Elevating Domain functional level

Posted on 2016-08-16
1 Endorsement
Last Modified: 2016-09-02
Hi guys,

We have an environment with two Windows 2003 servers in remote sites that talk to one another via VPN. Today I went to incorporate a new Windows 2012 R2 server in the hope that I could get rid of one of the old servers. But no, it couldn't be simple, could it? The current functional level is set to Windows 2000, so I had to stop the upgrade as it couldn't go further.

If I went ahead and elevated the domain functional level to Windows 2003, are there any risks?

What steps would you take?

Thank you
Question by:Yashy

Expert Comment

ID: 41758575
Only if you have existing DCs running server 2000
LVL 95

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 250 total points
ID: 41758579
It can't be simple jumping 5 versions.

Provided you have no more 2000 DCs on the network, you shouldn't have any issues upgrading the domain and forest functional levels to 2003. However, there can be a host of other issues and you may find it easier to migrate to 2008 R2 FIRST, then migrate to 2012 R2. (You really should wait 11 years to upgrade your network - VERY problematic).

If you don't have experience doing this, I suggest you set up a test environment and spend a few weeks learning Active Directory and the changes 2012 requires and what to expect. If you don't have the time to waste doing that, I suggest you hire professionals to handle this for you.

Author Comment

ID: 41758584
Thanks for the feedback guys.

I actually had this passed down to me in the company. This is because the environment is for our shops. We have over 400 Windows XP tills etc which talk to these DC's.

I got the Windows 2012 R2 in order to set up AD with a Windows 2003 functional level. However, seeing as we have two DCs running Windows 2003 but on a 2000 functional level, it has become a hassle. I went ahead with DCPromo, but this ended the situation and I didn't go ahead and wanted to ask you guys first.

I know AD, however I have not tried to elevate it from something so old hence my question.
LVL 39

Accepted Solution

footech earned 250 total points
ID: 41758597
Speaking of just raising the functional level from 2000 to 2003.
Just run checks to verify things are healthy first (like dcdiag, repadmin).  I've never heard of raising the level causing a problem, only potentially exposing a problem that already existed.


Expert Comment

ID: 41758622
Be very, very careful as this is a one way street procedure.

I would highly recommend doing it in stages, and two over the course of two months so that way you don't do a huge jump and encounter compatibility issues with applications.

2000 to 2003  (No DCs Running 2000)
2003 to 2008 R2 (No DCs Running 2003)
2008 R2 - 2012 R2 (No DCs Running 2008 R2)

Have a read of the technet article

As @LeeW suggested, please, for the love of all that is holy, take a copy of the environment if you can and do a simulated upgrade so you know what to watch for.

I am going to reiterate that this is a one way procedure and can go very wrong if you rush through it.
LVL 95

Expert Comment

by:Lee W, MVP
ID: 41758642
If you know AD, then you know raising the domain and forest functional levels from 2000 to 2003 is not generally a problem.

You should also know to run DCDIAG /C /E /V prior to performing any kind of maintenance on AD and / or adding or removing DCs.  And you should know to check DC replication with REPADMIN /SHOWREPL also before doing anything.  You should know to test this in a test environment first.  Asking a question is great... but especially a network of 400 machines (also horribly outdated), you should know these things.

If not, you don't have to admit it to us... but admit it to yourself and that it would be foolish IF YOU DON'T KNOW THESE THINGS for you to be the one proceeding.  If you DON'T know these things for the sake of your job and your company, go to your boss and TELL HIM you are not qualified to do this alone and you need professional expert help... not just in terms of being able to ask questions.

Knowing WHAT to do is just as important in knowing what NOT to do.  Just because it looks like you are able to do something doesn't mean you should do it.  Another thing you should know.

My opinion.
Good Luck.

Expert Comment

by:Senior IT System Engineer
ID: 41758685

let us know how it goes.
LVL 22

Expert Comment

ID: 41758772
Not to disparage your knowledge of AD, but from the way you outline your question you do not seem to have a solid grasp on this technology. You mentioned the reason you are adding a 2012 DC to your environment is to get to a 2003 FL and DL. This component is not needed to get to 2003 level, but is needed for 2013 level. I feel strongly with what Lee recommends and it would be better seeking assistance rather than doing this solo. This can be a great learning experience working with an expert. You do not want to break this because you missed a step or neglected a check which server is responsible for which FSMO role.

Author Closing Comment

ID: 41781394
Hi guys,

It was very simple to do. We didn't have any Windows 2000 domain controllers in the first place.

Secondly, I checked for which DC had the FSMO roles. The one Domain Controller which is proving problematic had 1 role and that was the Schema Master role.

This is the step by step I took in order for the Domain Functional level to go from Windows 2000 to Windows 2003.

Step 1.

Do a backup of the System state of ALL DC's using the Windows Backup Utility.

Step 2.

Find out which DC has which FSMO roles by opening the command prompt on a DC and running 'NetDOM /query FSMO'. In my case, the problematic server had the Schema Master role. So, I transferred that across to the other Domain Controller with 4 roles.

Step 3.

Go to start-> Run. In there type 'regsvr32 schmmgmt.dll'. Press OK. You should receive a success confirmation.

a. From the Run command open an MMC Console by typing MMC.

b. On the Console menu, press Add/Remove Snap-in.

c. Press Add. Select Active Directory Schema.

d. Press Add and press Close. Press OK.

e. If you are NOT logged onto the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller.

f. Press Specify …. and type the name of the new role holder. Press OK.

g. Right-click the Active Directory Schema icon again and press Operation Masters.

Press the Change button.

Press OK all the way out.

Step 4.

Once this was done, I literally went to our problematic domain controller (didn't have to be this one, could have been another DC too) and raised the domain functional level by going into Active Directory Users & Computers and right clicking on the domain name and selecting 'Raise domain functional level'. I selected 2003 and that was it.

I then ensured that this had replicated across to our other sites also by checking the other DC's. It had.

Sorry it took me a while to respond, I was away on holiday. But I thought I would at least share my steps with you.
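
The pre-checks recommended in the answers above (dcdiag, repadmin, FSMO role holders, no Windows 2000 DCs), gathered into one read-only script as an added example; it is not part of any poster's reply. It assumes PowerShell on a domain-joined machine with `repadmin`, `dcdiag` and `netdom` installed, and the output file name is an arbitrary choice.

```powershell
# Added example: read-only pre-flight checks before raising the domain functional level.
# Assumes a domain-joined machine with repadmin, dcdiag and netdom on the PATH.

# 1. Current domain functional level: msDS-Behavior-Version on the domain head
#    (0 = Windows 2000, 2 = Windows Server 2003).
$domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$domain   = [ADSI]"LDAP://$domainDn"
$level    = [int]$domain.Properties['msDS-Behavior-Version'].Value
"Domain: $domainDn  functional level value: $level"

# 2. Every DC (SERVER_TRUST_ACCOUNT bit 0x2000 in userAccountControl) and its OS.
#    Any Windows 2000 DC blocks the raise to 2003.
$searcher = [adsisearcher]'(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$searcher.SearchRoot = $domain
$searcher.PageSize   = 500
$dcs = @($searcher.FindAll() | ForEach-Object {
    New-Object psobject -Property @{
        Name = [string]$_.Properties['dnshostname'][0]
        OS   = [string]$_.Properties['operatingsystem'][0]
    }
})
$dcs | Format-Table Name, OS -AutoSize | Out-String
$legacy = @($dcs | Where-Object { $_.OS -like 'Windows 2000*' })

# 3. Replication: one CSV row per inbound partner. Rows that are not
#    showrepl_INFO (DC unreachable) or that report failures are problems.
$repl   = repadmin /showrepl '*' /csv | ConvertFrom-Csv
$failed = @($repl | Where-Object {
    $_.showrepl_COLUMNS -ne 'showrepl_INFO' -or $_.'Number of Failures' -ne '0'
})
$failed | Format-Table 'Destination DSA', 'Source DSA', 'Number of Failures', 'Last Failure Status' -AutoSize | Out-String

# 4. Record the FSMO role holders and keep the full dcdiag run for review.
netdom query fsmo
dcdiag /c /e /v | Out-File -FilePath .\dcdiag-preflight.txt   # file name is an arbitrary choice

# Summary: proceed only when both lists are empty and dcdiag shows no failed tests.
if ($legacy.Count -gt 0 -or $failed.Count -gt 0) {
    Write-Warning "Do not raise yet: $($legacy.Count) Windows 2000 DC(s), $($failed.Count) replication problem row(s)."
} else {
    "No Windows 2000 DCs and no replication failures reported; review dcdiag-preflight.txt before raising."
}
```

Running the same script again after the raise shows whether the new level value has replicated and whether any replication failures appeared afterwards.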

