Yashy asked:

Elevating Domain functional level

hi guys

We have an environment with two Windows 2003 servers in remote sites that talk to one another via VPN. Today I went to incorporate a new Windows 2012 R2 server in the hope that I could get rid of one of the old servers. But no, it couldn't be simple could it? The current functional level is set to Windows 2000 so I had to stop the upgrade as it couldn't go further.

If I went ahead and elevated the domain functional level to Windows 2003 are there any risks?

What steps would you take?

Thank you
Yashy
Stuart

Only if you have existing DCs running server 2000
SOLUTION
Lee W, MVP

This solution is only available to members.
Yashy

ASKER

Thanks for the feedback guys.

I actually had this passed down to me in the company. This is because the environment is for our shops. We have over 400 Windows XP tills etc which talk to these DC's.

I got the Windows 2012 R2 in order to set up AD with a Windows 2003 functional level. However, seeing as we have two DCs running Windows 2003 but on a 2000 functional level, it has become a hassle. I went ahead with DCPromo, but this ended the situation and I didn't go ahead and wanted to ask you guys first.

I know AD, however I have not tried to elevate it from something so old hence my question.
ASKER CERTIFIED SOLUTION
This solution is only available to members.

Be very, very careful as this is a one way street procedure.

I would highly recommend doing it in stages, and two over the course of two months so that way you don't do a huge jump and encounter compatibility issues with applications.

2000 to 2003  (No DCs Running 2000)
2003 to 2008 R2 (No DCs Running 2003)
2008 R2 - 2012 R2 (No DCs Running 2008 R2)

Have a read of the technet article

https://technet.microsoft.com/en-us/library/cc771949(v=ws.10).aspx 
https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx

As @LeeW Suggested please for the love that is all holy, take a copy of the environment if you can and do a simulated upgrade so you know what to watch for.  

I am going to reiterate that this is a one way procedure and can go very wrong if you rush through it.
If you know AD, then you know raising the domain and forest functional levels from 2000 to 2003 is not generally a problem.

You should also know to run DCDIAG /C /E /V prior to performing any kind of maintenance on AD and / or adding or removing DCs.  And you should know to check DC replication with REPADMIN /SHOWREPL also before doing anything.  You should know to test this in a test environment first.  Asking a question is great... but especially a network of 400 machines (also horribly outdated), you should know these things.

If not, you don't have to admit it to us... but admit it to yourself and that it would be foolish IF YOU DON'T KNOW THESE THINGS for you to be the one proceeding.  If you DON'T know these things for the sake of your job and your company, go to your boss and TELL HIM you are not qualified to do this alone and you need professional expert help... not just in terms of being able to ask questions.

Knowing WHAT to do is just as important as knowing what NOT to do.  Just because it looks like you are able to do something doesn't mean you should do it.  Another thing you should know.

My opinion.
Good Luck.
Yashy,

let us know how it goes.
Not to disparage your knowledge of AD, but from the way you outline your question you do not seem to have a solid grasp on this technology. You mentioned the reason you are adding a 2012 DC to your environment is to get to a 2003 FL and DL.  This component is not needed to get to 2003 level, but is needed for 2013 level. I feel strongly with what Lee recommends and it would be better seeking assistance rather than doing this solo. This can be a great learning experience working with an expert.  You do not want to break this because you missed a step or neglected to check which server is responsible for which FSMO role.
Yashy

ASKER

Hi guys,

It was very simple to do. We didn't have any Windows 2000 domain controllers in the first place.

Secondly, I checked for which DC had the FSMO roles. The one Domain Controller which is proving problematic had 1 role and that was the Schema Master role.

This is the step by step I took in order for the Domain Functional level to go from Windows 2000 to Windows 2003.

Step 1.

Do a backup of the System state of ALL DC's using the Windows Backup Utility.

Step 2.

Find out which DC has which FSMO roles by opening the command prompt on a DC and running 'netdom query fsmo'. In my case, the problematic server had the Schema Master role. So, I transferred that across to the other Domain Controller with 4 roles.

Step 3.

Go to start-> Run. In there type 'regsvr32 schmmgmt.dll'. Press OK. You should receive a success confirmation.

a. From the Run command open an MMC Console by typing MMC.

b. On the Console menu, press Add/Remove Snap-in.

c. Press Add. Select Active Directory Schema.

d. Press Add and press Close. Press OK.

e. If you are NOT logged onto the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller.

f. Press Specify …. and type the name of the new role holder. Press OK.

g. Right-click the Active Directory Schema icon again and press Operation Masters.

Press the Change button.

Press OK all the way out.

Step 4.

Once this was done, I literally went to our problematic domain controller (didn't have to be this one, could have been another DC too) and raised the domain functional level by going into Active Directory Users & Computers and right clicking on the domain name and selecting 'Raise domain functional level'. I selected 2003 and that was it.

I then ensured that this had replicated across to our other sites also by checking the other DC's. It had.


Sorry it took me a while to respond, I was away on holiday. But I thought I would at least share my steps with you.


Thanks
Yash
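
Added example, not part of the original thread: the REPADMIN /SHOWREPL check recommended in the replies and the replication confirmation in step 4, written as a PowerShell gate over the CSV form of that output. The CSV rows, the DC, site and domain names, the function name and the 24-hour freshness threshold are constructed assumptions.

```powershell
# Added example, not from the thread. The rows below are constructed sample data in the
# column layout of "repadmin /showrepl * /csv"; DC, site and domain names are placeholders.
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,SiteA,DC1,"DC=shops,DC=example",SiteB,DC2,RPC,0,0,2015-06-01 09:15:02,0
showrepl_INFO,SiteB,DC2,"DC=shops,DC=example",SiteA,DC1,RPC,3,2015-06-01 09:00:41,2015-05-29 22:14:10,1722
'@

function Get-ReplicationProblem {
    param(
        [string[]]$CsvLine,
        [int]$MaxAgeHours = 24,          # assumed freshness threshold
        [datetime]$Now = (Get-Date)
    )
    foreach ($row in ($CsvLine | ConvertFrom-Csv)) {
        $reason = $null
        $last   = [datetime]::MinValue
        if ($row.showrepl_COLUMNS -ne 'showrepl_INFO') {
            # Any row not tagged INFO means repadmin could not report normally on that DC.
            $reason = 'repadmin returned a non-INFO row'
        } elseif ([int]$row.'Number of Failures' -gt 0) {
            $reason = "failing, last status $($row.'Last Failure Status')"
        } elseif (-not [datetime]::TryParse($row.'Last Success Time', [ref]$last)) {
            $reason = 'no successful replication recorded'
        } elseif (($Now - $last).TotalHours -gt $MaxAgeHours) {
            $reason = "last success older than $MaxAgeHours hours"
        }
        if ($reason) {
            $row | Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                @{ Name = 'Reason'; Expression = { $reason } }
        }
    }
}

# Live use on a DC or admin workstation: $lines = repadmin /showrepl * /csv
$lines    = $sampleCsv -split "`r?`n"
$problems = @(Get-ReplicationProblem -CsvLine $lines -Now ([datetime]'2015-06-01 10:00:00'))

if ($problems.Count -gt 0) {
    $problems | Format-Table -AutoSize
    Write-Warning 'Replication is not clean; fix it before raising the functional level.'
} else {
    Write-Output 'All replication links healthy.'
}
```

With the constructed rows, the DC2 inbound link from DC1 is reported because it has three consecutive failures; run against live output, an empty result after the raise corresponds to the replication check in step 4.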