Things to be considered before AD - domain and forest functional level upgrade (win 2003 to 2008 R2)

Similar Messages

• Which domain and forest functional level is supportted for the "Active Directory Resource Pool Synchronization"?

  Hi all,
  I'd like to confirm which Domain/Forest functional levels of Active Directory is supported for "Active Directory Resource Pool Synchronization" in Project Server 2013.
  I guess that 2003 or later is supported, but my customer required reliable sources.
  I googled and searched article at TechNet, but I couldn't find.
  Could anyone inform me the article about that?
  Thank you in advance.
  Kaori.

  Hi Michael and all,
  Anyway I solved this issue.
  I couldn't find article that I desired, so I asked advice to my colleagues and they told that the functional level 2003 or later are supported in their experience.
  In addition, I found these articles about SharePoint sync limitations.
  Members of the domain local group cannot view a Microsoft Office SharePoint Server 2007 Web site
  http://support.microsoft.com/kb/932378/en-us
  SharePoint supportability of Read only Domain controllers
  http://support.microsoft.com/kb/970612

• Domain / Forest functional levels

  I've done some research but really need someone to tell me I've got this right in my head...
  I've got 2 domains in the forest, the forest functional level is 2003. Here's the setup:
  domain1.local
  root domain
  2 DCs running W2K8R2
  DFL - 2003
  domain2.local
  1 DC running W2012R2
  1 DC running W2K3 (soon to be retired)
  DFL - 2003
  Can I upgrade the DFL of domain1 to 2008R2?
  Can I upgrade the FFL to 2008R2 while maintaining trust?
  Do the domain and forest functional levels have to match?
  Thanks in advance for any answers!

  > Can I upgrade the DFL of domain1 to 2008R2?
  Yes.
  > Can I upgrade the FFL to 2008R2 while maintaining trust?
  Yes.
  > Do the domain and forest functional levels have to match?
  No.
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Looking for a Microsoft products compatibility matix and AD functional levels.

  I need to upgrade the AD Forest Functional level from Windows 2003 to Windows 2008 R2. A products compatibility matrix would be a big help.
  Both domain controllers are Windows 2008 R2.
  Forest Functional Level - Windows 3003.
  Domain Functional Level - Windows 2008 R2
  We have an old SharePoint Services 2.0 server and I need to know if changing the Forest Level will break the SharePoint site.
  Additionally, we have MSSQL 2005 and 2008.
  Any help is greatly appreciated.
  Dave 

  Hello,
  for Sharepoint please see
  http://social.msdn.microsoft.com/Forums/office/en-US/f8933979-f993-4325-b931-31be023df1d5/is-sharepoint-portal-server-2003-supported-with-active-directory-domain-services-2012?forum=sharepointadminlegacy and if that doesn't help please ask in the same forum.
  This is more about Sharepoint then AD.
  MS SQL is not related with FFL/DFL. To be sure ask the SQL server guys in
  http://social.technet.microsoft.com/Forums/sqlserver/en-us/home?category=sqlserver
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://blogs.msmvps.com/MWeber
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
  Twitter:  

• Credentials needed to raise domain and forest level from 2003 to 2012 R2.

  I migrated our environment from a single DC server 2003 to a single DC server 2012 R2.  I followed the migration process that is documented by Microsoft and others.
  However, I forgot to assign my account Enterprise Admin and Schema Admin before raising the domain and forest levels from 2003 to 2012 R2.  My account did have domain admin.  The GUI interface did not complain when I raised the level of the domain
  and then the forest.
  So I am thinking everything is OK.
  My question is am I going to have problems down the road with the AD environment?
  Thanks for any help or opinions.

  Using snapshot for a domain controller is not recommended, as usn rollback can occur. Allthough in server 2012 using snapshot for dc's has been improved and made 'safer', but I wouldnt use it as a backup solution.
  But back to your problem, Beaulieu, is it a single domain/single forest design? And the issue is that you have no membership in schema- and enterprise admins, but you do have an domain admin?
  Best Regards,
  Jesper Vindum, Denmark
  Systems Administrator
  Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.

