Solved

Failed to Raise Forest Function Level

Posted on 2015-01-28
Last Modified: 2015-02-12
Currently 3 domain controllers in single domain.  2 servers Windows 2008 R2, 1 server Windows 2008 Standard.
The domain functional level is currently Windows 2008.  In the AD Administrative Center, there is an option to raise the Forest Function level.  It was Win2003.  I initiated the Raise Forest Function Level to Win2008 and it failed.

This is the message when I go back to "Raise the Forest Function":

"To raise the forest functional level, ensure that all domain controllers in the forest are running appropriate versions of Windows Server and there are no domains in the forest with a domain functional level set to Windows 2000 mixed."

I don't have any Windows 2000 or 2003 domain controllers.  There is one lowly Win2k3 member server still operating. I know that we converted to mixed mode when we were at w2k and w2k3.  However, the same screen shows the Forest Function Level at Windows 2008.  How do I verify what the Forest Function level is?
Failed.FFL.JPG
0
Question by:cobmo
8 Comments
 
LVL 32

Accepted Solution

by:
it_saige earned 500 total points
First you need to validate your Domain Functional Level: In 'Active Directory Domains and Trusts', right-click on your Domain and choose 'Properties'. The properties page will show you both the Domain and Forest Functional Level.

In order to raise your Forest Functional Level, first ensure that your Domain Functional Level is *at least* Windows 2003 and that you don't have any Windows 2003 Servers in your domain (which you have stipulated that you do not).

https://technet.microsoft.com/library/understanding-active-directory-functional-levels(WS.10).aspx

You will also want to make sure that you don't have any Windows 2003 Domain Controllers left in the metadata for AD.



-saige-
0
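
For the question of how to verify the levels without relying on one console screen, the script below reads the stored values from every domain controller over plain LDAP. It is an added example, not part of the original answer; it assumes a single-domain forest as described in the question, and the function name Get-BehaviorVersion is made up for illustration.

```powershell
# Added example: read the functional levels as each DC stores them (ADSI only, works in PowerShell 2.0).
# msDS-Behavior-Version values for the levels discussed in this thread
$levelName = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'
                2 = 'Windows Server 2003'; 3 = 'Windows Server 2008'
                4 = 'Windows Server 2008 R2' }

function Get-BehaviorVersion([string]$Server, [string]$Dn) {
    # Hypothetical helper: bind to one specific DC and read the attribute from its copy
    $entry = [ADSI]"LDAP://$Server/$Dn"
    $value = $entry.psbase.Properties['msDS-Behavior-Version'].Value
    # An absent attribute means level 0 (Windows 2000)
    if ($null -eq $value) { 0 } else { [int]$value }
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$root   = [ADSI]'LDAP://RootDSE'
$domNC  = [string]$root.psbase.Properties['defaultNamingContext'].Value
$cfgNC  = [string]$root.psbase.Properties['configurationNamingContext'].Value

$report = foreach ($dc in $domain.DomainControllers) {
    # Forest level lives on the Partitions container, domain level on the domain head
    $forest = Get-BehaviorVersion $dc.Name "CN=Partitions,$cfgNC"
    $dom    = Get-BehaviorVersion $dc.Name $domNC
    New-Object PSObject -Property @{
        DC          = $dc.Name
        OS          = $dc.OSVersion
        ForestLevel = $levelName[$forest]
        DomainLevel = $levelName[$dom]
    }
}
$report | Select-Object DC, OS, ForestLevel, DomainLevel | Format-Table -AutoSize

# Every DC should report the same pair; a mismatch points at replication, not at the raise itself
$distinct = @($report | Select-Object -Property ForestLevel, DomainLevel -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning 'Domain controllers disagree on the functional level: check replication.'
}
```

The OS column shows the lowest domain controller version present, which is what limits how far either level can be raised.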
 
LVL 53

Expert Comment

by:Will Szymkowski
What is the error message that you are getting? Have you checked to ensure that your AD replication is working properly?

repadmin /replsum
repadmin /showrepl

Will.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
A few simple things to look at:

1.  Check AD Sites and Services/Sites/Default-First-Site-Name (or other site name(s)) and make sure that there aren't any old objects left in there from DCs that have been decommissioned/removed from service.

2.  You can also check using adsiedit and again make sure that there aren't any old orphaned server objects left around that might be causing the error.
0
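
The two manual checks above (AD Sites and Services, then adsiedit) can be done in one pass with the script below. It is an added example, not part of the original comment; the status wording is an assumption made for this example, and any flagged entry should be confirmed by hand before anything is deleted.

```powershell
# Added example: list server objects under CN=Sites and flag likely leftovers from old DCs.
$root  = [ADSI]'LDAP://RootDSE'
$cfgNC = [string]$root.psbase.Properties['configurationNamingContext'].Value

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$cfgNC"
$searcher.Filter     = '(objectClass=server)'
$searcher.PageSize   = 500
$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'serverReference'))

$findings = foreach ($hit in $searcher.FindAll()) {
    $dn = [string]$hit.Properties['distinguishedname'][0]

    # A functioning DC has an NTDS Settings child under its server object
    $hasNtds = [ADSI]::Exists("LDAP://CN=NTDS Settings,$dn")

    # serverReference should point at the DC's computer account in the domain
    $ref = $hit.Properties['serverreference']
    $hasAccount = ($ref.Count -gt 0) -and [ADSI]::Exists("LDAP://$($ref[0])")

    if ($hasNtds -and $hasAccount) {
        $status = 'NTDS Settings and computer account present'
    } elseif ($hasNtds) {
        $status = 'NTDS Settings but no computer account: metadata cleanup candidate'
    } else {
        $status = 'No NTDS Settings: leftover server object, not a DC'
    }
    New-Object PSObject -Property @{ Server = $dn; Status = $status }
}

$findings | Select-Object Server, Status | Format-List
```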
 

Author Comment

by:cobmo
In checking the Domain properties, I see it indicates the correct version (see attachment). I thought maybe I hadn't given it enough time to replicate but it's been several hours on a small domain (125 users).

I checked the Domain Controllers (dcdiag /a) before I started.  I ran the replication commands and all is fine that I can tell.

AD Sites and Services only shows the 3 domain controllers.  Is there a way I can see any detailed residue?  I have had DCs in the past but have always demoted before removing from network.

Remember, I do have a Win2k3 MEMBER server still in use but understand this process affects DCs only from my research.

We started this domain with NT.  The domain name was CITY.  When we started using the FQDN the domain became CITY.STATE.US.

In the user account profiles, I still see the names that say pre-Windows 2000.  We originally used just the last name (CITY\smith).  With the introduction of email, all new users became CITY.STATE.US\tsmith.  Does the pre-Windows reference need to be deleted?  This might be a separate issue but it seems to just linger in the user configs and I'm not sure that hangs domain changes up.
Domain-Properties.JPG
userprofile2.jpg
0
 
LVL 32

Expert Comment

by:it_saige
Correct, member servers/computers are not considered by this process, only Domain Controllers.  The pre-Windows reference does not need to be deleted.  From the information you have posted so far, your Domain and Forest Functional Levels are correct for your current DC landscape (1 Windows Server 2008 R2 DC and 2 Windows Server 2008 DCs).

I would run a dcdiag just to be safe.

-saige-
0
 
LVL 34

Expert Comment

by:Seth Simmons
You can't raise the functional level higher than the lowest domain controller operating system version.

Your original post states you have 3 domain controllers - 1 2008 and 2 2008 R2.

Your screenshot shows the functional level as 2008.  You can't raise it to 2008 R2 because you have a 2008 domain controller.  Once that 2008 domain controller is demoted, that leaves you with only 2008 R2 domain controllers - then you can raise the functional level to 2008 R2.

So yes, I would expect that error message if you try to raise the functional level as-is.
0
 
LVL 32

Expert Comment

by:it_saige
Seth, he reported that he was raising from 2003 to 2008...

-saige-
0
 
LVL 35

Expert Comment

by:Mahesh
Before attempting to raise functional levels:

Check whether any domain controller has a public DNS IP defined in its TCP/IP DNS settings as preferred \ secondary; if so, remove it and restart the Netlogon and DNS services.

Ensure no stale DC exists in metadata.
Ensure that references to the FRS or DFS Replication Member Object are correct.

Move all your FSMO roles to a single server, replicate across the forest \ domain, and then check from each DC that the netdom query fsmo output is the same.

Lastly, ensure that AD replication and name resolution are working correctly using the commands below:
repadmin /showreps
repadmin /replsum * /bysrc /bydest /sort:delta
repadmin /syncall

Finally, try to raise the functional level from the forest root domain controller holding the FSMO roles.
0
