DFS? Raising Forest level to 2008
I have recently upgraded my domain controllers to Server 2008R2. We currently have one 2008 R2 DFS server that was set up on the 2003 domain. Do I need to do anything to the DFS server before I raise the function level of the forest from 2003 to 2008?
Thank you,
Cecil
Hi Cecil,
Based on my understanding, we don’t need to do much about the DFS server before upgrading.
I guess that our target focuses on whether we can utilize the complete DFS feature after we upgrade our domain or forest function level to Windows Server 2008.
In fact, after we upgrade our domain or forest function level to Windows Server 2008, we need to manually enable DFS-Replication and DFS-Namespace.
Regarding DFS feature, the following thread can be referred to as reference.
Windows Server 2008 R2 DFS features
http://social.technet.microsoft.com/Forums/windowsserver/en-US/30c7c282-3504-429f-83e6-b8b88f3d20a2/windows-server-2008-r2-dfs-features?forum=winserverDS
In addition, regarding DFS, the following article can also be referred to for more information.
DFS Step-by-Step Guide for Windows Server 2008
http://technet.microsoft.com/en-us/library/cc732863(v=ws.10).aspx
Best regards,
Frank Shen
Similar Messages
-
Lync 2013 and Raising Forest/Domain Functional Level?
My current forest and domain functional levels are 2008 R2. I know I can safely upgrade the functional levels in most cases, but I want to specifically know with regards to Lync.
Our entire environment, including Lync, is running on Windows Server 2012 R2. (We have no domain joined clients.) We are running Lync 2013 Standard with all the latest updates.
Can I safely raise the forest and domain functional levels to 2012 R2 without impacting Lync?
Hi,
Yes, you can raise Forest and domain function level to Windows Server 2012 R2 without issue.
After raising Forest\domain function level, the new features that rely on the functional level are generally limited to AD itself. Regardless, changing the Domain or Forest Functional Level should have no impact on an application that depends on Active Directory.
More details:
http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx
Best Regards,
Eason Huang
TechNet Community Support -
Credentials needed to raise domain and forest level from 2003 to 2012 R2.
I migrated our environment from a single DC server 2003 to a single DC server 2012 R2. I followed the migration process that is documented by Microsoft and others.
However, I forgot to assign my account Enterprise Admin and Schema Admin before raising the domain and forest levels from 2003 to 2012 R2. My account did have domain admin. The GUI interface did not complain when I raised the level of the domain
and then the forest.
So I am thinking everything is OK.
My question is am I going to have problems down the road with the AD environment?
Thanks for any help or opinions.
Using snapshots for a domain controller is not recommended, as USN rollback can occur. Although in Server 2012 using snapshots for DCs has been improved and made 'safer', I wouldn't use it as a backup solution.
But back to your problem, Beaulieu, is it a single domain/single forest design? And the issue is that you have no membership in schema- and enterprise admins, but you do have a domain admin?
Best Regards,
Jesper Vindum, Denmark
Systems Administrator
Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem. -
Prepare 2003 Forest/Domain for 2008 R2 or 2012 Domain Controllers
Hi,
I would be grateful if you could help me with this:
We have a single Forest/Single Domain structure which is managed by 4 Windows Server 2003 Std Edition. We are now trying to add a Server 2008 R2 as a domain controller. I have followed lots of articles on MS and other website with regards to preparing the Forest and domain before promoting the new server and here is what I got so far:
Schema master - Windows 2003 SE
FFL/DFL both set to 2003
Run Adprep32.exe (found it on 2008 R2 disc) /forestprep and the outcome was:
lDAPDisplayName "uidNumber" defined for object "CN=VintelauidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the lDAPDisplayName value uidNumber and resolve this inconsistency. Then run adprep again.
==============================================================================
OID "1.3.6.1.1.1.1.0" defined for object CN=Vintela-uidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.0" and resolve this inconsistency. Then run adprep again.
==============================================================================
lDAPDisplayName "gidNumber" defined for object "CN=Vintela-gidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the lDAPDisplayName value gidNumber and resolve this inconsistency. Then run adprep again.
==============================================================================
OID "1.3.6.1.1.1.1.1" defined for object CN=Vintela-gidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.1" and resolve this inconsistency. Then run adprep again.
==============================================================================
lDAPDisplayName "gecos" defined for object "CN=Vintela-gecos,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the lDAPDisplayName value gecos and resolve this inconsistency. Then run adprep again.
==============================================================================
OID "1.3.6.1.1.1.1.2" defined for object CN=Vintela-gecos,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.2" and resolve this inconsistency. Then run adprep again.
==============================================================================
lDAPDisplayName "unixHomeDirectory" defined for object "CN=Vintela-homeDirectory,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the lDAPDisplayName value unixHomeDirectory and resolve this inconsistency. Then run adprep again.
==============================================================================
OID "1.3.6.1.1.1.1.3" defined for object CN=Vintela-homeDirectory,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.3" and resolve this inconsistency. Then run adprep again.
==============================================================================
lDAPDisplayName "loginShell" defined for object "CN=VintelaloginShell,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the lDAPDisplayName value loginShell and resolve this inconsistency. Then run adprep again.
==============================================================================
OID "1.3.6.1.1.1.1.4" defined for object CN=Vintela-loginShell,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.4" and resolve this inconsistency. Then run adprep again.
On the Schema master, I ran the AD Schema MMC and deactivated the object for Vintela. I ran adprep32 /forestprep again and still got the same result.
Would you please advise what else can/must be done? Does anyone know anything about Vintela (Quest VAS) and how to get rid of it?
Thanks for your help in advance.
Hi,
Thanks for your post.
In this case, the most likely cause may be that the OIDs are in conflict with the 2008 /forestprep. Could you please let me know if the forest functional level is 2003? If not, please raise it to 2003.
For the information about how to raise functional level, please refer to the articles as below:
What Are Active Directory Functional Levels?
http://technet.microsoft.com/en-us/library/cc787290(WS.10).aspx
Raise the Domain Functional Level
http://technet.microsoft.com/en-us/library/cc753104.aspx
Raise the Forest Functional Level
http://technet.microsoft.com/en-us/library/cc730985.aspx
What is the Impact of Upgrading the Domain or Forest Functional Level?
http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx
Besides, for the best practice, we can back up all domain controllers’ system state for the unexpected issues. Here is one article related to backup Active Directory.
Backing up Active Directory
http://technet.microsoft.com/en-us/library/cc961924.aspx
I hope this information is helpful for you. If there is anything that requires further clarification, please don’t hesitate to let me know.
Best regards,
Ann
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. -
Is there anything that needs to be done or considered when migrating from 2003 domain/forest level to 2008R2 with all DC's at 2008R2 with 2 other 2003 separate Domain incoming and outgoing Trusts, one Trust that is a Forest Trust and the other is an External Trust? Is there any chance or risks that doing this upgrade will break either one of these Trust relationships? Some of the user accounts with SID history have been migrated from both Domain Trusts to our domain. Any chance that this upgrade will break these relationships for users that are using SID history for access to folders and files in their old Domains? If so what can be done to protect these trusts and SID history, prior to moving the Domain to 2008R2?
Hi,
Based on my knowledge, the upgrade of the function level does not affect the trust relationship.
Besides, before you upgrade the Functional Level, verify that all DCs in the domain are, at a minimum, at the OS version to which you will raise the functional level.
Once the Functional Level has been upgraded, new DCs running on downlevel versions of Windows Server cannot be added to the domain or forest.
For more information about function level, we can refer to following links:
Understanding Active Directory Domain Services (AD DS) Functional Levels
http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx
What is the Impact of Upgrading the Domain or Forest Functional Level?
http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx
Best Regards,
Erin -
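Added example (not part of the thread above, and not Microsoft's own script): a read-only pre-flight check for the advice in the preceding answer that every DC must run at least the OS version of the level you raise to. It assumes the ActiveDirectory PowerShell module is available; `$targetLevel` and the labels in the version table are names chosen for this example.

```powershell
# Added example: read-only pre-flight check before raising a functional level.
# Needs the ActiveDirectory module (RSAT, or a Windows Server 2008 R2 or later DC).
Import-Module ActiveDirectory

# Assumption: the level you intend to raise to; use one key from the table below.
$targetLevel = 'Windows2008R2'

# Minimum OS version (major.minor) every DC must run for each target level.
# The key names are labels for this example only.
$minimumOs = @{
    'Windows2008'   = [version]'6.0'
    'Windows2008R2' = [version]'6.1'
    'Windows2012'   = [version]'6.2'
    'Windows2012R2' = [version]'6.3'
}
$required = $minimumOs[$targetLevel]
if (-not $required) { throw "Unknown target level '$targetLevel'" }

$forest = Get-ADForest
Write-Output "Forest $($forest.Name) is at forest mode $($forest.ForestMode)"

# Walk every domain in the forest and every DC in each domain.
$report = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Server $domainName
    foreach ($dc in (Get-ADDomainController -Filter * -Server $domainName)) {
        # OperatingSystemVersion looks like "6.1 (7601)"; keep only major.minor.
        $osVersion = $null
        if ($dc.OperatingSystemVersion) {
            $osVersion = [version](($dc.OperatingSystemVersion -split ' ')[0])
        }
        New-Object PSObject -Property @{
            Domain      = $domainName
            DomainMode  = $domain.DomainMode
            DC          = $dc.HostName
            OS          = $dc.OperatingSystem
            OSVersion   = $dc.OperatingSystemVersion
            # A DC with no recorded OS version is treated as a blocker.
            MeetsTarget = ($osVersion -ne $null -and $osVersion -ge $required)
        }
    }
}

$report | Sort-Object Domain, DC |
    Format-Table Domain, DomainMode, DC, OS, OSVersion, MeetsTarget -AutoSize

# Any DC below the required version blocks the raise.
$blockers = @($report | Where-Object { -not $_.MeetsTarget })
if ($blockers.Count -gt 0) {
    Write-Warning "$($blockers.Count) DC(s) are below $targetLevel; do not raise the level yet."
} else {
    Write-Output "All DCs meet the OS requirement for $targetLevel."
}
```

The script only reads from the directory; it does not change the functional level.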
In Final Cut Pro x, Somehow my video got muted and I can't find a way to UNMUTE it!
(it won't let me manually lift up or down the waveform - nor go in and raise the level of loudness)
Any suggestions? (How to unmute)
Do you know how to use the volume adjustment line?
If so, is it not working?
Can you post a screenshot of your audio? -
How to check DFS replication status in windows 2008 r2 file server
Hi,
I have created File server DFS namespace between 2 windows 2008 R2 server. namespace mode is 2008. I have copied 3 TB data on file server 1. now it is getting replicated from file server 1 to file server 2. till now the data is not fully replicated.
My question is how can I check the status of DFS replication? How will I come to know that the initial replication is completed.
Scorpio. Yes you are right. Microsoft officially says it will not work. My apologies. Thanks for the correction.
Do Ultrasound and Sonar work with DFS Replication?
No. DFS Replication has its own set of monitoring and diagnostics tools. Ultrasound and Sonar are only capable of monitoring FRS.
Is there a way to know the state of replication?
Yes. There are a number of ways to monitor replication:
DFS Replication has a management pack for System Center Operations Manager 2007 that provides proactive monitoring.
DFS Replication has an in-box diagnostic report for the replication backlog, replication efficiency, and the number of files and folders in a given replication group.
Dfsrdiag.exe is a command-line tool that can generate a backlog count or trigger a propagation test. Both show the state of replication. Propagation shows you if files are being replicated to all nodes. Backlog shows you how many files still need to replicate before two computers are in sync. The backlog count is the number of updates that a replication group member has not processed. On computers running Windows Server 2008 R2, Dfsrdiag.exe can also display the updates that DFS Replication is currently replicating.
Scripts can use WMI to collect backlog information—manually or through MOM.
Miguel Fra /
Falcon IT Services
Computer & Network Support, Miami, FL
Visit our Knowledgebase and Support Sharepoint Site -
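Added example (not part of the thread above): one way to combine the WMI and Dfsrdiag.exe options listed in the preceding answer to see whether initial replication has finished. The server, replication group and folder names are hypothetical, and the text matched in the dfsrdiag output assumes the tool's English wording.

```powershell
# Added example: check DFS Replication state and backlog for one replicated folder.
# Hypothetical names: replace the servers, replication group and folder with your own.
$sendingMember   = 'FS1'    # server that holds the original data
$receivingMember = 'FS2'    # server still receiving the data
$groupName       = 'Data'
$folderName      = 'Data'

# State values of the DfsrReplicatedFolderInfo WMI class.
$stateName = @{
    0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'
    3 = 'Auto Recovery'; 4 = 'Normal';      5 = 'In Error'
}

# 1) Per-member state. A member that is still doing initial replication reports
#    'Initial Sync'; it moves to 'Normal' once initial replication has finished.
foreach ($server in @($sendingMember, $receivingMember)) {
    Get-WmiObject -ComputerName $server -Namespace 'root\MicrosoftDFS' `
                  -Class DfsrReplicatedFolderInfo |
        Where-Object {
            $_.ReplicationGroupName -eq $groupName -and
            $_.ReplicatedFolderName -eq $folderName
        } |
        Select-Object @{ n = 'Server'; e = { $server } },
                      ReplicationGroupName,
                      ReplicatedFolderName,
                      @{ n = 'State'; e = { $stateName[[int]$_.State] } }
}

# 2) Backlog from the sending member to the receiving member.
$output = & dfsrdiag.exe backlog "/rgname:$groupName" "/rfname:$folderName" `
                                 "/smem:$sendingMember" "/rmem:$receivingMember"
$text = $output -join "`n"

# Assumption: English output containing "Backlog File Count: N" or "No Backlog".
if ($text -match 'Backlog File Count:\s*(\d+)') {
    $backlog = [int]$Matches[1]
    Write-Output "$backlog file(s) still to replicate from $sendingMember to $receivingMember"
} elseif ($text -match 'No Backlog') {
    Write-Output "$receivingMember is in sync with $sendingMember"
} else {
    Write-Warning "Could not read the backlog count; raw dfsrdiag output follows."
    $output
}
```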
Forest Level Trust to limited number of DC's
I need to establish a 1-way forest level trust between 2 forests across firewalls. The source forest has a single domain with 13 domain controllers. Is it possible to limit the trust communication to only 2 domain controllers in the source domain or do I need to open up the required ports from the target domain controllers to all the DC's in the source forest?
Hi,
Based on my understanding of forest trust, if you create a one-way, forest trust between forest A (the trusted forest) and forest B (the trusting forest), members of forest A can access resources located in forest B, but members of forest B cannot access resources located in forest A using the same trust. There is no limitation for the number of DCs.
In addition, for the ports used by trusts, you can refer to the link below:
How Domain and Forest Trusts Work
Best regards,
Susie -
Dirsync - does it have to be done at forest level?
Hi,
Scenario:
Single Forest
3 Domains (DomainA, DomainB, DomainC)
Each domain has a separate Azure Tenant, the key is not to have user "bleed" between tenants thus only users in DomainA are in AzureTenantA, users in DomainB in AzureTenantB etc. As I understand it the only way to achieve this is to install a DirSync server per domain but at Forest level and then apply filters to stop the sync'ing of all the users within the entire Forest into the Azure tenants.
Which brings me to the question in the title of this thread, does DirSync have to be done at the forest level?
Cheers
Rob
Thanks for the reply Vivian.
With a bit of testing I've got this working now.
I built a test Active Directory on-premise with a single root domain forest with two tree domains like so:
The plan is to only sync the users from DomainA into AAD.
I've installed DirSync onto the DC in DomainA and configured a service account within this domain. This service account needs adding to the Enterprise Admins group in the root forest domain. I also had to add the account to the domain admins group
within DomainA as well.
On configuring DirSync I hit a "constraint violation" error, this was resolved by giving delegated access with "Replication permissions" to the service account created by DirSync (usually MSOL_xxxx) to DomainA. This allowed
the configuration of DirSync to run.
If I now run a full sync the AAD is populated with users from DomainA, DomainB and Forest. This isn't what I wanted.....so off to DirSync FIM Synchronization service.
In here I opened the "Active Directory Connector" within the Management Agents. Select "Configure Connector Filter" -> "User" and add two new filters based on "UserPrincipalName" with a "Contains" operator for the two domains I don't need (DomainB and Forest).
Forced a Sync and hey presto I have only DomainA users in AAD.
Hopefully this information will be helpful to others. -
Windows 2012 root certification authority in a 2003 Domain/ Forest level
Hello,
We are currently on Windows 2003 Domain & Forest Functional Level. Our Root CA is also currently on Windows 2003 DC.
If we have to set up a new Root/Issuing CA (not exporting the current 2003 CA cert) on Windows 2012 R2 servers, is it then mandatory to first upgrade Domain & Forest levels to 2012 R2? Can we have a PKI infrastructure with Enterprise CA's on a Windows 2012 Platform but the Domain/Forest levels still on 2003 level? I understand it will be good to have everything on 2012 R2, but can a mix of 2003 domain level and 2012 CA work?
Hi,
Look at the thread below, it might help:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/fa8cac92-0f71-426c-ac95-e89e90e1c8d1/certificate-authority-and-forestdomain-functional-level?forum=winserversecurity
Basically the answer is yes you can have CA on 2012 R2 and DFL/FFL still on 2003.
Regards,
Calin -
Domain functional level 2003 -- 2008 and TMG 2010 (sp2 rollup 2)
Hi,
We want to raise our domain and forest functional level from 2003 to 2008. All DC's have been on 2008 or 2008R2 for about two years.
I cannot find if there is any impact on TMG 2010 sp2 rollup 2. Does anyone know if this will bring any issues?
Thanks!No impact. From a TMG perspective, go ahead.
Hth, Anders Janson Enfo Zipper -
I have four sites each with a Windows 2012 R2 domain controller, one of which has all the FSMO roles, and replication is successful. Currently the Domain and Forest Functional levels are all Windows Server 2008 R2 and I would like to raise them each respectively to Windows Server 2012 R2.
Here are my questions:
Can I do this on the fly and what are the do's and don'ts? There are no other domain controllers lower than Windows Server 2012 R2.
Thank you!
Yes, you can do it on the fly. As long as you don't have any pre-2012 R2 DCs, then you are good to go.
The changes introduce new functionality that more than likely *may* affect your current apps, such as 2012 R2 will no longer authenticate using NTLM authentication. But I'm sure you've already done your research on that and are ready to go. :-)
If not, I would inventory your apps, contact the vendors to understand if they will still work, etc, just to make sure. Here are the changes introduced with the different levels:
Understanding Active Directory Domain Services (AD DS) Functional Levels
http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights. -
DFS-R Top level NTFS Permissions
Hi,
As part of my setup, I'm trying to implement a new DFS-R share between 2x Windows 2003 R2 and 1x 2008 R2 servers
I've been experimenting with the DFS-R, and I've found that if I try to change the NTFS partitions of the top-most folder, then these permissions are not replicated to the other duplicates on the other servers. Sub-file and sub-folder perms are.
I've also found that if I do modify the top-level folder, then that server stops replicating to the others - with no errors in the event logs! Disaster!! In my testing, all I did was add another user's read access, and then that stops replication!!
So - if I need to control the top-level perms, do they all have to be in sync and set up manually?
Hi Shaon,
Sorry I had to actually set up the server on the remote site. So no - I'm still seeing issues.
I ran that DFSutil on serv14. I don't know why it doesn't show the ClientApps DFS replication.
2 entries...
Entry: \Ubiq-serv1\Users
ShortEntry: \Ubiq-serv1\Users
Expires in 24 seconds
UseCount: 1 Type:0x81 ( REFERRAL_SVC DFS )
0:[\UBIQ-SERV1\Users] AccessStatus: 0 ( ACTIVE TARGETSET )
Entry: \ubiquisys.local\sysvol
ShortEntry: \ubiquisys.local\sysvol
Expires in 562 seconds
UseCount: 0 Type:0x1 ( DFS )
0:[\UBIQ-SERV14.ubiquisys.local\sysvol] AccessStatus: 0 ( ACTIVE TARGETSET )
1:[\UBIQ-SERV1.ubiquisys.local\sysvol] ( TARGETSET )
2:[\ubiq-serv9.ubiquisys.local\sysvol]
3:[\ubiq-serv8.ubiquisys.local\sysvol]
4:[\UBIQ-SERV10.ubiquisys.local\sysvol] ( TARGETSET )
DfsUtil command completed successfully.
I'm also seeing folders/files not replicate between 14 and 9. Some do, some don't. Seems to be zero byte files causing most of the issues. -
Raising Functional level - From 2003 to 2008R2
Recently I have completed the AD upgrade from 2003 to 2012. Now all sites have 2012 DCs only. Next I plan to raise the functional level of both Forest and Domain from 2003 to 2008R2.
I want to know the things to take care of before doing this upgrade.
Hi,
If you are only using 2012 DCs then you may want to go straight to 2012 functional level. The functional level change is generally classed as low impact and simply tells AD it can use all its additional features.
There is no real roll back if any issues are caused during or after the change, so you need to ensure you have full backups and are aware of the forest recovery process. Make sure you have spoken to all your software vendors whose software integrates with
AD before doing the change to ensure that it won't affect the running of this software.
There is a very good article here from the MS Directory team on the process and the impact.
http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx
Regards,
Denis Cooper
MCITP EA - MCT
Help keep the forums tidy, if this has helped please mark it as an answer
-
Cannot Raise Functional Level in 2003 server
Replacing 2003 server with 2008 R2, and in order to migrate ADDS I tried to raise the domain functional level to "Windows 2003", but the Raise button is disabled and cannot be clicked.
After executing this command I found:
\netdom query fsmo
Schema Owner DC1.domain2.net
Domain Role Owner DC1.domain2.net
PDC Role DC1.domain2.net
RID Pool Manager DC1.domain2.net
Infrastructure Owner Dc1.domain2.net
:\\repadmin \options
Current DC options: (none)