Raise domain functional level from 2003 to 2008 or 2008 R2?

    Question

  • I have decommissioned our older 2003 domain controllers, and now have 1 domain controller running Server 2008 and another running Server 2008 R2.  Everything in the best practices analyzer and the health-check scripts I can find looks good, so I think I'm ready to raise the domain level.  However, since I have 1 DC on 2008 and 1 on 2008 R2, can I raise it to 2008 R2?  The reason I have mixed-match DC OSes is that my DCs also serve as print servers.  I still have 32-bit OSes in my domain and I cannot get all of my printer drivers to work with the 64-bit R2 OS.

    Wednesday, March 06, 2013 2:11 PM

All replies

  • A 2008 DC can be raised to a maximum functional level of 2008. Therefore, I think you can go up to the 2008 functional level only for the forest / domain.

    Wednesday, March 06, 2013 2:20 PM
  • So in a nutshell, to get around the mismatched OS issue and go to the 2008 R2 functional level I should set up a separate print server to serve my 32-bit hosts.
    • Edited by mattatrdp Wednesday, March 06, 2013 2:24 PM
    Wednesday, March 06, 2013 2:23 PM
  • So in a nutshell, to get around the mismatched OS issue and go to the 2008 R2 functional level I should set up a separate print server to serve my 32-bit hosts.

    Correct

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Wednesday, March 06, 2013 3:03 PM
  • Is it a bad idea to raise to 2008 now, and when I have time to set up a new server and reinstall the OS on my 2008 to R2, raise the functional level from 2008 to R2?  Or should I just do it all at once, 2003 - 2008 R2?
    Wednesday, March 06, 2013 4:32 PM
  • Is it a bad idea to raise to 2008 now, and when I have time to set up a new server and reinstall the OS on my 2008 to R2, raise the functional level from 2008 to R2?  Or should I just do it all at once, 2003 - 2008 R2?

    It's not a bad idea to do it in a staged manner, as there are some things that need attention:

    Windows Server 2008:

    Changing the DFL to Windows Server 2008 and later will cause the password for the krbtgt account to be changed in order to support AES 256-bit encryption. (This can sometimes cause Kerberos auth to fail for a while.)

    Windows Server 2008 R2:

    Changes in Kerberos Authentication - Once you're on only Windows Server 2008 R2 DCs or above, DES-only encryption isn't supported anymore.
    http://technet.microsoft.com/en-us/library/dd560670(v=ws.10).aspx

    The Computer Browser Service is disabled by default on Windows Server 2008 R2 DCs, which causes some apps to fail, especially if they use NetServerEnum with the flag SV_TYPE_DOMAIN_CTRL = 0x00000008 to find the PDC/a DC.

    A few things you should know about raising the DFL (and/or) FFL to Windows Server 2008 R2 :
    http://blogs.technet.com/b/askpfeplat/archive/2012/04/09/a-few-things-you-should-know-about-raising-the-dfl-and-or-ffl-to-windows-server-2008-r2.aspx


    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Wednesday, March 06, 2013 5:33 PM
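
The Kerberos points in the reply above can be checked before each stage of the raise. The following read-only PowerShell is an added example, not code from this thread or from Microsoft; it assumes the ActiveDirectory module is available (RSAT or a 2008 R2 DC), and the function name `Get-DflRaiseReadiness` is hypothetical.

```powershell
# Added example: read-only Kerberos pre-checks before raising the DFL.
# Assumption: ActiveDirectory module present and the caller can read the domain.
Import-Module ActiveDirectory

function Get-DflRaiseReadiness {          # hypothetical helper name
    $and         = '1.2.840.113556.1.4.803'   # LDAP bitwise-AND matching rule
    $desOnlyFlag = 0x200000                   # userAccountControl: UF_USE_DES_KEY_ONLY

    # Accounts with "Use Kerberos DES encryption types for this account" set.
    # Computer objects are included because class computer derives from user.
    $flagged = @(Get-ADObject -Properties sAMAccountName `
        -LDAPFilter "(&(objectClass=user)(userAccountControl:${and}:=$desOnlyFlag))")

    # Accounts whose msDS-SupportedEncryptionTypes advertises DES and nothing
    # stronger (0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5, 0x4 RC4, 0x8 AES128, 0x10 AES256).
    $desTypes = @(Get-ADObject -Properties sAMAccountName, 'msDS-SupportedEncryptionTypes' `
        -LDAPFilter '(&(objectClass=user)(msDS-SupportedEncryptionTypes=*))' |
        Where-Object {
            $v = $_.'msDS-SupportedEncryptionTypes'
            ($v -band 0x3) -and -not ($v -band 0x1C)
        })

    New-Object PSObject -Property @{
        # Current level; the oldest DC operating system caps how far it can go.
        DomainMode            = (Get-ADDomain).DomainMode
        DomainControllers     = @(Get-ADDomainController -Filter * |
                                    ForEach-Object { "$($_.Name): $($_.OperatingSystem)" })
        # Record this before the raise to 2008 and compare afterwards.
        KrbtgtPasswordLastSet = (Get-ADUser krbtgt -Properties PasswordLastSet).PasswordLastSet
        DesOnlyFlagged        = @($flagged  | ForEach-Object { $_.sAMAccountName })
        DesOnlyEncTypes       = @($desTypes | ForEach-Object { $_.sAMAccountName })
    }
}

Get-DflRaiseReadiness | Format-List
```

Any account listed under `DesOnlyFlagged` or `DesOnlyEncTypes` depends on DES and should be reviewed before the last pre-R2 DC is retired.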
  • I second Christoffer. It's not a bad idea at all to currently go for the 2008 functional level. I would suggest you go through the information provided here http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(WS.10).aspx . If you think there is not much business justification for you to immediately go for an OS upgrade of your 2008 DC and your needs are fulfilled with the 2008 domain/forest functional level, then I would suggest you go to the 2008 functional level as of now.

    Thursday, March 07, 2013 3:51 AM