Raising Functional level - From 2003 to 2008R2

Recently I have completed the AD upgrade from 2003 to 2012. Now all sites have 2012 DCs only. Next I plan to raise the functional level of both the forest and the domain from 2003 to 2008R2.
I want to know the things to take care of before doing this upgrade.

Hi,
If you are only using 2012 DCs then you may want to go straight to 2012 functional level. The functional level change is generally classed as low impact and simply tells AD it can use all its additional features.
There is no real rollback if any issues are caused during or after the change, so you need to ensure you have full backups and are aware of the forest recovery process. Make sure you have spoken to all your software vendors whose software integrates with AD before doing the change to ensure that it won't affect the running of this software.
There is a very good article here from the MS Directory team on the process and the impact.
http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx
Regards,
Denis Cooper
MCITP EA - MCT
Help keep the forums tidy, if this has helped please mark it as an answer

Similar Messages

  • Cannot Raise Functional Level in 2003 server

    Replacing a 2003 server with 2008 R2, and in order to migrate ADDS I tried to raise the domain functional level to "Windows 2003", but the Raise button is disabled so I cannot click on it.

    After executing this command I found:
    \netdom query fsmo
    Schema Owner          DC1.domain2.net
    Domain Role Owner     DC1.domain2.net
    PDC Role              DC1.domain2.net
    RID Pool Manager      DC1.domain2.net
    Infrastructure Owner  Dc1.domain2.net
    :\\repadmin \options
    Current DC options: (none)

  • Credentials needed to raise domain and forest level from 2003 to 2012 R2.

    I migrated our environment from a single DC server 2003 to a single DC server 2012 R2.  I followed the migration process that is documented by Microsoft and others.
    However, I forgot to assign my account Enterprise Admin and Schema Admin before raising the domain and forest levels from 2003 to 2012 R2.  My account did have domain admin.  The GUI interface did not complain when I raised the level of the domain and then the forest.
    So I am thinking everything is OK.
    My question is am I going to have problems down the road with the AD environment?
    Thanks for any help or opinions.

    Using a snapshot for a domain controller is not recommended, as USN rollback can occur. Although in Server 2012 using snapshots for DCs has been improved and made 'safer', I wouldn't use it as a backup solution.
    But back to your problem, Beaulieu, is it a single domain/single forest design? And the issue is that you have no membership in Schema Admins and Enterprise Admins, but you do have a domain admin?
    Best Regards,
    Jesper Vindum, Denmark
    Systems Administrator
    Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.

  • Migrating enterprise root CA from 2003 to 2008R2 - specific situation

    So I have the following setup:
    Windows 2003R2 SP2 - owning all FSMO roles, root CA
    Windows 2003R2 SP2 - DC
    I want to upgrade the domain to Windows 2008 R2 and migrate the root CA. Since for CA migration it is essential that I preserve the same name, what would be the high-level order of actions?
    1) move FSMO roles to 2nd win2k3 DC
    2) backup CA 
    3) depromo and remove server from domain
    4) join win2k8r2 to the domain under same name
    5) restore CA on it
    6) prepare forest/domain
    7) DC promo
    8) transfer FSMO roles
    9) depromo and remove old servers
    OR
    1) move FSMO roles to 2nd win2k3 DC
    2) join win2k8r2 to the domain 
    3) backup root CA
    4) prepare forest/domain
    5) depromo and remove ex win2k3 server from domain
    6) rename win2k8 so it matches removed server
    7) restore CA on it
    8) DC promo
    9) transfer FSMO roles
    10) depromo and remove old servers
    Biggest question is should I DC promo 1st and then restore CA or other way around?

    I migrated but I have a few small issues:
    1) after I restored the backup I can't see issued certificates
    2) In certmgr.msc when I do Automatically enroll and retrieve certificates no templates are available, but when I go to the personal container and request a certificate I see templates and my cert request finishes fine. Also I tried auto-enroll over IIS, which works, and over the web form, which also works.
    There is 1 more confusing step from this guide http://technet.microsoft.com/pt-pt/library/ee126140(v=ws.10).aspx#BKMK_RestoreReg
    If the target CA's computer name is different from the source CA's computer name, search the file for the host name of the source CA computer. For each instance of the host name found, ensure that it is the appropriate value for the target environment. Change
    the host name, if necessary. Update the CAServerName value.
    Important
    If the host name is located in the .reg file as part of the CA name, such as in the Active value within the Configuration key or the CommonName value within the CAName key,
    do not change the setting. The CA name must not be changed as part of the migration. This means the new target CA must have the old CA's name, even if part of that name is the old CA's host name.
    So do I change it since my new CA has a new name or not? I did change it but am not sure what the effect is, since I did not change the Common name and Active value which contain the old CA name.
    Comments?

  • Migration from 2003 to 2008R2 - Questions from a first-timer

    How is everybody doing. 
    I'm managing for the very first time a WSUS server.
    Right now there's a WS2003x64 SP2 STD handling this role. The issue is that this server has gotten out of control: MMC crashes all the time due to different causes. For example: when I try to delete more or less 20 PCs it crashes, when I try to run the cleanup
    utility it also happens, when this occurs all the actions that were started don't happen and WSUS stays the same.
    This made me recommend the option of starting a new server (I've said to use a 2008R2 which I believe will have SP1 installed, don't know if it makes a difference here). Here's my thinking, I'd like to get any recommendation regarding these steps:
    1- Install OS and role (with IIS, WID and Report Viewer 2008): does the role automatically install all necessary tools for report creation and PCs reporting to the WSUS? After that update WSUS to SP2.
    The server will use a different IP than the actual.
    2- Create all the necessary Computer Groups: will use a couple of groups for testing and then split all servers and user computers in Critical (for servers), Download & Choose Install (for servers), Automatic Install (for servers) and Workstations (automatic install), Critical Workstations (DL & choose) and use client-side targeting to fill them.
    3- Apply GPOs on the OUs hosting each type of computers: here I have a question; can I have the same computer apply to two different WSUS? In my mind the computer status should be the same on both so it shouldn't be a problem.
    4- Choose the products and type of updates to synchronize.
    5- Start synchronization with Windows Update to retrieve available updates.
    And that should be it. Will this work? I guess I'm missing info here regarding implementation, let me know and I'll tell you what my plan is.
    Thanks.

    When I start synchronizing the server: which updates for approval will show? All the available ones on Windows Update catalog or only the ones that are missing on the computers/servers on our environment?
    The Windows Update Agent will flag any update that is Not Installed and could be installed as "Needed". That does not, however, mean that the update should be installed, or that it would be installed even if you approved it.
    Rule #1: Do not approve updates that are superseded. That will solve 90% of the issues right off the top.
    Rule #2: Do not approve updates that are not listed as "Needed". (You can approve them later if you want them available for future systems.)
    Rule #3: Consider approving updates in small to medium quantity batches. I suggest focusing on only Security Updates to start with. As the WSUS server downloads the updates, the clients will start to see these updates as available for installation. If you
    approve a large number of updates, the download may take several days. Invariably this results in a client installing small batches of updates over several days, which has a unique tendency to totally annoy the person trying to use the computer to do real
    work.
    Regarding WSUS functionality: When I approve an update and it installs automatically due to GPO setting the 4th option. Now I have to uninstall it because it crashes an application being used in the company.
    This can be a real problem -- which is why the most important part of patch management is TEST TEST TEST. Identify a PILOT group of highly-trusted and aware users for doing your initial deployment. If they don't encounter any issues in 48-72 hours, then
    it's appropriate to unleash the updates on the rest of the organization.
    When Automatic Updates searches again for new patches, will WSUS push and install the same update again?
    Well, that depends. If you identify an update that is defective, the very first thing you should do is decline the update. This will prevent most future installations of the update. Clients that have already downloaded the update will still try to install
    it until they discover it has been declined. If the update is declined, and you then uninstall the update, the client will not attempt to install the update again because it does not have an approval. If you don't remove the approval and remove the update,
    the client will most definitely attempt to (re)install that update at the next opportunity.
    When does it stop pushing updates? Can I configure that?
    When you remove the approval for installation via the WSUS console.
    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

  • Domain functional level 2003 -- 2008 and TMG 2010 (sp2 rollup 2)

    Hi,
    We want to raise our domain and forest functional level from 2003 to 2008. All DC's have been on 2008 or 2008R2 for about two years.
    I cannot find if there is any impact on TMG 2010 sp2 rollup 2. Does anyone know if this will bring any issues?
    Thanks!

    No impact. From a TMG perspective, go ahead.
    Hth, Anders Janson Enfo Zipper

  • Existing 2003 forest functional level -- 2012 forest functional level in production environment?

    Hello experts!  
    A quick question if it can be one:
    Is it possible to raise a forest functional level from 2003 to 2012 in a production environment (only 2003 DCs with existing roles to only 2012 DCs)?  If so, is there a standard implementation of the upgrade process
    (migration of roles, migration tools, etc.)?
    many thanks!
    David

    hi,
    Thanks for posting. 
    Sorry, I don't know if I am understanding your question. Are you talking about upgrading your DCs in your current forest to 2012 then raising the functional level? 
    If so, first of all you can only raise the forest and domain functional levels when all DCs in the forest and domain are at 2012 or higher. 
    To get your domain onto 2012 DCs there are a couple of paths you can adopt, but generally the simplest is:
    1. Introduce your first 2012 / 2012 R2 DC into your existing domain, this will extend the schema with the additional attributes that are required to 2012 - this is an automatic process during promotion of your first 2012 DC.
    2. Go through and start replacing your existing domain controllers. You don't normally do an in-place upgrade, the preferred method would be to use different hardware, build up the new DC to replace your existing one, then demote the existing one - keep going through this process until all your DCs are 2012.
    NB: whichever DC(s) currently holds the FSMO roles you will need to transfer these to one of your new 2012 DCs before you decommission that one. 
    If I've got what you were asking wrong, please let me know, otherwise hopefully this helps.
    Regards,
    Denis Cooper
    MCITP EA - MCT
    Help keep the forums tidy, if this has helped please mark it as an answer
    Blog: http://www.windows-support.co.uk 
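
A pre-flight check for the prerequisites named in the replies above (every DC must run at least the OS that matches the target level, and FSMO roles must be moved off any DC that is to be replaced), as an added example that is not part of the original posts. The function name, host names and sample inventory are constructed; the commented lines at the end show how the same inputs can be read with the ActiveDirectory module.

```powershell
# Added example (not from the original posts). Host names and inventory are constructed.

# Lowest OS version (major.minor) every DC must run for each target functional level.
$MinOsVersion = @{
    '2008R2' = [version]'6.1'
    '2012'   = [version]'6.2'
    '2012R2' = [version]'6.3'
}

function Test-FunctionalLevelReadiness {
    param(
        [Parameter(Mandatory)][ValidateSet('2008R2', '2012', '2012R2')][string]$TargetLevel,
        [Parameter(Mandatory)][object[]]$DomainControllers,
        [hashtable]$FsmoHolders = @{}   # role name -> DC host name
    )

    $required = $MinOsVersion[$TargetLevel]
    $blockers = foreach ($dc in $DomainControllers) {
        # OperatingSystemVersion looks like "6.2 (9200)"; keep the part before the build number.
        $osVersion = [version](($dc.OperatingSystemVersion -split ' ')[0])
        if ($osVersion -lt $required) {
            # List any FSMO roles still held by this DC so they can be transferred first.
            $roles = $FsmoHolders.GetEnumerator() |
                Where-Object { $_.Value -eq $dc.HostName } |
                ForEach-Object { $_.Key }
            [pscustomobject]@{
                HostName  = $dc.HostName
                OsVersion = $osVersion.ToString()
                FsmoRoles = (@($roles) -join ', ')
            }
        }
    }

    [pscustomobject]@{
        TargetLevel = $TargetLevel
        Ready       = (@($blockers).Count -eq 0)
        Blockers    = @($blockers)
    }
}

# Constructed sample inventory: two 2012-era DCs and one remaining 2003 DC that still holds roles.
$sampleDcs = @(
    [pscustomobject]@{ HostName = 'dc01.example.test'; OperatingSystemVersion = '6.2 (9200)' }
    [pscustomobject]@{ HostName = 'dc02.example.test'; OperatingSystemVersion = '6.3 (9600)' }
    [pscustomobject]@{ HostName = 'dc03.example.test'; OperatingSystemVersion = '5.2 (3790)' }
)
$sampleFsmo = @{
    PDCEmulator  = 'dc03.example.test'
    RIDMaster    = 'dc03.example.test'
    SchemaMaster = 'dc01.example.test'
}

$result = Test-FunctionalLevelReadiness -TargetLevel '2012' -DomainControllers $sampleDcs -FsmoHolders $sampleFsmo
$result.Blockers | Format-Table -AutoSize
"Ready to raise to $($result.TargetLevel): $($result.Ready)"

# Against a live domain (requires the ActiveDirectory module), the inputs would come from:
#   $dcs  = Get-ADDomainController -Filter *
#   $d    = Get-ADDomain
#   $f    = Get-ADForest
#   $fsmo = @{ PDCEmulator = $d.PDCEmulator; RIDMaster = $d.RIDMaster
#              InfrastructureMaster = $d.InfrastructureMaster
#              SchemaMaster = $f.SchemaMaster; DomainNamingMaster = $f.DomainNamingMaster }
#   Test-FunctionalLevelReadiness -TargetLevel '2012' -DomainControllers $dcs -FsmoHolders $fsmo
```

For a forest-level raise, run the check against each domain in the forest, since the replies above note that all DCs in the forest must be at the target version.
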

  • The specified forest functional level is invalid. "Lync Server" requires forests running in Windows 2003 mode or higher.

    Dear Support Team,
    I am having the error ''The specified forest functional level is invalid. "Lync Server" requires forests running in Windows 2003 mode or higher'' from Lync 2013 during the schema master prepare on Windows Server 2008R2, and my forest functional level is 2008R2. So can you help me please?

    Dear Support Team,
    In my network there is one forest and two domain controllers (primary and secondary). My domain functional level is Windows Server 2008R2, but I am still receiving the error. When I hit the Run button for schema prepare it says:
    ServerSchemaPrepareTask execution failed on an unrecoverable error.
    and when I open the log it says: 
    Error: The specified forest functional level is invalid. "Lync Server" requires forests running in Windows 2003 mode or higher.
    Kindly help me.

  • Raising Domain Functional level

    We have 75 domain controllers in our org and the current Domain Functional level is 2003. We have a mixed setup where all versions of OS are available starting from 2003. A large number of applications are also integrated with our current Active Directory.
    My concern is, if I raise my Domain Functional level to 2008 then what are the consequences we might face in terms of accessing legacy applications.
    Please let me know the checklist which we need to follow and, in case of any failure, what the rollback procedure will be.
    Looking forward for your valuable inputs. 

    Hi, 
    I agree with others. Once the Functional Level has been upgraded, new servers running on lower versions cannot be added as Domain Controllers to the domain or forest. If all the DCs in the domain are Server 2008 and later versions, we can raise the function level of the domain to get more advanced features.
    > If I raise my Domain Functional level to 2008 then what are the consequences we might face in terms of accessing legacy applications.
    For this question, make sure that the applications in the domain are compatible with the new functional level.
    For detailed information about how to raise function level, we can refer to the following link:
    Raising the Functional Levels
    http://technet.microsoft.com/en-us/library/cc771949(v=WS.10).aspx
    Best Regards,
    Erin

  • Logon failure after upgrade Windows 2003 domain functional level and schema

    Before upgrade:
    Windows 2003 Std server: Domain functional level 2000, Schema version 30
    Crystal Report XI R2: Authentication: Windows AD
    Logon OK.
    After Upgrade:
    Windows 2003 Std + Windows 2008: Domain functional level 2003, Schema version 44
    Crystal Report XI R2: Authentication: Windows AD
    Logon Error: An error has occurred: java.lan.NullPointerException
    Is it a Tomcat problem?  OR Java runtime problem?  OR XI R2 problem?
    Anyone can help to fix it!?  Thanks!!

    OK, I tried again in the testing lab and simplified the combination.  We only consider Windows 2003 ONLY.
    Before AD upgrade:
    AD/Domain Controller: Windows 2003 Std server: Domain functional level 2000, Schema version 30
    Crystal Report XI R2: run on Windows 2003 member server
    Operating OS: Windows XP/Vista/7: Authentication: Windows AD
    Logon OK.
    Upgrade combination 1
    Step 1:
    Upgrade Domain controller: Windows 2003 to Windows 2003 R2 (Domain functional level 2000, Schema version 31 )
    Crystal Report XI R2: run on Windows 2003 member server
    Operating OS: Windows XP/Vista/7: Authentication: Windows AD
    Logon OK.
    Step 2:
    Upgrade Domain Functional Level: Windows 2003 R2 (Domain functional level 2003, Schema version 31)
    Crystal Report XI R2: run on Windows 2003 member server
    Operating OS: Windows XP/Vista/7: Authentication: Windows AD
    Logon Fail
    Logon Error: An error has occurred: java.lan.NullPointerException
    Upgrade combination 2
    Direct upgrade Domain Functional Level: Windows 2003 (Domain functional level 2003, Schema version 30)
    Crystal Report XI R2: run on Windows 2003 member server
    Operating OS: Windows XP/Vista/7: Authentication: Windows AD
    Logon Fail
    Logon Error: An error has occurred: java.lan.NullPointerException
    In this testing, we can conclude that when the Domain Functional Level is upgraded from 2000 to 2003, the MI logon will fail.
    Q1. Crystal Report XI R2 cannot run on Windows 2003 server (Domain Functional Level: 2003)?
    Q2. If Crystal Report XI R2 can run on Domain Functional Level: 2003, how to fix our problem?
    Do you have any idea to help us?  Thanks!
    Edited by: Initiator on Jul 20, 2010 6:22 AM

  • SCSM 2012 with 2003 domain functional level supported?

    All,
    I am running SCCM 2007. Now I need to install Service Manager 2012SP1. Domain functional level is 2003 with 2008 DC.
    Will this allow me to install SCSM 2012SP1 with full features, or will it be reduced functionality?
    Will there be any schema extension when I install SCSM 2012? Please note we already have SCCM 2007 running.
    Can I upgrade SCCM 2007 to SCCM 2012?  
    It would be helpful if you could share some link about whether it's possible or not.
    Thanks.
    KailashC

    Thomas,
    Thanks for your response. Can I do a direct upgrade SCCM 2007 SP3 to SCCM 2012 or do I need to plan a migration? I mean fresh install SCCM 2012 and then migrate the data over ?
    Thanks.
    KailashC

  • Missing nodes in new GPO objects after adding ADMX to DC (Server 2008 Domain Functional Level 2003)

    Hello,
    we discovered an issue in GPO console.
    DCs: multiple 2008 there is one 2003DC somewhere over the rainbow (don't ask why) :)
    Domain Functional Level is 2003.
    In June I added Policydefinitions folder into Policy folder in sysvol\domain_name.
    I did this for adding ADMX.
    Today we found missing nodes when adding new GPO objects and trying to modify them.
    Under Computers\Administrative Templates there is only the ADMX node. No Administrative Templates with sub nodes: System, Network, Printers, Windows Components.
    When editing old GPOs there is Administrative Templates in Administrative Templates with the ADMX folder. SEE Screenshot.
    My colleague insists that it happened after I made changes by adding ADMX things. Looks like he is right.
    Please, any help on this issue... How to get back the nodes for managing new GPOs as it was before adding ADMX.
    Is this something known? I didn't find any prerequisites before adding the PolicyDefinitions folder.
    Thanks.
    "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

    Meinolf,
    1. I would like to know if it is normal behaviour that after creating a Central Store (adding the PolicyDefinitions folder into Policies) Classical Administrative Templates will not appear for any new GPO (they do exist for all previously created ones), see picture.
    2. I followed the links. And eventually I will use the script for cleaning up duplicate adms in all GPOs. It is a great feature of ADMX. But first I would like to bring back the option of Admin Templates.
    So I downloaded the latest 2012 ADMXs. Ran setup on my computer. Now I have a PolicyDefinitions folder containing new ADMXs with language (culture) folders.
    Am I right? I have to copy all *.admx files to my Central Store PolicyDefinitions folder and drop all En admls into the En-Us language folder. What will happen if I add Fr-Fr? Would it be correct to have 2 languages for the same admxs? And how will they appear? Or will it depend on the OS language where the GP console is opened?
    No conflict to expect?
    I will do this "surgery" after your answer.
    Thanks for pointing out..
    "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

  • Transferring FSMO roles from 2003 DC to 2012 R2 DC - and how exchange will react.

    Hi Folks,
    I want to transfer the FSMO roles from our current 'PDC', which is Server 2003, to a new Server 2012 R2 DC. I'm fine with the steps I have to perform to accomplish this but as always, the wildcard is how my Exchange 2007 server will react to such a change. 
    Does anyone have any insight as to whether Exchange will just pick up the new 'PDC' without any issues? I am going to leave the domain functional level at 2003 until I am able to migrate to Exchange 2013.
    thanks.
    Colin Stewart

    Your Active Directory is a database. If Exchange 2007 is working with the current functional level, it will work after the roles are moved. The Active Directory database does not change when you move it to a newer domain controller, and it doesn't really change when you raise the functional level; it changes when you run adprep for an application like Exchange 2007. So if it runs now, moving roles to a new DC will not change that. Raising your functional level will give you more features in AD, like the Recycle Bin, which is nice.

  • AD FS Across Differing Domain Functional Levels

    My customer needs to implement AD FS for single sign on due to a cloud based email solution they recently implemented. The problem is, their domain controllers are Server 2003 (non-R2) at a functional level of 2003 mixed mode. They should be able to raise
    to 2003 native if necessary however. Their solution is to create a new 2008 domain and implement a two-way trust, running AD FS in the new domain serving the clients in the 2003 domain.  This way should be quicker than upgrading their current domain
    which would be a rather large project due to their size and complexity. 
    Are there any gotcha's I should know about with doing it this way?  I have verified that we can create the two-way trust between domains of these functional levels, and AD FS can service clients in a trusted domain, but I am not entirely sure if AD
    FS will care that the trusted domain is 2003 non-R2.  Can anyone confirm if this will be a feasible scenario? 
    Thanks very much!!
    Wraith

    Hi Wraith,
    In addition, if you are not using Windows Server 2012 or above as ADFS server, you will be fine with Windows 2003 mixed mode.
    “Since ADFS does not require Active Directory functional-level modifications to operate successfully. However, if you are using Windows NT token–based applications and you want a token to be generated using Kerberos Service-for-User (S4U), the domain functional level must be Windows 2000 native or Windows Server 2003”, quoted from the article below:
    Appendix A: Reviewing ADFS Requirements
    http://technet.microsoft.com/en-us/library/cc778681(v=WS.10).aspx
    More information for you:
    ADFS and Domain Functional Level
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/5cc0e898-eae2-46ce-8491-5ccf61380423/adfs-and-domain-functional-level?forum=winserverDS
    ADFS requirements
    http://technet.microsoft.com/en-us/library/cc727972(v=WS.10).aspx
    Best Regards,
    Amy

  • Domain / Forest functional levels

    I've done some research but really need someone to tell me I've got this right in my head...
    I've got 2 domains in the forest, the forest functional level is 2003. Here's the setup:
    domain1.local
    root domain
    2 DCs running W2K8R2
    DFL - 2003
    domain2.local
    1 DC running W2012R2
    1 DC running W2K3 (soon to be retired)
    DFL - 2003
    Can I upgrade the DFL of domain1 to 2008R2?
    Can I upgrade the FFL to 2008R2 while maintaining trust?
    Do the domain and forest functional levels have to match?
    Thanks in advance for any answers!

    > Can I upgrade the DFL of domain1 to 2008R2?
    Yes.
    > Can I upgrade the FFL to 2008R2 while maintaining trust?
    Yes.
    > Do the domain and forest functional levels have to match?
    No.
    Martin
    Want to read a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
