mudcow007
asked on
Server 2000 DC moving to Server 2012R2 - forest functional level
hello, we have a domain containing one DC (other DC failed) which is running server 2000, the domain functional level is 2000
the 2000 server is the last to be replaced in our domain, everything else is using Server 2012/ 2012R2
i have two brand new 2012 servers that i want to take over the running of the domain, i have just tried to promo one of the new servers and hit an error
"Verification of replica failed. the forest functional level is Windows 2000. To install Windows Server 2012 R2 domain or domain controller, the forest functional level must be Windows Server 2003 or higher"
now, will the existing DC (W2k) upgrade the domain functional level to 2003 - if so how can i do it without affecting domain services
ideas?
In a vacuum, yes what you propose would work.
HOWEVER!!!!
Anybody who has 2008 R2 machines "hanging around" probably has them doing stuff. If they are sitting idle, I'd ask what is the point of that? A machine that you have to patch, maintain, still may have vulnerabilities (every OS ever has them) so sitting idle is a security concern to be sure. So....let's assume these machines actually have workloads. Will those workloads like the machine suddenly being a DC? Probably not. MOST workloads will fall over because of the underlying changes a DC makes to the local security landscape.
As far as whether it can be done in a live environment, possibly. But certainly not all at once. Because this is your only DC, if you demote it too soon after introducing the new one, you'll introduce challenges with clients finding the new DC given the default TTL in windows DNS and potential DHCP lease changes you'll also have to make. You are looking at introducing incremental changes spanning weeks. Not one big-bang deployment.
Hi,
There are a lot of solved questions on EE, so have a look first, then feed back if they don't match your case:
https://www.experts-exchange.com/questions/23913804/Active-directory-migration-from-Win-2000-versus-Win-2008-domain.html
https://www.experts-exchange.com/questions/27713251/Windows-2000-to-2003-migration-with-non-integrated-domains.html
https://www.experts-exchange.com/questions/25067890/Backing-up-Windows-2000-Active-Directory-Domain-Controller-and-Restoring-to-test-upgrade-to-2008-AD-DC.html
https://www.experts-exchange.com/questions/22728136/Import-User-Accounts-Settings-From-Windows-2000-AD-to-Windows-2003-AD.html
https://www.experts-exchange.com/questions/28122028/AD-2000-2003-to-AD-2012-migration.html
https://www.experts-exchange.com/questions/27946693/Upgrading-Win2k-Server-to-Win2012-Server-problems.html
Also there is an article on how to migrate SBS2K5 to Win2K8 and Exchange2010
https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2881-Migrate-Small-Business-Server-2003-to-Exchange-2010-and-Windows-2008-R2.html
Best Regards.
Salah
ASKER
Update
i have created a VM on one of our 08r2 servers (whose main role is SSAS), promoted it and have been watching the event viewer for errors - of which there were none :)
now, the old 2000 DC is also our DNS server, if i transfer the FSMO roles to the new 08r2 can i leave the DNS on 2000, then when i'm able to promote the 12r2 servers i can then shift DNS onto them - if that makes sense?
thanks for the suggestions so far, they have been great...
Usually no. The issue is that your DNS zones are likely AD integrated so demoting the 2000 server will break them. You could go through hoops to change them and set up zone transfers, but at that point you might as well have just moved DNS to the new server anyways.
ASKER
the only issue with moving the dns to another box (which i will have to move again) is changing all the clients - we only have 50 users, but they are spread over a massive factory
looking at domain properties (in DNS - 2000) under general it states "Active Directory - integrated"
when i promoted the 08r2 box, i also made it a DNS server - this has already propagated from the 2000 server
do i now need to point the clients at the "new" dns server?
Yes.
ASKER
Update
moved all the clients to point to new DNS server
if any clients aren't pointing at the new server when i demote the old DC (which was the old DNS server) what is likely to happen?
thanks
Well, it is DNS. So almost everything would break.
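A pre-demotion check for the situation discussed above, as an added example that is not part of the original thread: it lists domain computers whose network adapters still reference the old DNS server, and whether that setting came from DHCP. It assumes the ActiveDirectory PowerShell module on the 2008 R2 DC, remote WMI access to the clients, and a placeholder address for the old server.

```powershell
# Added example: find machines that would lose name resolution when the old
# DC/DNS server is demoted. Run from the 2008 R2 DC with domain admin rights.
Import-Module ActiveDirectory

# Assumption: placeholder address of the DNS server that is about to be demoted.
$oldDns = '192.0.2.10'

$results = foreach ($computer in Get-ADComputer -Filter *) {
    $name = $computer.DNSHostName
    if (-not $name) { continue }   # stale object without a registered host name

    try {
        # Only adapters with an IP stack bound carry a DNS search order.
        $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                    -ComputerName $name -Filter 'IPEnabled = TRUE' -ErrorAction Stop

        foreach ($nic in $nics) {
            if ($nic.DNSServerSearchOrder -contains $oldDns) {
                New-Object PSObject -Property @{
                    Computer     = $name
                    Status       = 'StillUsesOldDns'
                    DnsServers   = $nic.DNSServerSearchOrder -join ', '
                    # True: fix the DHCP scope option; False: fix the static NIC setting.
                    DhcpAssigned = $nic.DHCPEnabled
                }
            }
        }
    }
    catch {
        # Powered off, firewalled or not a Windows host: has to be checked by hand.
        New-Object PSObject -Property @{
            Computer     = $name
            Status       = 'Unreachable'
            DnsServers   = ''
            DhcpAssigned = $null
        }
    }
}

$results |
    Sort-Object Status, Computer |
    Select-Object Computer, Status, DhcpAssigned, DnsServers |
    Format-Table -AutoSize
```

An empty result with no `Unreachable` rows means every reachable domain member has already moved off the old server; the domain controllers themselves appear in the list too, which catches a DC that still points at itself.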
ASKER
right, all clients are not pointing at new DNS
(and are confirmed pointing at new DC & DNS)
i have just gone to demote the old 2000 server
ran > dcpromo
and got
"The operations failed because:
A domain controller could not be contacted for the domain hello.ds that contained an account for this computer. Make a computer a member of a workgroup then rejoin the domain before retrying the promotion"
found it's because the 2000 server had itself as its preferred dns server, changed this to the 2008r2 server and it's not running the demotion....
ASKER
Update
i have successfully removed the server 2000 DC
we are all still able to log onto the domain!! :)
i'm now trying to configure the 12R2 server to be a DC, installed Active Directory Domain Services, when that was finished clicked on the yellow flag (in server manager) to promote server as a DC, as it begins to load it fails with
"Verification of replica failed. The forest functional Level is Windows 2000. To install Server 2012 R2 the forest must be 2003 or higher"
if i go to the 2008R2 DC, right click on the domain within Domains & trusts - it states the domain level is 2008 R2!?
anyone help please
thanks
Domain Functional Level and *FOREST* Functional Level are two *different* things. You have to bump them *both* up. As the error indicates, the forest is still 2000. And your description shows you only checked the domain.
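The distinction above, as an added example that is not part of the original thread: it prints the forest level next to each domain's level, lists the remaining domain controllers, and previews the forest raise. It assumes the ActiveDirectory PowerShell module on the 2008 R2 DC and an Enterprise Admins account; the target level used is the minimum named in the error message.

```powershell
# Added example: domain functional level and forest functional level are
# separate attributes, so report both before promoting the 2012 R2 server.
Import-Module ActiveDirectory

$forest = Get-ADForest
'Forest {0}: ForestMode = {1}' -f $forest.Name, $forest.ForestMode

foreach ($dns in $forest.Domains) {
    $domain = Get-ADDomain -Server $dns
    'Domain {0}: DomainMode = {1}' -f $domain.DNSRoot, $domain.DomainMode

    # Every remaining DC has to run an OS that supports the target level;
    # a leftover Windows 2000 DC would block the raise.
    Get-ADDomainController -Filter * -Server $dns |
        Select-Object HostName, OperatingSystem, IsGlobalCatalog |
        Format-Table -AutoSize
}

# Assumption: Windows2003Forest is chosen because it is the minimum the
# 2012 R2 promotion error asks for; a higher level can be used instead if
# all DCs support it.
$target = 'Windows2003Forest'

if ($forest.ForestMode -lt $target) {
    # -WhatIf only previews the change. Remove it to perform the raise once
    # the DC list above has been reviewed.
    Set-ADForestMode -Identity $forest.Name -ForestMode $target -WhatIf
}
else {
    'Forest level already satisfies {0}; nothing to raise.' -f $target
}
```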
ASKER
fantastic cheers guys, all sorted!
ASKER
i forgot to add, we already have a few 08r2 machines hanging around already, could I promo them, demote the y2k, upgrade the functional level, then promo the 12r2 servers?
demote 08 server, then upgrade the functional level to 12r2
would that work?
can this be done in a live environment, or best to do at twilight?
thanks