Raising DFL 2003 to 2008R2

  • Last Post 12 October 2015
Llara posted this 10 October 2015

We are looking at raising the Domain Functional Level from 2003 to 2008 R2 and we were wondering if we can get some suggestions on how to safely approach it. Should we get this done from a DC that holds a particular set of FSMO roles? Is there anything that we need to be aware of, like issues or requirements that we need to clear before raising the level? Is there any way to do it so that we can test and then roll it out to the rest of the domain controllers? What is the best way and process to roll back if something happens?
These are questions that I have in mind but I am looking for advice on anything else that I am sure we are missing and should be considering. 
Thank you in advance to everyone! 

kurtbuff posted this 10 October 2015

My org just did this a month ago.
I presume that all of your DCs are at least 2008R2, and you're running a single domain forest, however - because that's all I can speak to. There might, or might not, be other considerations for more complex

abhay.ipg posted this 11 October 2015

Hello Luis,
There is no such major risk in doing this; however, check your dependency, which is based on the DC, because if you have to set the Windows Server 2008 R2 functional level then only Windows Server 2008 R2 DCs can be supported.
Hence, my suggestion would be to check the dependency; then you are all set to move forward. Thanks
Regards,
Abhay Singh
Email:- Abhay.ipg@xxxxxxxxxxxxxxxx
Cell :- +91-8527676669
Skype:- abhayit1


ZJORZ posted this 11 October 2015

Hi,

Known “issues” when increasing the DFL/FFL are:

  • Password of KRBTGT account is changed (specific when coming from DFL W2K3)
  • Applications/systems that check for hardcoded DFL (e.g. it must be W2K3) instead of checking for minimum DFL (e.g. at least W2K3)
  • Advanced Encryption Standard (AES 128 and AES 256) support becomes available for the Kerberos protocol

Additional information:

  • http://blogs.technet.com/b/askpfeplat/archive/2012/04/09/a-few-things-you-should-know-about-raising-the-dfl-and-or-ffl-to-windows-server-2008-r2.aspx
  • http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx
  • http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx
  • http://support.microsoft.com/kb/322692

Kind regards,
Jorge de Almeida Pinto
E-mail: JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx
Phone: +31 (0)6 26.26.62.80
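A read-only pre-flight report for the points raised so far in this thread: every DC must run at least Windows Server 2008 R2, and the krbtgt password changes when coming from DFL W2K3, so a per-DC baseline is worth capturing first. This is an added example, not part of any poster's message; it assumes the ActiveDirectory PowerShell module and at least one DC running AD Web Services.

```powershell
# Added example (not from the thread): read-only report to run before raising the DFL.
# Assumes the ActiveDirectory module and at least one DC running AD Web Services.
Import-Module ActiveDirectory

$domain = Get-ADDomain          # add -Identity <domain> to target a child domain
$minOs  = [version]'6.1'        # Windows Server 2008 R2 reports OS version 6.1

'Domain {0} is at {1}; PDC emulator: {2}' -f $domain.DNSRoot, $domain.DomainMode, $domain.PDCEmulator

$dcs = Get-ADDomainController -Filter * -Server $domain.PDCEmulator
$report = foreach ($dc in $dcs) {
    # OperatingSystemVersion looks like "6.1 (7601)"; keep the major.minor part only.
    $osVersion = [version](($dc.OperatingSystemVersion -split ' ')[0])

    # Baseline of krbtgt as seen by this DC, to compare after the raise.
    # A DC that is powered off or unreachable is recorded instead of aborting the run.
    try {
        $krbtgt = Get-ADUser -Identity krbtgt -Server $dc.HostName `
                    -Properties PasswordLastSet, 'msDS-KeyVersionNumber' -ErrorAction Stop
        $reachable = $true
    } catch {
        $krbtgt = $null
        $reachable = $false
    }

    [pscustomobject]@{
        DC           = $dc.HostName
        OS           = $dc.OperatingSystem
        MeetsMinimum = $osVersion -ge $minOs
        Reachable    = $reachable
        KrbtgtPwdSet = if ($krbtgt) { $krbtgt.PasswordLastSet }
        KrbtgtKeyVer = if ($krbtgt) { $krbtgt.'msDS-KeyVersionNumber' }
    }
}
$report | Format-Table -AutoSize

# Any DC below 2008 R2 blocks the raise.
$blockers = @($report | Where-Object { -not $_.MeetsMinimum })
if ($blockers.Count -gt 0) {
    $names = ($blockers | ForEach-Object { $_.DC }) -join ', '
    Write-Warning "DCs below Windows Server 2008 R2: $names"
} else {
    'All listed DCs run Windows Server 2008 R2 or later.'
}
```

Running it again after the raise shows whether the krbtgt password-set time changed and whether every DC reports the same value once replication has completed.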

PARRIS posted this 11 October 2015

Some very old versions of winbind fail to work; if you have no Linux then this won't be an issue.

Regards,
Mark Parris
Active Directory & Hybrid Identity Consultant
MVP Enterprise Mobility | MCM Directory Services
Mobile: +44 7801 690596
E-mail: mark@xxxxxxxxxxxxxxxx

Llara posted this 11 October 2015

Anytime something is introduced to production we have to have a way out - can anyone please provide any suggestions on how to roll back if something does not work as expected?
Also, can we shut down some DCs, raise the DFL, confirm functionality, and finally power up the other DCs?
If something goes wrong, can we do an authoritative restore of AD to bring the DFL back to its original level?
I am trying to define what's the best action plan to get this completed; we have a forest root domain and a child domain (5 DCs); the child will be the one changing the level.
  



ZJORZ posted this 11 October 2015

Once you configure the new DFL you cannot go back to W2K3.

Your rollback plan is a domain recovery using the most recent backups.

If you have a multi domain forest, in addition you would need to rebuild the partition of the restored domain on GCs in other domains.

Kind regards,
Jorge de Almeida Pinto
E-mail: JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx
Phone: +31 (0)6 26.26.62.80

slavickp posted this 12 October 2015

Most recently I just state there will be no rollback: the only plan is hugely disruptive. Note: you must practice domain and forest recovery, for reasons other than having a rollback plan for DFL elevation.
Regards
Slav
MCM-DS

kevinrjames posted this 12 October 2015

You can ‘revert’ down to 2008, but no further.  /kj 