• Re: File sync across servers different domains and forests

  I don't see why that would be an issue however I have only ever used it in exchange 2013

  Hey Guys
  Just seeing if anyone had any idea for software to sync drives/folders between 2 servers over the internet. We 2 separate domains and forests running. 1 location uses 1 domain and then 3 locations use the second domain. However we need to be able to sync some folders between the 2 domains as staff are all technically running under the single organization name (very confusing). I wanted to use DFS but obviously cant due to the forest restraints here.
  The staff all use a terminal server and have a mapped drive with directory structure and need so basically have that syncing both ways as each side will have their own structure that needs to sync back to the other site.
  Sorry if that's confusing
  Thanks
  This topic first appeared in the Spiceworks Community

• Windows 2008 R2 domain controllers with Windows 2003 forest functional level Supported after Windows 2003 support ends in July 2015

  Hi
  Anyone knows whether Windows 2008 R2 domain controllers with Windows 2003 forest functional level will still be Supported after Windows 2003 support ends in July 2015 ?
  Thanks

  When Windows Server 2003 support ends, you should not have a Windows Server 2003 Domain Controller running if you would like to be supported by Microsoft. This means that there will be no reason to have a DFL or FFL that is lower than Windows Server 2008.
  So, if you are keeping Windows Server 2003 FFL to keep DCs running Windows Server 2003 then this is not supported.
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• Raising Domain Functional / Forest Functional Levels

  Hi guys,
  I've upgraded my AD servers to Windows 2012 and have removed all the Windows 2003 servers in my network.
  However, I wish to implement fine grained password policy. However, my Forest and Domain Functional levels are still at 2003. The minimum requirement for fine grained password policy states that the domain functional level must be set to
  Windows Server 2008 or higher.
  How do I go about raising the Forest / Domain functional level? Which functional level should I raise first (the forest or domain)? Will there be any downtime and implications if I were to perform the raise?
  Thanks guys!!

  Hi guys,
  I've upgraded my AD servers to Windows 2012 and have removed all the Windows 2003 servers in my network.
  However, I wish to implement fine grained password policy. However, my Forest and Domain Functional levels are still at 2003. The minimum requirement for fine grained password policy states that the domain functional level must be set to
  Windows Server 2008 or higher.
  How do I go about raising the Forest / Domain functional level? Which functional level should I raise first (the forest or domain)? Will there be any downtime and implications if I were to perform the raise?
  Thanks guys!!
  There will be no downtime when raising your Domain Functional Level or Forest Functional Level.
  All you need to know is that by raising your DFL to Windows Server 2008 or higher, you will not be able to set it back to Windows Server 2003 without a recovery from backup (This is not a reversible operation without restore). Also, you will need to have
  DCs that are running OSs with the same level as your DFL or higher.
  If you are not planning to add DCs that are running OSs lower than Windows Server 2012 then simply raise your DFL and FFL to Windows Server 2012. FYI, as long as you have not enabled AD recycle Bin, you can downgrade the DFL and FFL to Windows Server 2008.
  More about the benefits you can take by raising your DFL and FFL here: https://technet.microsoft.com/en-gb/library/understanding-active-directory-functional-levels(v=ws.10).aspx
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• Lingering 2003 DC causing Domain Functional Level Upgrade fail

  Got that one too :(
  I can't find hide nor hair of this darn beast anywhere

  Have a DEAD 2003 DC - check
  Have removed it from AD via GUI (ADUC) deletion - Check
  Cleaned up DNS - Check and double check
  Review LostandFound container in ADSI edit - Check - No objects present
  Right click Domain Name in ADUC, select Raise Domain Functional level - F A I L
  Run through NTDSUTIL Metadata cleanup steps (MS technet article) - The server object isn't there
  What am I missing here? I've gone back over DNS, searched for the computer object, rechecked ADSI LostandFound, rechecked NTDSUTIL .. I'm at a hard loss to figure out what's stopped the Functional Level upgrade.
  Any ideas?
  This topic first appeared in the Spiceworks Community

