Upgrading the Domain/Forest functionality level caveats and tips ?

Hi All,

I'm about to perform a Domain and Forest Functionality level upgrade from Windows Server 2003 to Windows Server 2012 R2 if possible, but I wonder what the caveats and pitfalls are?

Note:

Single domain AD forest
4x Exchange Server 2010 SP3 OnPremise soon to be migrated to Office 365 in a few months.
2x Windows Server 2012 R2 Domain Controllers FSMO role holder (PDC, RID & Infrastructure master)
6x  Windows Server 2008 R2 Domain Controllers (Schema & Domain naming master)

I reckon that there is no roll back plan because this process cannot be rolled back.
Senior IT System EngineerIT ProfessionalAsked:

Senior IT System EngineerIT ProfessionalAuthor Commented:
Do I need to reboot the Exchange Server or just restart some services which can cause email flow outage ?
0
Mahmoud SabryCommented:
To migrate the forest functional level to Windows Server 2012 R2, you must first demote all Windows 2008, 2003 domain controllers from the forest, then you will be able to raise the forest functional level to Windows Server 2012 R2.

Just take into consideration that you point all clients'/servers' DNS settings in the domain to the new Windows 2012 DNS/DCs.

For test purposes, after you change all the DNS settings for all machines to the new DNS servers, and before you demote the 2003 & 2008 domain controllers, you can shut down these servers temporarily for some hours and check if you face any problems.
0
Senior IT System EngineerIT ProfessionalAuthor Commented:
Ah I see, so I will go to 2008 R2 in this case because I still have some Windows 2008 R2 servers as domain controllers.
0

arnoldCommented:
Yes, that is the most important caveat, the forest/domain functional level can be as high as the version of an existing DC.


Rollback is difficult/time consuming but not impossible. Backup of AD data/sysvol.

Have you already transitioned the sysvol from NTFRS to DFS-R?

https://technet.microsoft.com/en-us/library/Dd640019%28v=WS.10%29.aspx
0
Senior IT System EngineerIT ProfessionalAuthor Commented:
No, I haven't transferred it because I do not know why I must use DFS?

Is there any requirement ?
0
arnoldCommented:
NTFRS is an older technology and is constrained. If you use software deployment, NTFRS is more susceptible to getting out of whack, leading to data replication issues.
Not sure how long NTFRS will be supported (requires the install of the Windows 2003 fileserver services).
Since your lowest OS is 2008, the possibility is highly probable that when you go through your upgrade cycle next, the sysvol replication will be the furthest from your mind when you discover that the newly deployed DC does not have sysvol nor the netlogon share.

AD sysvol and netlogon are actually dfs shares (\\addomain\sysvol and \\addomain\netlogon) where the targets are the Domain controllers.
0
Senior IT System EngineerIT ProfessionalAuthor Commented:
Hi Arnold and Mahmoud,

I have already turned off the old Windows Server 2003 machine & VMs in my single AD domain forest.
So before I perform the simple right-click functional level upgrade, I'm just wondering why do I need to migrate the NTFRS?

1. Open Active Directory Domains and Trusts from the Administrative Tools folder.

2. In the console pane of the Active Directory Domains and Trusts window, right-click the name of the domain for which you are migrating the SYSVOL folder, and then click Raise Domain Functional Level.

3. In the Raise domain functional level dialogue box, in the Select an available domain functional level list, click Windows Server 2008, and then click Raise.

3. In the warning message that mentions that raising the domain functional level affects the entire domain and cannot be reversed, click OK.

4. In the confirmation message that indicates that raising the domain functional level succeeded, click OK.

Why in step #2 above is it required to migrate the SYSVOL to somewhere else?
0
arnoldCommented:
you do not have to as part of raising forest/domain level given windows 2012 still has support for ntfrs replication of sysvol.
I would recommend performing the migration sooner rather than later to avoid complications down the line.

https://msdn.microsoft.com/en-us/library/windows/desktop/ff384840%28v=vs.85%29.aspx
1
Senior IT System EngineerIT ProfessionalAuthor Commented:
Ah I see, so I guess, I can just  follow the 4 steps I described above to upgrade the domain/forest level during the business hours.

Source: https://technet.microsoft.com/en-us/library/cc730985.aspx

After that I will need to restart the Kerberos Key Distribution Center service in all Domain Controllers one by one.

is that correct ?
0
arnoldCommented:
keep that in mind, or you can as outlined restart the KDC upon completing the raise.
1
Senior IT System EngineerIT ProfessionalAuthor Commented:
ok, now as for executing the Domain/Forest Functional level raise, where should I execute it from:

From the Windows Server 2008 R2 DC or from the Windows Server 2012 R2 DC, going to Windows Server 2008 R2 straight away, jumping from Windows 2003?
0
arnoldCommented:
You should run it on the Master dc.
0
Senior IT System EngineerIT ProfessionalAuthor Commented:
Do you mean for my Infrastructure Master role holder DC ?

To raise both the Forest and Domain level to 2008 R2 straight away?
0
Will SzymkowskiSenior Solution ArchitectCommented:
Raise the domain first from the DC holding the PDC/RID/InfrastructureMaster then raise the Forest next from the DC holding the Schema master role.

Ensure that replication is good using the following commands...
repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads
DCDiag /v

Another thing to note as well: because you have Exchange in your environment, you should also check out the Exchange supportability matrix.

Exchange 2010 requires SP3 and RU5 (or higher) to be installed on all of the Exchange servers before you raise the domain/forest. If you have not done so already then you need to install RU5 or above first.

See the supportability matrix below.
https://technet.microsoft.com/library/ff728623(v=exchg.150).aspx

Will.
1

Senior IT System EngineerIT ProfessionalAuthor Commented:
Will,

Many thanks for the update, however, I'm quite surprised that you mentioned about updating Rollup Update on Exchange Server 2010 SP3.

yes, I have On-Premise Exchange Server 2010 that I have just upgraded to SP3 few months ago, our current DFL/FFL is still on Windows Server 2003 and it is working without any issue ?

I have no plan to implement Exchange Server 2010 SP3 Update Rollup 10 (KB3049853) because everything is still working fine with no issue.

Is it really necessary to apply SP3 Update Rollup 10 (KB3049853) as above just before raising the DFL/FFL to Windows Server 2008 R2?
0
Will SzymkowskiSenior Solution ArchitectCommented:
"I have no plan to implement Exchange Server 2010 SP3 Update Rollup 10 (KB3049853) because everything is still working fine with no issue."

I stated:

Will: Exchange 2010 requires SP3 and RU5 (or higher) to be installed on all of the Exchange servers before you raise the domain/forest.

Look at the link I provided for Forest/Domain functional level requirements. You need to be at least on RU5 (not 10) for your Exchange servers.

If you want things to work smoothly and be compliant, then install RU5 or higher.

Will.
1
SteveCommented:
Will's right. If you raise domain/forest levels without the appropriate updates on the exchange you are risking issues. If Microsoft say those updates are required you should plan to install them before making changes.

Raise the domain first from the DC holding the PDC/RID/InfrastructureMaster then raise the Forest next from the DC holding the Schema master role.
minor note: allow time for replication between each step to ensure changes have been passed around all DCs before making further changes.
1
Senior IT System EngineerIT ProfessionalAuthor Commented:
Ah yes, I see:

So during the waiting time, what and how should I check so I know when to proceed the next steps ?
0
SteveCommented:
Will's advice is spot on for this.

ensure that replication is good using the following commands...
 repadmin /replsum
 repadmin /showrepl
 repadmin /bridgeheads
 DCDiag /v

Plus you can open AD on various DCs to make sure they all report the same domain/forest levels etc.
0
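
The checks recommended in the answers above (FSMO holders, oldest DC operating system, replication health, and every DC reporting the same domain/forest level) can be collected in one read-only pass. This is an added PowerShell example, not part of the original thread; it assumes a single-domain forest as described in the question, the ActiveDirectory module on a Windows Server 2012 or later management host, and AD Web Services reachable on every DC.

```powershell
# Added example (not from the thread): read-only pre-flight and convergence check.
# Assumes a single-domain forest and the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Current levels and the role holders the thread says to run each raise from.
[pscustomobject]@{
    DomainMode   = $domain.DomainMode
    ForestMode   = $forest.ForestMode
    PDCEmulator  = $domain.PDCEmulator
    SchemaMaster = $forest.SchemaMaster
} | Format-List

# 2. The functional level can be no higher than the oldest DC operating system.
$dcs = Get-ADDomainController -Filter *
$dcs | Sort-Object HostName |
    Format-Table HostName, Site, OperatingSystem, OperatingSystemVersion -AutoSize

# 3. Replication health: any failure listed here should be fixed before raising.
$failures = Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain
if ($failures) {
    $failures | Format-Table Server, Partner, FailureCount, LastError -AutoSize
} else { 'No replication failures reported.' }

# 4. Convergence: ask each DC directly which levels it holds.
#    msDS-Behavior-Version on the domain head is the domain level; on
#    CN=Partitions it is the forest level (2 = 2003, 4 = 2008 R2, 6 = 2012 R2).
$partitions = "CN=Partitions,$((Get-ADRootDSE).configurationNamingContext)"
$attr = 'msDS-Behavior-Version'
$report = foreach ($dc in $dcs) {
    try {
        $d = Get-ADObject -Identity $domain.DistinguishedName -Server $dc.HostName -Properties $attr -ErrorAction Stop
        $f = Get-ADObject -Identity $partitions -Server $dc.HostName -Properties $attr -ErrorAction Stop
        [pscustomobject]@{ DC = $dc.HostName; DomainLevel = $d.$attr; ForestLevel = $f.$attr }
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; DomainLevel = 'unreachable'; ForestLevel = 'unreachable' }
    }
}
$report | Format-Table -AutoSize

$distinct = @($report | Select-Object DomainLevel, ForestLevel -Unique)
if ($distinct.Count -eq 1 -and $distinct[0].DomainLevel -ne 'unreachable') {
    'All DCs agree on the functional levels.'
} else { 'DCs disagree or are unreachable: wait for replication and re-run.' }
```

Run it once before the domain raise, again before the forest raise, and once more afterwards; proceed only when step 3 is clean and step 4 reports agreement.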
Senior IT System EngineerIT ProfessionalAuthor Commented:
Thanks !
0

Question has a verified solution.
