Elevating Domain functional level

Posted on 2016-08-16
Medium Priority
1 Endorsement
Last Modified: 2016-09-02
Hi guys,

We have an environment with two Windows 2003 servers in remote sites that talk to one another via VPN. Today I went to incorporate a new Windows 2012 R2 server in the hope that I could get rid of one of the old servers. But no, it couldn't be simple could it? The current functional level is set to Windows 2000 so I had to stop the upgrade as it couldn't go further.

If I went ahead and elevated the domain functional level to Windows 2003 are there any risks?

What steps would you take?

Thank you
Question by:Yashy

Expert Comment

ID: 41758575
Only if you have existing DCs running server 2000

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 1000 total points
ID: 41758579
It can't be simple jumping 5 versions.

Provided you have no more 2000 DCs on the network, you shouldn't have any issues upgrading the domain and forest functional levels to 2003. However, there can be a host of other issues and you may find it easier to migrate to 2008 R2 FIRST, then migrate to 2012R2. (You really should wait 11 years to upgrade your network - VERY problematic).

If you don't have experience doing this, I suggest you set up a test environment and spend a few weeks learning Active Directory and the changes 2012 requires and what to expect. If you don't have the time to waste doing that, I suggest you hire professionals to handle this for you.

Author Comment

ID: 41758584
Thanks for the feedback guys.

I actually had this passed down to me in the company. This is because the environment is for our shops. We have over 400 Windows XP tills etc which talk to these DC's.

I got the Windows 2012 R2 in order to set up AD with a Windows 2003 functional level. However, seeing as we have two DCs running Windows 2003 but on a 2000 functional level, it has become a hassle. I went ahead with DCPromo, but this ended the situation and I didn't go ahead and wanted to ask you guys first.

I know AD, however I have not tried to elevate it from something so old hence my question.

Accepted Solution

footech earned 1000 total points
ID: 41758597
Speaking of just raising the functional level from 2000 to 2003.
Just run checks to verify things are healthy first (like dcdiag, repadmin).  I've never heard of raising the level causing a problem, only potentially exposing a problem that already existed.

Expert Comment

by:Abraham O'Driscoll
ID: 41758622
Be very, very careful as this is a one way street procedure.

I would highly recommend doing it in stages, and two over the course of two months so that way you don't do a huge jump and encounter compatibility issues with applications.

2000 to 2003  (No DCs Running 2000)
2003 to 2008 R2 (No DCs Running 2003)
2008 R2 - 2012 R2 (No DCs Running 2008 R2)

Have a read of the technet article


As @LeeW suggested, please for the love that is all holy, take a copy of the environment if you can and do a simulated upgrade so you know what to watch for.

I am going to reiterate that this is a one way procedure and can go very wrong if you rush through it.

Expert Comment

by:Lee W, MVP
ID: 41758642
If you know AD, then you know raising the domain and forest functional levels from 2000 to 2003 is not generally a problem.

You should also know to run DCDIAG /C /E /V prior to performing any kind of maintenance on AD and / or adding or removing DCs.  And you should know to check DC replication with REPADMIN /SHOWREPL also before doing anything.  You should know to test this in a test environment first.  Asking a question is great... but especially a network of 400 machines (also horribly outdated), you should know these things.

If not, you don't have to admit it to us... but admit it to yourself and that it would be foolish IF YOU DON'T KNOW THESE THINGS for you to be the one proceeding.  If you DON'T know these things for the sake of your job and your company, go to your boss and TELL HIM you are not qualified to do this alone and you need professional expert help... not just in terms of being able to ask questions.

Knowing WHAT to do is just as important as knowing what NOT to do. Just because it looks like you are able to do something doesn't mean you should do it. Another thing you should know.

My opinion.
Good Luck.

Expert Comment

by:Senior IT System Engineer
ID: 41758685

Let us know how it goes.

Expert Comment

ID: 41758772
Not to disparage your knowledge of AD, but from the way you outline your question you do not seem to have a solid grasp on this technology. You mentioned the reason you are adding a 2012 DC to your environment is to get to a 2003 FL and DL. This component is not needed to get to 2003 level, but is needed for 2013 level. I feel strongly with what Lee recommends and it would be better seeking assistance rather than doing this solo. This can be a great learning experience working with an expert. You do not want to break this because you missed a step or neglected a check which server is responsible for which FSMO role.

Author Closing Comment

ID: 41781394
Hi guys,

It was very simple to do. We didn't have any Windows 2000 domain controllers in the first place.

Secondly, I checked for which DC had the FSMO roles. The one Domain Controller which is proving problematic had 1 role and that was the Schema Master role.

This is the step by step I took in order for the Domain Functional level to go from Windows 2000 to Windows 2003.

Step 1.

Do a backup of the System state of ALL DC's using the Windows Backup Utility.

Step 2.

Find out which DC has which FSMO roles by opening the command prompt on a DC and running 'NetDOM /query FSMO'. In my case, the problematic server had the Schema Master role. So, I transferred that across to the other Domain Controller with 4 roles.

Step 3.

Go to start-> Run. In there type 'regsvr32 schmmgmt.dll'. Press OK. You should receive a success confirmation.

a. From the Run command open an MMC Console by typing MMC.

b. On the Console menu, press Add/Remove Snap-in.

c. Press Add. Select Active Directory Schema.

d. Press Add and press Close. Press OK.

e. If you are NOT logged onto the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller.

f. Press Specify …. and type the name of the new role holder. Press OK.

g. Right-click the Active Directory Schema icon again and press Operation Masters.

Press the Change button.

Press OK all the way out.

Step 4.

Once this was done, I literally went to our problematic domain controller (didn't have to be this one, could have been another DC too) and raised the domain functional level by going into Active Directory Users & Computers and right clicking on the domain name and selecting 'Raise domain functional level'. I selected 2003 and that was it.

I then ensured that this had replicated across to our other sites also by checking the other DC's. It had.

Sorry it took me a while to respond, I was away on holiday. But I thought I would at least share my steps with you.
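
The health checks recommended in this thread (DCDIAG /C /E /V, REPADMIN /SHOWREPL, NetDOM /query FSMO) and the "has it replicated to the other DCs" check from the closing comment, combined into one script. This is an added example, not something posted by any participant; the DC names are placeholders, and it assumes PowerShell 2.0 or later, English-language tool output, and a domain-joined admin host with the tools installed.

```powershell
# Added example. DC names below are placeholders; replace them with your own.
$DomainControllers = @('DC1.example.local', 'DC2.example.local')

function Test-ReplicationHealth {
    # One CSV row per inbound replication link; error rows are tagged showrepl_ERROR.
    $rows = @(repadmin /showrepl * /csv | ConvertFrom-Csv)
    $bad = @($rows | Where-Object {
        ($_.showrepl_COLUMNS -eq 'showrepl_ERROR') -or ([int]$_.'Number of Failures' -gt 0)
    })
    foreach ($r in $bad) {
        $fields = $r.'Destination DSA', $r.'Source DSA', $r.'Number of Failures', $r.'Last Failure Status'
        Write-Warning ('{0} <- {1}: {2} failure(s), last status {3}' -f $fields)
    }
    return ($bad.Count -eq 0)
}

function Test-DcDiag {
    # /c comprehensive, /e every DC in the enterprise, /v verbose (as quoted in the thread).
    $failed = @(dcdiag /c /e /v | Select-String -Pattern 'failed test')
    foreach ($f in $failed) { Write-Warning $f.Line.Trim() }
    return ($failed.Count -eq 0)
}

function Get-DomainLevel([string]$Dc) {
    # RootDSE domainFunctionality: 0 = Windows 2000, 1 = 2003 interim, 2 = Windows Server 2003.
    $root = [ADSI]"LDAP://$Dc/RootDSE"
    return [int]$root.Properties['domainFunctionality'].Value
}

# Record the current FSMO role holders before changing anything.
netdom query fsmo

$replOk = Test-ReplicationHealth
$diagOk = Test-DcDiag

# Ask every DC directly, so a DC that has not replicated the change stands out.
foreach ($dc in $DomainControllers) {
    '{0}: domain functional level = {1}' -f $dc, (Get-DomainLevel $dc)
}

if ($replOk -and $diagOk) {
    'Health checks passed.'
} else {
    Write-Warning 'Resolve the problems listed above before raising the functional level.'
}
```

Run it once before the raise, alongside the system state backups from Step 1, and again afterwards: every DC should then report level 2.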