• Domain functional level upgraded to 2008 r2 native mode but query states 2003

  Nothing :(

  I raised the domain functional level last night to 2008 r2 native mode and after allowing everything to sync i ran the command get-addomain .domainmode and it came back ast windows2003forest. 
  I dont understand why it is showing up this way, we removed all of the 2003 domain controllers and server from our network before doing this...Any suggestions?
  This topic first appeared in the Spiceworks Community

• USMT between separate domains and forests

  Hi!
  I have a problem with migrating profiles from an old domain to a new one when doing OSD on them. Usernames is the same in both domain an SidHistory is migrated. The domains are in two separate forests and a one-way trust exists from the old domain to the
  new one.
  I'm running the following command on a test VM in the new domain after saving the user state from a VM in the old domain:
  loadstate.exe C:\USMTShare /c /l:C:\logs\loadstate.log /progress:C:\logs\loadstateprogress.log /i:C:\USMT6.3\migdocs.xml /v:5 /i:C:\USMT6.3\migapp.xml /md:olddomain.com:newdomain.org
  This gives me the following output in the loadstate.log:
  2014-02-13 18:03:30, Info [0x000000] User olddomain\Mig.Test0001 maps to S-1-5-21-8915387-1198066105-xxxxxxxxxx-19198
  2014-02-13 18:03:30, Info [0x000000] Adding domain account newdomain\Mig.Test0001 (S-1-5-21-8915387-1198066105-xxxxxxxxxx-19198)
  2014-02-13 18:03:30, Info [0x0803b2] Adding user S-1-5-21-8915387-1198066105-xxxxxxxxxx-19198, newdomain\Mig.Test0001
  2014-02-13 18:03:30, Info [0x0803b3] User S-1-5-21-8915387-1198066105-xxxxxxxxxx-19198, newdomain\Mig.Test0001 added successfully
  2014-02-13 18:03:30, Status [0x000000] Activity: 'MIGACTIVITY_PROFILE_CREATE'
  2014-02-13 18:03:30, Info [0x000000] Entering MigGetRealPlatform method
  2014-02-13 18:03:30, Info [0x000000] Leaving MigGetRealPlatform method
  2014-02-13 18:03:30, Info [0x000000] Creating profile for target user newdomain\Mig.Test0001 (source user olddomain\Mig.Test0001)
  2014-02-13 18:03:30, Info [0x080000] Mig::COnlineWinNTPlatform::CreateProfileForUser: Called for user newdomain\Mig.Test0001 with ProfileSuffix: (NULL)
  2014-02-13 18:03:30, Info [0x080000] Creating profile for user S-1-5-21-8915387-1198066105-xxxxxxxxxx-19198, newdomain\Mig.Test0001 ((NULL)). Using existent SID
  2014-02-13 18:03:31, Info [0x080000] Adding indirect mapping for HKCU (C:\Users\Mig.Test0001\NTUSER.DAT) to 0x80000003, S-1-5-21-8915387-1198066105-xxxxxxxxxx-19198
  2014-02-13 18:03:31, Info [0x0803e2] Adding indirect mapping from HKCU to <C:\Users\Mig.Test0001\NTUSER.DAT> loaded at HKEY_USERS\S-1-5-21-8915387-1198066105-xxxxxxxxxx-19198 (R/W)
  So the profile is restored, the profile name looks fine in System Properties -> User Profiles (Changes from "Account Unknown" to "NEWDOMAIN\Mig.Test0001" after the loadstate.exe command.) The Problem is, when this user logs in a new
  profile is created anyway and a new folder is created (c:\users\Mig.Test0001.NEWDOMAIN).
  When taking a look at the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList, I can see that the sid for Mig.Test0001 from OLDDOMAIN is present and are corresponding to the migrated profile. When I'm logging in
  as NEWDOMAIN\Mig.Test0001, the new sid is created here. If I replace the old SID with the new SID before logging in with NEWDOMAIN\Mig.Test0001, the migrated profile is used.
  So it looks like loadstate.exe finds the corresponding account in OLDDOMAIN for the SID it finds in the StateStore, and instead of finding the corresponding user account in the NEWDOMAIN and use the SID for that, it uses the SidHistory attribute.
  Is there a way to change this behavior so that the new accounts Sid is being used instead of the old ones, even if using SidHistory?

