Things to be considered before AD - domain and forest functional level upgrade (win 2003 to 2008 R2)
Hi
Recently we introduced Windows 2008 R2 DCs and decommissioned old Windows 2003 domain controllers. Since we are not sure about the application compatibility (both MS and 3rd party), we have postponed the plan to upgrade the DFL and FFL many times. We found Jonathan's blog (http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx), which clearly says the upgrade won't affect any applications. But just to confirm this with the experts we are posting this concern once again. We have Exchange 2010 / SharePoint / SQL / SAP etc. (also 2 x Windows 2000 servers).
Please let us know from your real experience in a production environment how an upgrade from 2003 to 2008 R2 (we believe we are able to upgrade both FFL and DFL from Win 2003 to Win 2008 R2) affects existing applications.
Thanks in advance
LMS
I might be able to help with Exchange. What service pack?
Most likely, there should be no problem. The Exchange compatibility matrix shows that (with SP2 and SP3) it is compatible with Windows 2008 R2 domain controllers and 2008 R2 domain and forest functional levels.
I'm *working on* an Exchange 2010 migration but if you want someone who *has* such a combination (2008 R2 DFL/FFL and Exchange 2010), you could ask in the Exchange forum.
I'm sure, though, that such a combination is actually quite common.
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
Similar Messages
-
Hi all,
I'd like to confirm which Domain/Forest functional levels of Active Directory are supported for "Active Directory Resource Pool Synchronization" in Project Server 2013.
I guess that 2003 or later is supported, but my customer requires reliable sources.
I googled and searched for an article on TechNet, but I couldn't find one.
Could anyone point me to an article about that?
Thank you in advance.
Kaori.
Hi Michael and all,
Anyway I solved this issue.
I couldn't find the article that I wanted, so I asked my colleagues for advice and they told me that functional level 2003 or later is supported in their experience.
In addition, I found these articles about SharePoint sync limitations.
Members of the domain local group cannot view a Microsoft Office SharePoint Server 2007 Web site
http://support.microsoft.com/kb/932378/en-us
SharePoint supportability of Read only Domain controllers
http://support.microsoft.com/kb/970612 -
Domain / Forest functional levels
I've done some research but really need someone to tell me I've got this right in my head...
I've got 2 domains in the forest, the forest functional level is 2003. Here's the setup:
domain1.local
root domain
2 DCs running W2K8R2
DFL - 2003
domain2.local
1 DC running W2012R2
1 DC running W2K3 (soon to be retired)
DFL - 2003
Can I upgrade the DFL of domain1 to 2008R2?
Can I upgrade the FFL to 2008R2 while maintaining trust?
Do the domain and forest functional levels have to match?
Thanks in advance for any answers!
> Can I upgrade the DFL of domain1 to 2008R2?
Yes.
> Can I upgrade the FFL to 2008R2 while maintaining trust?
Yes.
> Do the domain and forest functional levels have to match?
No.
Martin
-
Looking for a Microsoft products compatibility matrix and AD functional levels.
I need to upgrade the AD Forest Functional level from Windows 2003 to Windows 2008 R2. A products compatibility matrix would be a big help.
Both domain controllers are Windows 2008 R2.
Forest Functional Level - Windows 3003.
Domain Functional Level - Windows 2008 R2
We have an old SharePoint Services 2.0 server and I need to know if changing the Forest Level will break the SharePoint site.
Additionally, we have MSSQL 2005 and 2008.
Any help is greatly appreciated.
Dave
Hello,
for Sharepoint please see
http://social.msdn.microsoft.com/Forums/office/en-US/f8933979-f993-4325-b931-31be023df1d5/is-sharepoint-portal-server-2003-supported-with-active-directory-domain-services-2012?forum=sharepointadminlegacy and if that doesn't help please ask in the same forum.
This is more about Sharepoint than AD.
MS SQL is not related with FFL/DFL. To be sure ask the SQL server guys in
http://social.technet.microsoft.com/Forums/sqlserver/en-us/home?category=sqlserver
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://blogs.msmvps.com/MWeber
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
Twitter: -
Credentials needed to raise domain and forest level from 2003 to 2012 R2.
I migrated our environment from a single DC server 2003 to a single DC server 2012 R2. I followed the migration process that is documented by Microsoft and others.
However, I forgot to assign my account Enterprise Admin and Schema Admin before raising the domain and forest levels from 2003 to 2012 R2. My account did have domain admin. The GUI interface did not complain when I raised the level of the domain and then the forest.
So I am thinking everything is OK.
My question is am I going to have problems down the road with the AD environment?
Thanks for any help or opinions.
Using snapshots for a domain controller is not recommended, as USN rollback can occur. Although in Server 2012 using snapshots for DCs has been improved and made 'safer', I wouldn't use it as a backup solution.
But back to your problem, Beaulieu, is it a single domain/single forest design? And the issue is that you have no membership in Schema and Enterprise Admins, but you do have a domain admin?
Best Regards,
Jesper Vindum, Denmark
Systems Administrator
Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem. -
Re: File sync across servers different domains and forests
I don't see why that would be an issue however I have only ever used it in exchange 2013
Hey Guys
Just seeing if anyone had any idea for software to sync drives/folders between 2 servers over the internet. We have 2 separate domains and forests running. 1 location uses 1 domain and then 3 locations use the second domain. However we need to be able to sync some folders between the 2 domains as staff are all technically running under the single organization name (very confusing). I wanted to use DFS but obviously can't due to the forest restraints here.
The staff all use a terminal server and have a mapped drive with directory structure and need so basically have that syncing both ways as each side will have their own structure that needs to sync back to the other site.
Sorry if that's confusing
Thanks
This topic first appeared in the Spiceworks Community -
Hi
Does anyone know whether Windows 2008 R2 domain controllers with Windows 2003 forest functional level will still be supported after Windows 2003 support ends in July 2015?
Thanks
When Windows Server 2003 support ends, you should not have a Windows Server 2003 Domain Controller running if you would like to be supported by Microsoft. This means that there will be no reason to have a DFL or FFL that is lower than Windows Server 2008.
So, if you are keeping Windows Server 2003 FFL to keep DCs running Windows Server 2003 then this is not supported.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
Raising Domain Functional / Forest Functional Levels
Hi guys,
I've upgraded my AD servers to Windows 2012 and have removed all the Windows 2003 servers in my network.
However, I wish to implement fine grained password policy. However, my Forest and Domain Functional levels are still at 2003. The minimum requirement for fine grained password policy states that the domain functional level must be set to Windows Server 2008 or higher.
How do I go about raising the Forest / Domain functional level? Which functional level should I raise first (the forest or domain)? Will there be any downtime and implications if I were to perform the raise?
Thanks guys!!
There will be no downtime when raising your Domain Functional Level or Forest Functional Level.
All you need to know is that by raising your DFL to Windows Server 2008 or higher, you will not be able to set it back to Windows Server 2003 without a recovery from backup (This is not a reversible operation without restore). Also, you will need to have DCs that are running OSs with the same level as your DFL or higher.
If you are not planning to add DCs that are running OSs lower than Windows Server 2012 then simply raise your DFL and FFL to Windows Server 2012. FYI, as long as you have not enabled AD recycle Bin, you can downgrade the DFL and FFL to Windows Server 2008.
More about the benefits you can take by raising your DFL and FFL here: https://technet.microsoft.com/en-gb/library/understanding-active-directory-functional-levels(v=ws.10).aspx
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
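The requirement stated in the reply above, that every DC must run an OS at or above the target level, can be checked before the raise, which cannot be undone without a restore. The following read-only PowerShell check is an added example, not code from the original thread; the function name `Test-DcReadyForLevel`, the level labels and the sample host names are assumptions made for illustration.

```powershell
# Added example: read-only pre-flight check before raising the DFL/FFL.
# Minimum DC operating system version (major.minor) required for each level.
$MinOsForLevel = @{
    'Windows2008'   = [version]'6.0'
    'Windows2008R2' = [version]'6.1'
    'Windows2012'   = [version]'6.2'
    'Windows2012R2' = [version]'6.3'
}

function Test-DcReadyForLevel {
    # Hypothetical helper: reports, per DC, whether its OS blocks the target level.
    param(
        [Parameter(Mandatory)] [object[]] $DomainController,
        [Parameter(Mandatory)]
        [ValidateSet('Windows2008', 'Windows2008R2', 'Windows2012', 'Windows2012R2')]
        [string] $TargetLevel
    )
    $required = $MinOsForLevel[$TargetLevel]
    foreach ($dc in $DomainController) {
        # OperatingSystemVersion looks like "6.1 (7601)"; keep only major.minor.
        $osVersion = $null
        if ($dc.OperatingSystemVersion -match '^(\d+\.\d+)') {
            $osVersion = [version]$Matches[1]
        }
        [pscustomobject]@{
            HostName  = $dc.HostName
            OS        = $dc.OperatingSystem
            OSVersion = $osVersion
            # A DC object without a readable version is reported as blocking,
            # so that a stale or half-removed DC is looked at before the raise.
            Blocks    = ($null -eq $osVersion) -or ($osVersion -lt $required)
        }
    }
}

# Constructed sample inventory (hypothetical host names) so the check runs offline.
$sample = @(
    [pscustomobject]@{ HostName = 'dc01.example.test'; OperatingSystem = 'Windows Server 2008 R2 Standard'; OperatingSystemVersion = '6.1 (7601)' }
    [pscustomobject]@{ HostName = 'dc02.example.test'; OperatingSystem = 'Windows Server 2012 R2 Standard'; OperatingSystemVersion = '6.3 (9600)' }
    [pscustomobject]@{ HostName = 'dc03.example.test'; OperatingSystem = 'Windows Server 2003'; OperatingSystemVersion = '5.2 (3790)' }
)
Test-DcReadyForLevel -DomainController $sample -TargetLevel Windows2008R2 |
    Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
#   Get-ADDomain | Select-Object DNSRoot, DomainMode
#   Get-ADForest | Select-Object Name, ForestMode
#   Test-DcReadyForLevel -DomainController (Get-ADDomainController -Filter *) -TargetLevel Windows2008R2
#   # Recycle Bin state matters for the rollback option mentioned in the reply:
#   Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"' |
#       Select-Object Name, EnabledScopes
```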
Lingering 2003 DC causing Domain Functional Level Upgrade fail
Got that one too :(
I can't find hide nor hair of this darn beast anywhere
Have a DEAD 2003 DC - check
Have removed it from AD via GUI (ADUC) deletion - Check
Cleaned up DNS - Check and double check
Review LostandFound container in ADSI edit - Check - No objects present
Right click Domain Name in ADUC, select Raise Domain Functional level - F A I L
Run through NTDSUTIL Metadata cleanup steps (MS technet article) - The server object isn't there
What am I missing here? I've gone back over DNS, searched for the computer object, rechecked ADSI LostandFound, rechecked NTDSUTIL .. I'm at a hard loss to figure out what's stopped the Functional Level upgrade.
Any ideas?
This topic first appeared in the Spiceworks Community -
Domain functional level upgraded to 2008 r2 native mode but query states 2003
Nothing :(
I raised the domain functional level last night to 2008 r2 native mode and after allowing everything to sync I ran the command get-addomain .domainmode and it came back as windows2003forest.
I don't understand why it is showing up this way, we removed all of the 2003 domain controllers and servers from our network before doing this... Any suggestions?
This topic first appeared in the Spiceworks Community -
USMT between separate domains and forests
Hi!
I have a problem with migrating profiles from an old domain to a new one when doing OSD on them. Usernames are the same in both domains and SidHistory is migrated. The domains are in two separate forests and a one-way trust exists from the old domain to the new one.
I'm running the following command on a test VM in the new domain after saving the user state from a VM in the old domain:
loadstate.exe C:\USMTShare /c /l:C:\logs\loadstate.log /progress:C:\logs\loadstateprogress.log /i:C:\USMT6.3\migdocs.xml /v:5 /i:C:\USMT6.3\migapp.xml /md:olddomain.com:newdomain.org
This gives me the following output in the loadstate.log:
2014-02-13 18:03:30, Info [0x000000] User olddomain\Mig.Test0001 maps to S-1-5-21-8915387-1198066105-xxxxxxxxxx-19198
2014-02-13 18:03:30, Info [0x000000] Adding domain account newdomain\Mig.Test0001 (S-1-5-21-8915387-1198066105-xxxxxxxxxx-19198)
2014-02-13 18:03:30, Info [0x0803b2] Adding user S-1-5-21-8915387-1198066105-xxxxxxxxxx-19198, newdomain\Mig.Test0001
2014-02-13 18:03:30, Info [0x0803b3] User S-1-5-21-8915387-1198066105-xxxxxxxxxx-19198, newdomain\Mig.Test0001 added successfully
2014-02-13 18:03:30, Status [0x000000] Activity: 'MIGACTIVITY_PROFILE_CREATE'
2014-02-13 18:03:30, Info [0x000000] Entering MigGetRealPlatform method
2014-02-13 18:03:30, Info [0x000000] Leaving MigGetRealPlatform method
2014-02-13 18:03:30, Info [0x000000] Creating profile for target user newdomain\Mig.Test0001 (source user olddomain\Mig.Test0001)
2014-02-13 18:03:30, Info [0x080000] Mig::COnlineWinNTPlatform::CreateProfileForUser: Called for user newdomain\Mig.Test0001 with ProfileSuffix: (NULL)
2014-02-13 18:03:30, Info [0x080000] Creating profile for user S-1-5-21-8915387-1198066105-xxxxxxxxxx-19198, newdomain\Mig.Test0001 ((NULL)). Using existent SID
2014-02-13 18:03:31, Info [0x080000] Adding indirect mapping for HKCU (C:\Users\Mig.Test0001\NTUSER.DAT) to 0x80000003, S-1-5-21-8915387-1198066105-xxxxxxxxxx-19198
2014-02-13 18:03:31, Info [0x0803e2] Adding indirect mapping from HKCU to <C:\Users\Mig.Test0001\NTUSER.DAT> loaded at HKEY_USERS\S-1-5-21-8915387-1198066105-xxxxxxxxxx-19198 (R/W)
So the profile is restored, the profile name looks fine in System Properties -> User Profiles (Changes from "Account Unknown" to "NEWDOMAIN\Mig.Test0001" after the loadstate.exe command.) The problem is, when this user logs in a new profile is created anyway and a new folder is created (c:\users\Mig.Test0001.NEWDOMAIN).
When taking a look at the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList, I can see that the SID for Mig.Test0001 from OLDDOMAIN is present and corresponds to the migrated profile. When I'm logging in as NEWDOMAIN\Mig.Test0001, the new SID is created here. If I replace the old SID with the new SID before logging in with NEWDOMAIN\Mig.Test0001, the migrated profile is used.
So it looks like loadstate.exe finds the corresponding account in OLDDOMAIN for the SID it finds in the StateStore, and instead of finding the corresponding user account in the NEWDOMAIN and using the SID for that, it uses the SidHistory attribute.
Is there a way to change this behavior so that the new account's SID is being used instead of the old one's, even if using SidHistory?
Hi,
How about using "/mu" instead of "/md"?
If this cannot work, I suggest writing a script to replace the SID.
Best Regards,
Joyce Li
-
Adding DC to an existing domain and forest
Hi, I have an existing forest and domain. Its roles are: Domain Services and DNS. We have a branch office and set up a new server. In this new server, we set this as well to be the DC of that remote site and added a third role which is DHCP for their own network. We added another server as backup of this branch office. In the process of adding the role, I accidentally checked both domain controller and global catalog. I remember that both of these cannot be GC, or is it OK for both to be GC besides DC?
Thanks
Jeff
Hello,
there is no problem having ALL DCs to be GC also.
Don't forget to configure AD sites and services with the new subnets and also the sites containing the correct DCs.
https://technet.microsoft.com/en-us/library/cc730868.aspx?f=255&MSPPError=-2147217396
http://blogs.technet.com/b/askds/archive/2011/04/29/sites-sites-everywhere.aspx
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://blogs.msmvps.com/MWeber
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
Twitter: -
Config Manager 2012 setup w/ SQL DB in a different domain and Forest
Hi all, I'm hoping these are easy questions. The SQL admins in my environment are pushing for me to have the DB hosted on the managed SQL servers vs on the PSS. The only potential problem is that the SQL servers currently are in a different domain/forest. There is a two-way trust between forests. The managed workstations will be in the same domain as the SCCM infrastructure. There will not be any managed workstations in the domain where the SQL server resides. Eventually all SQL servers will be moved to a different domain, but it will not be the same domain as the SCCM infrastructure. My questions are below
Will I need to have another PSS in the same domain as the SQL Server? If yes then i assume I'll need a CAS as well to manage both PSS.
Since the SQL servers will eventually be moved to another domain/forest, which will have a two-way trust as well, what are the potential issues that can arise from this?
Thanks
Technically what you're asking for will work. That said: you should be willing to demonstrate to your SQL team that SCCM will be fully capable of overwriting, dismounting and otherwise destroying every database on that shared SQL server due to the ridiculously elevated permissions required on said SQL system.
To clarify:
SCCM will require local administrator permissions to every node in the cluster. When it connects, it will immediately install a server role on said cluster. It will also require full administrative access to the instance the database will reside
in. By the time all this fun stuff is open, anyone who knows how to open up a command prompt under the system context of your SCCM server will be able to do all sorts of fun stuff that really REALLY won't make your SQL team very happy.
I'd fight the desire tooth and nail. If they threaten to not support the SQL instance I'd be OK with that even. Microsoft won't even support you if you make any edits/changes to the SQL database directly anyway. -
I just updated to iOS 6.1.2 and now the shutter on the native camera and other camera apps won't open nor does the flash work. Sometimes it tries to open and crashes, and sometimes it just stays closed. I have restored the phone and there's no change. Anyone else experienced this?
Same happened to me today.
At night I charge my phone and set it to "Flight Mode".
I got up at 6:42am and unplugged the phone at 6:45.
I did not use my phone at all until 10:40am, but the battery sank to 22% until this time.
How can it be fixed? Why is Apple so much more expensive than other phones (which are better by the way), but it's not working as good as others...?
Message was edited by: b1mstar I forgot to mention, that the phone got really warm, while I did nothing with it. -
Domain functional level 2003 -- 2008 and TMG 2010 (sp2 rollup 2)
Hi,
We want to raise our domain and forest functional level from 2003 to 2008. All DC's have been on 2008 or 2008R2 for about two years.
I cannot find if there is any impact on TMG 2010 sp2 rollup 2. Does anyone know if this will bring any issues?
Thanks!
No impact. From a TMG perspective, go ahead.
Hth, Anders Janson Enfo Zipper