willp2

Can't raise Windows 2003 AD functional level

Hello, I'm trying to replace / migrate a 2003 AD to a 2012R2 AD. On the 2003 server I've run AD Prep and upgraded the forest, domain, etc. It shows that it has been upgraded and all is well. But when I go to Active Directory Users and Computers and try to raise the functional level, it just shows that the current domain level is 2003 and a message that says "The domain is operating at the highest possible functional level".

Not sure where to go with it as everything looks right, but I just don't have the option to raise the level. Any ideas would be appreciated.

Thanks
Guy Lidbetter

Have you decommissioned the 2003 DC? A domain can only be as high as its lowest DC version.
willp2

ASKER

No, I can't decommission it as I need to get it migrated to a 2012R2 server. The 2012R2 server won't let it become a DC until the AD is upgraded to 2012R2.
it_saige
That is not true.  You can add a 2012R2 DC to an existing Windows Server 2003 domain so long as the Forest and Domain Functional Levels are at a minimum Windows Server 2003.

https://technet.microsoft.com/library/understanding-active-directory-functional-levels(WS.10).aspx

There must be another issue.  What is the error you receive when adding the Active Directory Services Role to the 2012 server?

-saige-
AH sorry, you said 2012R2... you'll need to step up to 2012 from 2008 first because of schema changes...

So unfortunately you will need to do the following...

Build a 2008 server, don't join the domain yet!!!   ... run /ADPREP then join the 2008 server and DCpromo up.

Then build a 2012 R2 server... don't join yet!!!  ... run /ADPREP then join the 2012 R2 server and DCpromo up.

Transfer all FSMO roles and any other roles (DHCP, DNS, WINS etc) then Decomm 2003 and 2008 boxes... raise functional level.
@ -saige-    You are mistaken there.     Server 2012..... yes, 2012 R2 No.....
This is wrong Guy.  Schema changes are cumulative.  The only stipulation to join a 2012 server to an existing domain is that the Domain and Forest Levels be set to Windows Server 2012.

-saige-
The only stipulation to join a 2012 server to an existing domain is that the Domain and Forest Levels be set to Windows Server 2012.

And how do you do that with only a 2003 DC???
Microsoft seems to disagree with you Guy and I have added 2012 R2 servers to an existing 2003 domain without needing a 2008 server myself (as have many others here):

[Image] Source

-saige-
Head down... I stand corrected....

I previously had this very same issue and was unable to specifically go directly to 2012 R2 from 2003. I have done numerous 2012's though...  However there seems to be a lot of info going against me!!

Apologies Saige! All yours!

(By the way... that last link already has a 2008 Schema as I suggested... check the pic for raising the functional level....)
Not a problem Guy, you most likely ran into a (at least now) known issue:

When adding a Windows Server 2012 to a Windows Server 2003 only domain, there are a couple of potential gotchas to be on the lookout for:

1.  You may have to modify the component services on the 2003 DC before ADPREP will successfully run:

http:/Q_28584877.html#a40514872

2.  Kerberos authentication can fail intermittently (Microsoft has a hotfix for this issue) -

http://blogs.technet.com/b/askds/archive/2014/07/23/it-turns-out-that-weird-things-can-happen-when-you-mix-windows-server-2003-and-windows-server-2012-r2-domain-controllers.aspx

-saige-
willp2

ASKER

I have upgraded other ADs to a higher functional level before without needing to have the newer DC. Not sure I ever went from 2003 to 2012R2 before, but I have gone up. In this case it's odd that adprep is showing that everything is upgraded, but I don't get the option to actually change the functional level.

In the past we run adprep, raise the functional level, add the new DC and we're good to go. In this case I just never get the option to raise the level.

What am I missing?
Interesting note:

Following the links in the page - http://technet.microsoft.com/en-us/library/dn303411.aspx - will lead you to here - https://technet.microsoft.com/library/hh994618.aspx - where beneath "What's new in AD DS in Windows Server 2012 R2" - "Deprecation of FRS" states that -

"The Windows Server 2003 domain functional level is also deprecated because at the functional level, FRS is used to replicate SYSVOL. That means when you create a new domain on a server that runs Windows Server 2012 R2, the domain functional level must be Windows Server 2008 or newer. You can still add a domain controller that runs Windows Server 2012 R2 to an existing domain that has a Windows Server 2003 domain functional level; you just can't create a new domain at that level."
You cannot move the Forest and Domain functional levels above the lowest supported operating system of the current Forest and Domain functional levels so long as that operating system exists within the Forest/Domain as a Domain Controller (you can, however, have member servers of *any* operating system within the domain as long as the operating system on the member server supports active directory membership).

In other words -

With the following setup: Windows 2000 server (member server), Windows 2003 server (Domain controller) and Windows 2012R2 server (Domain controller) - my Domain and Forest Functional Levels must be set to Windows Server 2003 (no lower, no higher).

However, with this setup: Windows 2000 server (member server), Windows 2003 server (member server) and Windows 2012R2 server (Domain controller) - my Domain and Forest Functional Levels can be set to anything from Windows Server 2003 all the way up to Windows Server 2012R2.

-saige-
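
The rule described in the post above, as an added PowerShell example that is not part of the original thread: the functional-level ceiling is set by the oldest domain controller, and member servers are ignored. The function name `Get-FunctionalLevelCeiling` and both inventories are constructed for illustration and mirror the two setups in the post.

```powershell
# Functional levels discussed in the thread, ordered lowest to highest.
$Levels = 'Windows Server 2003', 'Windows Server 2008', 'Windows Server 2008 R2',
          'Windows Server 2012', 'Windows Server 2012 R2'

# Hypothetical helper: returns the highest level the domain can be raised to,
# given objects with Name and OperatingSystem for every DOMAIN CONTROLLER.
function Get-FunctionalLevelCeiling {
    param([Parameter(Mandatory)] [object[]] $DomainController)

    $indexes = foreach ($dc in $DomainController) {
        # Test the longer names first so "2012 R2" is not read as "2012".
        switch -Regex ($dc.OperatingSystem) {
            '2012 R2' { 4; break }
            '2012'    { 3; break }
            '2008 R2' { 2; break }
            '2008'    { 1; break }
            '2003'    { 0; break }
            default   { throw "Unrecognised OS on $($dc.Name): $($dc.OperatingSystem)" }
        }
    }
    # The oldest DC decides the ceiling.
    $lowest = [int]($indexes | Measure-Object -Minimum).Minimum
    $Levels[$lowest]
}

# Constructed inventory 1: a 2003 DC is still present next to a 2012 R2 DC.
$mixed = @(
    [pscustomobject]@{ Name = 'DC-OLD'; OperatingSystem = 'Windows Server 2003' }
    [pscustomobject]@{ Name = 'DC-NEW'; OperatingSystem = 'Windows Server 2012 R2 Standard' }
)

# Constructed inventory 2: the 2003 box has been demoted to a member server,
# so it no longer appears in the DC list at all.
$afterDemotion = @(
    [pscustomobject]@{ Name = 'DC-NEW'; OperatingSystem = 'Windows Server 2012 R2 Standard' }
)

Get-FunctionalLevelCeiling -DomainController $mixed          # Windows Server 2003
Get-FunctionalLevelCeiling -DomainController $afterDemotion  # Windows Server 2012 R2

# Against a live domain (assumes the ActiveDirectory module is available):
#   $dcs = Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem
#   Get-FunctionalLevelCeiling -DomainController $dcs
#   (Get-ADDomain).DomainMode; (Get-ADForest).ForestMode   # current levels
```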
You may have to decomm before raising the level with 2012, it is best practice to only ever be at the level of your lowest version...

Many changes have been made, you don't even have to run adprep anymore as it's handled by the wizard. This may well be just one of those things...
willp2

ASKER

I just rebooted everything and it looks like I'm past this now. Sorry I should have tried that first.

On to other issues with getting the migration to happen, but at least now it will let me try to dcpromo the new server.

Now getting the following on the pre-req checks:

"Verification of prerequisites for Active Directory preparation failed. Unable to perform Exchange schema conflict check for domain bigdomain.local.
Exception: Initialization failure.
Adprep could not retrieve data from the server server.bigdomain.local through Windows Management Instrumentation (WMI).
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20150618091706-test directory for possible cause of failure."

Anyone have any insight on this?

Thanks again
ASKER CERTIFIED SOLUTION
it_saige
This solution is only available to members.
Lol Saige !! - so you've had this argument before!!

I've gone back through my old notes and the issue we had with the migration from 2003 to 2012 R2 was a failed schema update and part of the Microsoft support guy's instructions was the interim /adprep and promo of the 2008 controller.

Interestingly enough this was his suggested path due to changes in 2012 R2 specifically, there are a number of pitfalls (as you've seen and mentioned) that are avoided with the 2008 step up route.

I'm assuming due to the issue we already had, he was trying to avoid any further complications.

Also worth mentioning... I spooled up a test env last night and successfully upgraded straight from 2003 to 2012 R2 with no hiccups at all...
@Guy - I may have posted information regarding adding a 2012R2 DC to an all 2003DC domain once or twice in the past.  ;)

-saige-