  Hi,
  How about using "/mu" instead of "/md"?
  If this cannot work, I suggest you that writing a script to replace the SID.
  Best Regards,
  Joyce Li
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Adding DC to an existing domain and forest

  Hi, I have an existing forest and domain. Its roles are: Domain Services and DNS. We have a branch office and setup a new server. In this new server, we set this as well to be the DC of that remote site and added a third role which is DHCP for their own
  network. We added another server as backup of this branch office. In the process of adding the role, I accidentally checked both domain controller and global catalog. I remember that both of this cannot be GC or is it ok for both to be GC besides DC?
  Thanks
  Jeff

  Hello,
  there is no problem having ALL DCs to be GC also.
  Don't forget to configure AD sites and services with the new subnets and also the sites containing the correct DCs.
  https://technet.microsoft.com/en-us/library/cc730868.aspx?f=255&MSPPError=-2147217396
  http://blogs.technet.com/b/askds/archive/2011/04/29/sites-sites-everywhere.aspx
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://blogs.msmvps.com/MWeber
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
  Twitter:  

• Config Manager 2012 setup w/ SQL DB in a different domain and Forest

  Hi all I'm hoping these are easy questions.  The SQL admins in my environment are pushing for me to have the DB hosted on the managed SQL servers vs on the PSS.  The only potential problem is that the SQL servers currently are in a different domain/forest. 
  There is a two trust between forests. The managed workstations will be in the same domain as the SCCM infrastructure.  There will not be any managed workstations in domain where the SQL server resides.  Eventually all SQL servers will be moved to
  a different domain, but it will not be the same domain as the SCCM infrastructure.  My questions are below
  Will I need to have another PSS in the same domain as the SQL Server?  If yes then i assume I'll need a CAS as well to manage both PSS.
  Since the SQL servers will eventually be moved to another domain/forest, which will have a two was trust as well, what are the potential issues that can arise from this?
  Thanks

  Technically what you're asking for will work.  THat said:  you should be willing to demonstrate to your SQL team that SCCM will be fully capable of overwriting, dismounting and otherwise destroying every database on that shared SQL server due to
  the ridiculously elevated permissions required on said said SQL system.
  To clarify:
  SCCM will require local administrator permissions to every node in the cluster.  When it connects, it will immediately install a server role on said cluster.  It will also require full administrative access to the instance the database will reside
  in.  By the time all this fun stuff is open, anyone who knows how to open up a command prompt under the system context of your SCCM server will be able to to all sorts of fun stuff that really REALLY won't make your SQL team very happy.
  I'd fight the desire tooth and nail.  If they threaten to not support the SQL instance I'd be OK with that even.  Microsoft won't even support you if you make any edits/changes to the SQL database directly anyway.

• Has anyone experienced loss of camera and flash functionality after upgrading to iOS 6.1.2?

  I just updated to iOS 6.1.2 and now the shutter on the native camera and other camera apps won't open nor does the flash work.  Sometimes it tries to open and crashes, and sometimes it just stays closed.  I have restored the phone and there's no change.  Anyone else experienced this?

  Same happened to me today.
  At night I charge my phone and set it to "Flight Mode".
  I got up at 6:42am and unpluged the phone at 6:45.
  I did not use my phone at all until 10:40am, but the battery sank to 22% until this time.
  How can it be fixed? Why is Apple so much more expensive than other phones (wich are better by the way), but it's not working as good as others...?
  Message was edited by: b1mstar I forgot to mention, that the phone got really warm, while I did nothing with it.

• Domain functional level 2003 -- 2008 and TMG 2010 (sp2 rollup 2)

  Hi,
  We want to raise our domain and forest functional level from 2003 to 2008. All DC's have been on 2008 or 2008R2 for about two years.
  I cannot find if there is any impact on TMG 2010 sp2 rollup 2. Does anyone know if this will bring any issues?
  Thanks!

  No impact. From a TMG perspective, go ahead.
  Hth, Anders Janson Enfo Zipper