Questions on Trust between Windows 2003 and Windows 2012 R2

  • Question

  • Hi Experts,

    One of our customer raised the below question:

    Environment:

    Forest A - Forest functional level - Windows 2003

    Forest B - Forest functional level - Windows 2003

    Two way trust in place.

    Requirement:

    Customer wants to upgrade both the forests to Windows 2012 R2 forest functional level.

    Question:

    1. What are the best practices?

    2. Is it good to keep the trust until both the forests are upgraded to Windows 2012 R2?

    Please help.  Many thanks.



    • Edited by SBHV Wednesday, August 17, 2016 11:35 AM
    Wednesday, August 17, 2016 11:34 AM

All replies

  • Hi,

    >>1. What are the best practices?

    Best Practices

    What can be done prior to making this change to ensure that you have as few issues as possible? Actually, there are some best practices here that you can follow:

    1. Verify that all DCs in the domain are, at a minimum, at the OS version to which you will raise the functional level. Yes… I know this sounds obvious, but you’d be surprised. What about that DC that you decommissioned but for which you failed to perform metadata cleanup? Yes, this does happen.

       Another good one that is not so obvious is the Lost and Found container in the Configuration container. Is there an NTDS Settings object in there for some downlevel DC? If so, that will block raising the Domain Functional Level, so you’d better clean that up.

    2. Verify that Active Directory is replicating properly to all DCs. The Domain and Forest Functional Levels are essentially just attributes in Active Directory. The Domain Functional Level for all domains must be properly replicated before you’ll be able to raise the Forest Functional level. This practice also addresses the question of how long one should wait to raise the Forest Functional Level after you’ve raised the Domain Functional Level for all the domains in the forest. Well… what is your end-to-end replication latency? How long does it take a change to replicate to all the DCs in the forest? Well, there’s your answer.

    >>2. Is it good to keep the trust until both the forests are upgraded to Windows 2012 R2?

    Yes, you can.

    Domain or Forest Functional Levels are flags that tell Active Directory and other Windows components that all DCs in the domain or forest are at a certain minimal level. When that occurs, new features that require a minimum OS on all DCs are enabled and can be leveraged by the Administrator. Older functionality is still supported so any applications or services that used those functions will continue to work as before — queries will be answered, domain or forest trusts will still be valid, and all should remain right with the world.

    Please follow this link for more information:

    What is the Impact of Upgrading the Domain or Forest Functional Level?

    https://blogs.technet.microsoft.com/askds/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level/

    ________________________________________
    Best Regards,
    Cartman
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact
    tnmff@microsoft.com.

    Thursday, August 18, 2016 5:44 AM
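The two checks in the answer above (no down-level DC left behind, including stale NTDS Settings objects, and replication fully converged) can be turned into a single pre-flight report. The script below is an added example written for this thread, not code from the reply or from Microsoft. It assumes the ActiveDirectory RSAT module on a Windows Server 2008 R2 or later member server, an Enterprise Admin account with read access to every domain, and that the 2003 DCs may not answer the replication-metadata cmdlet (repadmin /replsummary is the fallback there). It also prints the current domain and forest modes and the existing trusts, so you can see the starting point before anything is raised.

```powershell
# Added example, not part of the thread: pre-flight report before raising the functional levels.
# Assumes the ActiveDirectory RSAT module and a forest-wide (Enterprise Admin) read account.
Import-Module ActiveDirectory

function Test-FunctionalLevelReadiness {
    param(
        # Minimum OS version every DC must run; 6.3 = Windows Server 2012 R2
        [version]$TargetOsVersion = '6.3',
        # Replication older than this to any partner is reported as a blocker
        [int]$MaxReplicationAgeHours = 24
    )

    $forest = Get-ADForest

    # Check 1: enumerate DCs from every domain in the forest. A DC that was decommissioned
    # without metadata cleanup still has its NTDS Settings object and therefore still shows up
    # here with its old OS string, which is exactly what we want to catch.
    $dcs = foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain |
            Select-Object HostName, Domain, Site, OperatingSystem, OperatingSystemVersion
    }
    $downlevel = $dcs | Where-Object {
        # OperatingSystemVersion looks like "5.2 (3790)" on 2003; keep only the "major.minor" prefix.
        # An empty value (stale object with no OS recorded) is treated as a blocker too.
        $v = $_.OperatingSystemVersion -replace '\s.*$', ''
        -not $v -or ([version]$v -lt $TargetOsVersion)
    }

    # Check 1b: orphaned NTDS Settings objects in the Configuration partition's Lost and Found
    # container block raising the level even though no live DC corresponds to them.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $orphaned = Get-ADObject -SearchBase "CN=LostAndFoundConfig,$configNC" -SearchScope Subtree `
        -LDAPFilter '(objectClass=nTDSDSA)'

    # Check 2: replication convergence. Any inbound partner with a non-zero last result or a
    # last success older than the threshold means the raised level may not replicate either.
    # (Windows 2003 DCs may not answer this cmdlet; use repadmin /replsummary for those.)
    $cutoff = (Get-Date).AddHours(-$MaxReplicationAgeHours)
    $replIssues = foreach ($dc in $dcs) {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction SilentlyContinue |
            Where-Object { $_.LastReplicationResult -ne 0 -or $_.LastReplicationSuccess -lt $cutoff } |
            Select-Object Server, Partner, Partition, LastReplicationResult, LastReplicationSuccess
    }

    # Context: where each domain and the forest stand today, and which trusts are in place.
    $levels = foreach ($domain in $forest.Domains) {
        $d = Get-ADDomain -Identity $domain
        [pscustomobject]@{ Domain = $d.DNSRoot; DomainMode = $d.DomainMode }
    }
    $trusts = Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, ForestTransitive

    [pscustomobject]@{
        Forest            = $forest.RootDomain
        ForestMode        = $forest.ForestMode
        DomainModes       = $levels
        Trusts            = $trusts
        DownlevelDCs      = $downlevel
        OrphanedNtdsDsa   = $orphaned
        ReplicationIssues = $replIssues
        ReadyToRaise      = -not ($downlevel -or $orphaned -or $replIssues)
    }
}

# Usage: run once per forest as Enterprise Admin. Every non-empty blocker list has to be dealt
# with (metadata cleanup for stale DCs, repair of failing partners) before Set-ADDomainMode or
# Set-ADForestMode is attempted.
$report = Test-FunctionalLevelReadiness
$report | Format-List
$report.DownlevelDCs | Format-Table -AutoSize
```

Run it in Forest A and Forest B separately; the trust between them is not affected by the raise, so the trust list is there only so you can confirm it is intact before and after the change.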
  • Hi Cartman,

    Thank you very much for your inputs. We have one more question:

    >> Do we have a direct way to upgrade from Windows 2003 to Windows 2012 R2, or first a Windows 2008 upgrade and then a Windows 2012 upgrade?

    Please advise.



    • Edited by SBHV Thursday, August 18, 2016 10:21 AM
    Thursday, August 18, 2016 10:21 AM
  • Hi,

    Direct upgrade from Windows 2003 to Windows 2012 R2 is not supported. I would advise you to build a new server with Windows 2012 R2, promote it as AD, wait for replication to complete, then move the AD roles to the new server. Later, demote Windows 2003 and raise the FFL and DFL on Windows 2012 R2.

    https://technet.microsoft.com/en-us/library/dn303416(v=ws.11).aspx

    -Umesh.S.K

    Thursday, August 18, 2016 10:51 AM
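The sequence in the reply above (promote a new 2012 R2 DC, wait for replication, move the roles, demote the 2003 DC, then raise DFL and FFL) is shown below as scripted steps run from the new server. This is an added example for this thread, not code from the reply or from Microsoft. It assumes placeholder names ('corp.example', 'DC2012', 'DC2003'), that the account used is a member of Enterprise Admins and Schema Admins (promotion on 2012 R2 runs adprep itself, which is what lets a 2003-level forest accept its first 2012 R2 DC), and that the Windows 2003 DC is demoted locally with dcpromo, since it has no AD PowerShell module. The guard before the final step is the point of the example: the level is only raised once no down-level DC object remains.

```powershell
# Added example, not part of the thread: the migration sequence as run from the new 2012 R2 server.
# 'corp.example', 'DC2012' and 'DC2003' are placeholders. Nothing here runs on the 2003 DC itself.
Import-Module ActiveDirectory

# Step 1: promote the new server. Run on the 2012 R2 member server as Enterprise/Schema Admin;
# the promotion performs adprep /forestprep and /domainprep itself. The server reboots when done.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName 'corp.example' `
    -Credential (Get-Credential 'CORP\Administrator') `
    -InstallDns -SiteName 'Default-First-Site-Name' -Force

# Step 2 (after the reboot): wait until every inbound partner of the new DC reports success,
# so its copy of the directory is complete before any operations master role is moved.
function Wait-ReplicationConverged {
    param([string]$DcHostName, [int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $failing = Get-ADReplicationPartnerMetadata -Target $DcHostName -Scope Server |
            Where-Object { $_.LastReplicationResult -ne 0 }
        if (-not $failing) { return $true }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    return $false
}
if (-not (Wait-ReplicationConverged -DcHostName 'DC2012.corp.example')) {
    throw 'Replication to DC2012 has not converged; fix that before moving FSMO roles.'
}

# Step 3: move all five operations master roles to the new DC.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2012' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# Step 4: demote DC2003 with dcpromo on that box (not shown). Then confirm that nothing below
# the target level remains. A decommissioned DC whose metadata was never cleaned up still has
# an NTDS Settings object, still appears here, and would block the raise.
$downlevel = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain | Where-Object {
        $v = $_.OperatingSystemVersion -replace '\s.*$', ''   # "6.3 (9600)" -> "6.3"
        -not $v -or ([version]$v -lt [version]'6.3')
    }
}
if ($downlevel) {
    $downlevel | Format-Table HostName, Domain, OperatingSystem -AutoSize
    throw 'Down-level DC objects remain; demote them or clean up their metadata (ntdsutil) first.'
}

# Step 5: raise the domain level first, then the forest level. Treat this as one-way: the forest
# cannot be taken back down to Windows 2003. Existing trusts keep working across the change.
Set-ADDomainMode -Identity 'corp.example' -DomainMode Windows2012R2Domain -Confirm:$false
Set-ADForestMode -Identity 'corp.example' -ForestMode Windows2012R2Forest -Confirm:$false
```

In a multi-domain forest, Step 5's Set-ADDomainMode has to succeed in every domain and replicate everywhere before Set-ADForestMode will accept the forest raise; the end-to-end replication latency the earlier reply mentions is the wait between those two commands.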
  • Hi,

    I am checking to see if the problem has been resolved. If there's anything you'd like to know, don't hesitate to ask.

    ________________________________________
    Best Regards,
    Cartman
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact
    tnmff@microsoft.com.

    Tuesday, August 23, 2016 8:09 AM