Solved

Risks/Issues associated with upgrading Domain Function Level?

Posted on 2015-01-19
Last Modified: 2015-01-20
Hi,

We currently run our AD on 2008 R2 Function Level. Both our Domain Controllers are running Windows 2012 R2 and most of our member servers are also running 2012 R2 standard.

We have 2 ADFS servers in a cluster for Single-Sign-On against Office 365 and 2x ADFS PROXY servers in a cluster on a separate subnet (also for external Single-Sign-On to Office 365). These 4 servers run Windows 2008 R2 Standard.

My question is simple: are there any risks associated with simply upgrading the domain function level?

Here's the output of "dcdiag /v"

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   * Verifying that the local machine COMPANY-DC1, is a Directory Server. 
   Home Server = COMPANY-DC1

   * Connecting to directory service on server COMPANY-DC1.

   * Identified AD Forest. 
   Collecting AD specific global data 
   * Collecting site info.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=COMPANY,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded 
   Iterating through the sites 
   Looking at base site object: CN=NTDS Site Settings,CN=COMPANY,CN=Sites,CN=Configuration,DC=COMPANY,DC=local
   Getting ISTG and options for the site
   * Identifying all servers.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=COMPANY,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers 
   Getting information for the server CN=NTDS Settings,CN=COMPANY-DC1,CN=Servers,CN=COMPANY,CN=Sites,CN=Configuration,DC=COMPANY,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=COMPANY-BACKUP1,CN=Servers,CN=COMPANY,CN=Sites,CN=Configuration,DC=COMPANY,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.

   * Found 2 DC(s). Testing 1 of them.

   Done gathering initial info.


Doing initial required tests

   
   Testing server: COMPANY\COMPANY-DC1

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity 
         * Active Directory RPC Services Check
         ......................... COMPANY-DC1 passed test Connectivity



Doing primary tests

   
   Testing server: COMPANY\COMPANY-DC1

      Starting test: Advertising

         The DC COMPANY-DC1 is advertising itself as a DC and having a DS.
         The DC COMPANY-DC1 is advertising as an LDAP server
         The DC COMPANY-DC1 is advertising as having a writeable directory
         The DC COMPANY-DC1 is advertising as a Key Distribution Center
         The DC COMPANY-DC1 is advertising as a time server
         The DS COMPANY-DC1 is advertising as a GC.
         ......................... COMPANY-DC1 passed test Advertising

      Test omitted by user request: CheckSecurityError

      Test omitted by user request: CutoffServers

      Starting test: FrsEvent

         * The File Replication Service Event log test 
         Skip the test because the server is running DFSR.

         ......................... COMPANY-DC1 passed test FrsEvent

      Starting test: DFSREvent

         The DFS Replication Event Log. 
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL

         replication problems may cause Group Policy problems. 
         A warning event occurred.  EventID: 0x80001396

            Time Generated: 01/18/2015   23:53:05

            Event String:

            The DFS Replication service is stopping communication with partner COMPANY-BACKUP1 for replication group Domain System Volume due to an error. The service will retry the connection periodically. 

             

            Additional Information: 

            Error: 9036 (Paused for backup or restore) 

            Connection ID: 673E12AD-E08A-4E51-BEDF-B7A025B3A9C6 

            Replication Group ID: 9BB5FED0-3EBE-4671-9834-9104902F509A

         ......................... COMPANY-DC1 passed test DFSREvent

      Starting test: SysVolCheck

         * The File Replication Service SYSVOL ready test 
         File Replication Service's SYSVOL is ready 
         ......................... COMPANY-DC1 passed test SysVolCheck

      Starting test: KccEvent

         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... COMPANY-DC1 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         Role Schema Owner = CN=NTDS Settings,CN=COMPANY-DC1,CN=Servers,CN=COMPANY,CN=Sites,CN=Configuration,DC=COMPANY,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=COMPANY-DC1,CN=Servers,CN=COMPANY,CN=Sites,CN=Configuration,DC=COMPANY,DC=local
         Role PDC Owner = CN=NTDS Settings,CN=COMPANY-DC1,CN=Servers,CN=COMPANY,CN=Sites,CN=Configuration,DC=COMPANY,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=COMPANY-DC1,CN=Servers,CN=COMPANY,CN=Sites,CN=Configuration,DC=COMPANY,DC=local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=COMPANY-DC1,CN=Servers,CN=COMPANY,CN=Sites,CN=Configuration,DC=COMPANY,DC=local
         ......................... COMPANY-DC1 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         Checking machine account for DC COMPANY-DC1 on DC COMPANY-DC1.
         * SPN found :LDAP/COMPANY-DC1.COMPANY.local/COMPANY.local
         * SPN found :LDAP/COMPANY-DC1.COMPANY.local
         * SPN found :LDAP/COMPANY-DC1
         * SPN found :LDAP/COMPANY-DC1.COMPANY.local/COMPANY
         * SPN found :LDAP/9df5026d-8b8b-4a91-9678-8178ea03ccb9._msdcs.COMPANY.local
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/9df5026d-8b8b-4a91-9678-8178ea03ccb9/COMPANY.local
         * SPN found :HOST/COMPANY-DC1.COMPANY.local/COMPANY.local
         * SPN found :HOST/COMPANY-DC1.COMPANY.local
         * SPN found :HOST/COMPANY-DC1
         * SPN found :HOST/COMPANY-DC1.COMPANY.local/COMPANY
         * SPN found :GC/COMPANY-DC1.COMPANY.local/COMPANY.local
         ......................... COMPANY-DC1 passed test MachineAccount

      Starting test: NCSecDesc

         * Security Permissions check for all NC's on DC COMPANY-DC1.
         The forest is not ready for RODC. Will skip checking ERODC ACEs.
         * Security Permissions Check for

           DC=ForestDnsZones,DC=COMPANY,DC=local
            (NDNC,Version 3)
         * Security Permissions Check for

           DC=DomainDnsZones,DC=COMPANY,DC=local
            (NDNC,Version 3)
         * Security Permissions Check for

           CN=Schema,CN=Configuration,DC=COMPANY,DC=local
            (Schema,Version 3)
         * Security Permissions Check for

           CN=Configuration,DC=COMPANY,DC=local
            (Configuration,Version 3)
         * Security Permissions Check for

           DC=COMPANY,DC=local
            (Domain,Version 3)
         ......................... COMPANY-DC1 passed test NCSecDesc

      Starting test: NetLogons

         * Network Logons Privileges Check
         Verified share \\COMPANY-DC1\netlogon
         Verified share \\COMPANY-DC1\sysvol
         ......................... COMPANY-DC1 passed test NetLogons

      Starting test: ObjectsReplicated

         COMPANY-DC1 is in domain DC=COMPANY,DC=local
         Checking for CN=COMPANY-DC1,OU=Domain Controllers,DC=COMPANY,DC=local in domain DC=COMPANY,DC=local on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=COMPANY-DC1,CN=Servers,CN=COMPANY,CN=Sites,CN=Configuration,DC=COMPANY,DC=local in domain CN=Configuration,DC=COMPANY,DC=local on 1 servers
            Object is up-to-date on all servers.
         ......................... COMPANY-DC1 passed test ObjectsReplicated

      Test omitted by user request: OutboundSecureChannels

      Starting test: Replications

         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=COMPANY,DC=local
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainDnsZones,DC=COMPANY,DC=local
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=COMPANY,DC=local
               Latency information for 5 entries in the vector were ignored.
                  5 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=COMPANY,DC=local
               Latency information for 5 entries in the vector were ignored.
                  5 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=COMPANY,DC=local
               Latency information for 5 entries in the vector were ignored.
                  5 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         ......................... COMPANY-DC1 passed test Replications

      Starting test: RidManager

         * Available RID Pool for the Domain is 5120 to 1073741823
         * COMPANY-DC1.COMPANY.local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 4120 to 4619
         * rIDPreviousAllocationPool is 4120 to 4619
         * rIDNextRID: 4150
         ......................... COMPANY-DC1 passed test RidManager

      Starting test: Services

         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... COMPANY-DC1 passed test Services

      Starting test: SystemLog

         * The System Event log test
         Found no errors in "System" Event log in the last 60 minutes.
         ......................... COMPANY-DC1 passed test SystemLog

      Test omitted by user request: Topology

      Test omitted by user request: VerifyEnterpriseReferences

      Starting test: VerifyReferences

         The system object reference (serverReference) CN=COMPANY-DC1,OU=Domain Controllers,DC=COMPANY,DC=local and backlink on

         CN=COMPANY-DC1,CN=Servers,CN=COMPANY,CN=Sites,CN=Configuration,DC=COMPANY,DC=local are correct. 
         The system object reference (serverReferenceBL)

         CN=COMPANY-DC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=COMPANY,DC=local and backlink

         on CN=NTDS Settings,CN=COMPANY-DC1,CN=Servers,CN=COMPANY,CN=Sites,CN=Configuration,DC=COMPANY,DC=local are correct. 
         The system object reference (msDFSR-ComputerReferenceBL)

         CN=COMPANY-DC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=COMPANY,DC=local and backlink

         on CN=COMPANY-DC1,OU=Domain Controllers,DC=COMPANY,DC=local are correct. 
         ......................... COMPANY-DC1 passed test VerifyReferences

      Test omitted by user request: VerifyReplicas

   
      Test omitted by user request: DNS

      Test omitted by user request: DNS

   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : COMPANY

      Starting test: CheckSDRefDom

         ......................... COMPANY passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... COMPANY passed test CrossRefValidation

   
   Running enterprise tests on : COMPANY.local

      Test omitted by user request: DNS

      Test omitted by user request: DNS

      Starting test: LocatorCheck

         GC Name: \\COMPANY-DC1.COMPANY.local

         Locator Flags: 0xe000f3fd
         PDC Name: \\COMPANY-DC1.COMPANY.local
         Locator Flags: 0xe000f3fd
         Time Server Name: \\COMPANY-DC1.COMPANY.local
         Locator Flags: 0xe000f3fd
         Preferred Time Server Name: \\COMPANY-DC1.COMPANY.local
         Locator Flags: 0xe000f3fd
         KDC Name: \\COMPANY-DC1.COMPANY.local
         Locator Flags: 0xe000f3fd
         ......................... COMPANY.local passed test LocatorCheck

      Starting test: Intersite

         Skipping site COMPANY, this site is outside the scope provided by the command line arguments provided. 
         ......................... COMPANY.local passed test Intersite


Question by:cegeland

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40558456
There should be no issues at all upgrading from 2008R2 to 2012R2 functional levels. Upgrading the functional levels simply opens up the new features in later versions of Active Directory.

This only affects the domain controllers directly in your environment and what they are capable of doing at the new functional level.

Make sure that you have checked your replication and it is working accordingly without issues.

repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads

Aside from that it should be fine.

Will.
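The checks the accepted answer asks for (replication health via the repadmin commands, plus confirming that only domain controllers are affected) can be scripted as a read-only pre-flight before anyone touches the functional level. The following is an added example, not code posted in this thread or by Microsoft: it assumes the RSAT ActiveDirectory module is available, reuses the domain name COMPANY.local and the 2012 R2 target from the question, and treats the 24-hour DFSR event window the same way the DFSREvent test in the question's dcdiag output does. The actual raise (Set-ADDomainMode) is only printed, never executed.

```powershell
# Pre-flight for raising the Domain Functional Level (added example, not from the thread).
# Assumes: RSAT ActiveDirectory module, rights to read AD and remote event logs.
Import-Module ActiveDirectory

$domainName         = 'COMPANY.local'         # domain from the question; change for your environment
$targetMode         = 'Windows2012R2Domain'   # DomainMode value accepted by Set-ADDomainMode
$minimumDcOsVersion = [version]'6.3'          # Windows Server 2012 R2 reports OS version 6.3

$domain = Get-ADDomain -Identity $domainName
$forest = Get-ADForest -Identity $domain.Forest
Write-Host "Current DFL: $($domain.DomainMode)   Current FFL: $($forest.ForestMode)"

# 1. Every domain controller must run an OS at or above the target level.
#    Member servers (the 2008 R2 ADFS boxes in the question) are deliberately
#    not inspected: the functional level only constrains domain controllers.
$dcs = Get-ADDomainController -Filter * -Server $domainName
$oldDcs = $dcs | Where-Object {
    # OperatingSystemVersion looks like "6.3 (9600)"; keep only the numeric part
    [version]($_.OperatingSystemVersion -replace '\s*\(.*\)$', '') -lt $minimumDcOsVersion
}
Write-Host "`nDomain controllers:"
$dcs | Select-Object HostName, OperatingSystem, OperatingSystemVersion | Format-Table -AutoSize

# 2. Replication state for every DC in the domain: the cmdlet equivalent of
#    "repadmin /replsum" and "repadmin /showrepl" from the accepted answer.
$failures = Get-ADReplicationFailure -Target $domainName -Scope Domain
$partners = Get-ADReplicationPartnerMetadata -Target $domainName -Scope Domain
$stale    = $partners | Where-Object { $_.LastReplicationResult -ne 0 }
Write-Host "Inbound replication links:"
$partners |
    Select-Object Server, Partner, Partition, LastReplicationSuccess,
                  LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# 3. DFSR warnings/errors in the last 24 hours on each DC, the same window the
#    dcdiag DFSREvent test uses (the question's output carried a warning with
#    EventID 0x80001396, i.e. DFSR event 5014, error 9036 "Paused for backup or restore").
#    Reported for review only; it is not treated as a hard blocker here.
$since = (Get-Date).AddHours(-24)
$dfsrEvents = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'DFS Replication'
        Level     = 2, 3            # 2 = Error, 3 = Warning
        StartTime = $since
    } | Select-Object MachineName, TimeCreated, Id, LevelDisplayName, Message
}
if ($dfsrEvents) {
    Write-Host "DFSR events in the last 24h (review before proceeding):"
    $dfsrEvents | Format-Table MachineName, TimeCreated, Id, LevelDisplayName -AutoSize
}

# 4. Summarise blockers. Nothing below changes the directory.
$blockers = @()
if ($oldDcs)   { $blockers += "DC(s) below OS $minimumDcOsVersion : $($oldDcs.HostName -join ', ')" }
if ($failures) { $blockers += "$(@($failures).Count) replication failure record(s) reported" }
if ($stale)    { $blockers += "$(@($stale).Count) replication link(s) whose last attempt did not succeed" }

if ($blockers) {
    Write-Warning "Do not raise the functional level yet:"
    $blockers | ForEach-Object { Write-Warning "  - $_" }
} else {
    Write-Host "Pre-flight passed. The raise itself is a separate, deliberate step:" -ForegroundColor Green
    Write-Host "  Set-ADDomainMode -Identity $domainName -DomainMode $targetMode"
}
```

Run it from a domain-joined admin workstation or a DC; the numbered sections map onto the answer's three repadmin commands and the dcdiag DFSREvent test, so the output can be compared directly with the text dumps posted later in this thread. Keeping the raise as a printed command rather than executing it at the end of a health check is the design choice worth copying: the check is safe to rerun on any schedule, while the functional-level change stays an explicit, reviewed action.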

Author Comment

by:cegeland
ID: 40558644
Thank you for your reply.

So just to make sure - these are the results of the commands. Everything seems fine to me - ok to proceed? No chance I will mess up the Office 365 Single-Sign-On? Sorry for being a bit paranoid, I've just had bad experiences with the ADFS in the past :)

repadmin /replsum:
Replication Summary Start Time: 2015-01-19 22:38:28

Beginning data collection for replication summary, this may take awhile:
  .....


Source DSA          largest delta    fails/total %%   error
 COMPANY-BACKUP1               50m:43s    0 /   5    0
 COMPANY-DC1                   50m:58s    0 /   5    0


Destination DSA     largest delta    fails/total %%   error
 COMPANY-BACKUP1               50m:59s    0 /   5    0
 COMPANY-DC1                   50m:43s    0 /   5    0



repadmin /showrepl:
Repadmin: running command /showrepl against full DC localhost
COMPANY\COMPANY-DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 9df5026d-8b8b-4a91-9678-8178ea03ccb9
DSA invocationID: 6a5c5269-c30f-41b7-9a69-e17b8d27d9fe

==== INBOUND NEIGHBORS ======================================

DC=COMPANY,DC=local
    COMPANY\COMPANY-BACKUP1 via RPC
        DSA object GUID: 4f3d9bfd-63c6-404b-a5cf-48631f2f9f9e
        Last attempt @ 2015-01-19 22:38:25 was successful.

CN=Configuration,DC=COMPANY,DC=local
    COMPANY\COMPANY-BACKUP1 via RPC
        DSA object GUID: 4f3d9bfd-63c6-404b-a5cf-48631f2f9f9e
        Last attempt @ 2015-01-19 21:47:45 was successful.

CN=Schema,CN=Configuration,DC=COMPANY,DC=local
    COMPANY\COMPANY-BACKUP1 via RPC
        DSA object GUID: 4f3d9bfd-63c6-404b-a5cf-48631f2f9f9e
        Last attempt @ 2015-01-19 21:47:48 was successful.

DC=DomainDnsZones,DC=COMPANY,DC=local
    COMPANY\COMPANY-BACKUP1 via RPC
        DSA object GUID: 4f3d9bfd-63c6-404b-a5cf-48631f2f9f9e
        Last attempt @ 2015-01-19 21:47:54 was successful.

DC=ForestDnsZones,DC=COMPANY,DC=local
    COMPANY\COMPANY-BACKUP1 via RPC
        DSA object GUID: 4f3d9bfd-63c6-404b-a5cf-48631f2f9f9e
        Last attempt @ 2015-01-19 21:47:51 was successful.



repadmin /bridgeheads:
Repadmin: running command /bridgeheads against full DC localhost
Gathering topology from site COMPANY (COMPANY-DC1.COMPANY.local):

Bridgeheads for site COMPANY (COMPANY-BACKUP1.COMPANY.local):
             Source Site    Local Bridge  Trns         Fail. Time    #    Status
         ===============  ==============  ====  =================   ===  ========



Expert Comment

by:Will Szymkowski
ID: 40558857
Yep, everything looks good. As stated, the only thing that changes is the features that you can use once the domain FFL and DFL have been raised.

Will.