no issue with Windows 2008 R2 DFL/FFL; there are only benefits like AD recycle bin, DFSR, BranchCache (it works with Win7), GPO preferences etc.

    Are all the DCs also GCs, and are all the sites & subnets properly defined & mapped to their sites & links?

    http://praetorianprefect.com/archives/2009/10/server-2008-r2-active-directory-functional-levels/

     

    Regards


    Awinish Vishwakarma| MY Blog

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Friday, March 25, 2011 3:28 PM
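
The checks the answers above ask for (functional levels, FSMO holders, global catalogs, DNS settings on the DCs) can be collected in one read-only pass. This is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module, WMI access to the DCs, and a placeholder DC name `OLD-DC01`.

```powershell
# Added example: read-only checks before retiring the last Windows Server 2003 DC.
# Assumes the ActiveDirectory module and rights to query WMI on the DCs.
Import-Module ActiveDirectory
$OldDc = 'OLD-DC01'   # placeholder: short name of the 2003 DC

$forest = Get-ADForest
$domain = Get-ADDomain
$dcs    = @(Get-ADDomainController -Filter *)
$old    = $dcs | Where-Object { $_.Name -eq $OldDc }

# 1. Functional levels: these only change when raised manually.
"Forest functional level: $($forest.ForestMode)"
"Domain functional level: $($domain.DomainMode)"

# 2. FSMO holders (the same data 'netdom query fsmo' prints).
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $state = if ($r.Value -like "${OldDc}.*") { 'STILL ON OLD DC' } else { 'ok' }
    '{0,-21} {1} [{2}]' -f $r.Key, $r.Value, $state
}

# 3. Global catalogs: every remaining DC should be a GC.
$notGc = @($dcs | Where-Object { $_.Name -ne $OldDc -and -not $_.IsGlobalCatalog })
"Remaining DCs that are not GCs: $($notGc.Count)"
$notGc | ForEach-Object { "  $($_.HostName)" }

# 4. DNS client settings on the remaining DCs: none should list the old DC.
foreach ($dc in $dcs | Where-Object { $_.Name -ne $OldDc }) {
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration `
                -ComputerName $dc.HostName -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        $dns   = @($nic.DNSServerSearchOrder)
        $state = if ($old -and ($dns -contains $old.IPv4Address)) { 'LISTS OLD DC' } else { 'ok' }
        '{0,-25} DNS: {1} [{2}]' -f $dc.HostName, ($dns -join ', '), $state
    }
}
```

The loop in step 4 can be pointed at member servers as well, since any machine that still resolves through the old DC will fail the same way when it goes offline.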

All replies

  • I just want to add one more thing...because of concerns people have raised about this process, the product team decided to placate our fears and give us the ability to roll back the forest functional level!  Honestly, this won't help you since you're coming from 2003 but, here are some additional details for those that care:

    "After you set the forest functional level to a certain value, you cannot roll back or lower the forest functional level, with one exception: when you raise the forest functional level to Windows Server 2008 R2 and if Active Directory Recycle Bin is not enabled, you have the option of rolling the forest functional level back to Windows Server 2008. You can lower the forest functional level only from Windows Server 2008 R2 to Windows Server 2008. If the forest functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server 2003."

    http://technet.microsoft.com/en-us/library/cc730985.aspx

    Oh, and whenever people ask me this question, I must admit I'm a bit baffled.  You've already performed the steps that would cause something to go wrong when you introduced the first 2008 R2 domain controller.  I'd be much more concerned about running adprep /forestprep (which updates the SCHEMA!!!).  When you raise the forest functional level, you're basically setting a bit in AD that says "Ok, all my domains are 2008 R2, and I'm ready to start using the new functionality of 2008 R2!".  If anything goes wrong, it would be because the 2003 server is not available, NOT because you raised the forest functional level.  Also, check out this link:

    W2K3 to W2K8 and W2K8R2 Active Directory Upgrade Considerations
    http://blogs.technet.com/b/glennl/archive/2009/08/21/w2k3-to-w2k8-active-directory-upgrade-considerations.aspx

    This is basically a list of things that could go wrong during the upgrade process...notice nothing mentions raising the forest functional level :)

    Thanks!

    Friday, March 25, 2011 4:03 PM