mudcow007 asked:

Server 2000 DC moving to Server 2012R2 - forest functional level

hello, we have a domain containing one DC (other DC failed) which is running server 2000, the domain functional level is 2000

the 2000 server is the last to be replaced in our domain, everything else is using Server 2012/ 2012R2

i have two brand new 2012 servers that i want to take over the running of the domain, i have just tried to promo one of the new servers and hit an error

"Verification of replica failed. the forest functional level is Windows 2000. To install Windows Server 2012 R2 domain or domain controller, the forest functional level must be Windows Server 2003 or higher"

now, will the existing DC (W2k) upgrade the domain functional level to 2003 - if so how can i do it without affecting domain services

ideas?
ASKER CERTIFIED SOLUTION
Cliff Galiher
ASKER

cheers Cliff

i forgot to add, we already have a few 08r2 machines hanging around already, could I promo them, demote the y2k, upgrade the functional level, then promo the 12r2 servers?

demote 08 server, then upgrade the functional level to 12r2

would that work?

can this be done in a live environment, or best to do at twilight?

thanks
In a vacuum, yes what you propose would work.

HOWEVER!!!!

Anybody who has 2008 R2 machines "hanging around" probably has them doing stuff. If they are sitting idle, I'd ask what is the point of that?  A machine that you have to patch, maintain, still may have vulnerabilities (every OS ever has them) so sitting idle is a security concern to be sure.  So....let's assume these machines actually have workloads.  Will those workloads like the machine suddenly being a DC?  Probably not. MOST workloads will fall over because of the underlying changes a DC makes to the local security landscape.  

As far as whether it can be done in a live environment, possibly. But certainly not all at once. Because this is your only DC, if you demote it too soon after introducing the new one, you'll introduce challenges with clients finding the new DC given the default TTL in windows DNS and potential DHCP lease changes you'll also have to make. You are looking at introducing incremental changes spanning weeks. Not one big-bang deployment.
Update

i have created a VM on one of our 08r2 servers (whose main role is SSAS), promoted it and have been watching the event viewer for errors - of which there were none :)

now, the old 2000 DC is also our DNS server, if i transfer the FSMO roles to the new 08r2 can i leave the DNS on 2000, then when im able to promote the 12r2 servers i can then shift DNS onto them - if that makes sense?

thanks for the suggestions so far, they have been great...
Usually no. The issue is that your DNS zones are likely AD integrated so demoting the 2000 server will break them. You could go through hoops to change them and set up zone transfers, but at that point you might as well have just moved DNS to the new server anyways.
the only issue with moving the dns to another box (which i will have to move again) is changing all the clients - we only have 50 users, but they are spread over a massive factory

looking at domain properties (in DNS - 2000) under general it states "Active Directory - integrated"

when i promoted the 08r2 box, i also made it a DNS server - this has already propagated from the 2000 server

do i now need to point the clients at the "new" dns server?
Update

moved all the clients to point to new DNS server

if any clients aren't pointing at the new server when i demote the old DC (which was the old DNS server) what is likely to happen?

thanks
Well, it is DNS. So almost everything would break.
right, all clients are not pointing at new DNS

(and are confirmed pointing at new DC & DNS)

i have just gone to demote the old 2000 server

ran > dcpromo

and got

"The operations failed because:
 A domain controller could not be contacted for the domain hello.ds that contained an account for this computer. Make a computer a member of a workgroup then rejoin the domain before retrying the promotion"

found it's because the 2000 server had itself as its preferred dns server, changed this to the 2008r2 server and its not running the demotion....
Update

i have successfully removed the server 2000 DC

we are all still able to log onto the domain!! :)

im now trying to configure the 12R2 server to be a DC, installed Active Directory Domain Services, when that was finished clicked on the yellow flag (in server manager) to promote server as a DC, as it begins to load it fails with

"Verification of replica failed. The forest functional Level is Windows 2000. To install Server 2012 R2 the forest must be 2003 or higher"

if i go to the 2008R2 DC, right click on the domain within Domains & trusts - it states the domain level is 2008 R2!?

anyone help please

thanks
Domain Functional Level and *FOREST* Functional Level are two *different* things. You have to bump them *both* up. As the error indicates, the forest is still 2000. And your description shows you only checked the domain.
fantastic cheers guys, all sorted!
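
The domain-versus-forest distinction from the last answer, as an added example that is not part of the original thread: a PowerShell sketch that reports both levels separately, checks that no Windows 2000 DC accounts remain, then raises every domain and finally the forest. It assumes the ActiveDirectory module (present on a 2008 R2 DC) and a target of Windows Server 2003, the minimum named in the error message; choose a higher target if your DCs allow it.

```powershell
# Added example, not code from the thread. Run on a DC (or RSAT host) as
# Domain Admin / Enterprise Admin. Raising a level is effectively one-way.
Import-Module ActiveDirectory

# Assumption: 2003 is the minimum the 2012 R2 promotion accepts (per the error text).
$targetDomainMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]'Windows2003Domain'
$targetForestMode = [Microsoft.ActiveDirectory.Management.ADForestMode]'Windows2003Forest'

$forest = Get-ADForest

# 1. The two levels are stored and reported separately.
"Forest {0}: {1}" -f $forest.Name, $forest.ForestMode
foreach ($name in $forest.Domains) {
    $dom = Get-ADDomain -Server $name
    "Domain {0}: {1}" -f $dom.DNSRoot, $dom.DomainMode
}

# 2. List every DC computer account (userAccountControl bit 8192 =
#    SERVER_TRUST_ACCOUNT) and stop if a Windows 2000 DC is still registered.
$dcs = foreach ($name in $forest.Domains) {
    Get-ADComputer -Server $name -Properties OperatingSystem `
        -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
}
$dcs | Select-Object DNSHostName, OperatingSystem | Format-Table -AutoSize
$legacy = @($dcs | Where-Object { $_.OperatingSystem -match 'Windows 2000' })
if ($legacy.Count -gt 0) {
    throw "Windows 2000 DC accounts remain: $($legacy.Name -join ', ')"
}

# 3. Raise each domain first; the forest cannot go above its lowest domain.
foreach ($name in $forest.Domains) {
    $dom = Get-ADDomain -Server $name
    if ($dom.DomainMode -lt $targetDomainMode) {
        Set-ADDomainMode -Identity $dom -Server $dom.PDCEmulator `
            -DomainMode $targetDomainMode
    }
}

# 4. Then raise the forest, which is the level the promotion check reads.
if ($forest.ForestMode -lt $targetForestMode) {
    Set-ADForestMode -Identity $forest -Server $forest.SchemaMaster `
        -ForestMode $targetForestMode
}

# 5. Confirm the result before retrying the 2012 R2 promotion.
"Forest is now: {0}" -f (Get-ADForest).ForestMode
```

Both `Set-ADDomainMode` and `Set-ADForestMode` support `-WhatIf`, so the raise steps can be rehearsed without changing anything.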