Raising Domain and Forest levels from 2003 to 2008R2 or 2016

We have one location.

It has a physical 2008R2 and a VM 2008R2 PDC and BDC
They are set as Domain and Forest functional levels 2003
There are no trust relationships I can see or know about (small possibility of one in past but unlikely and certainly not required)
I have two Hyper V instances of 2016 not joined to the Domain or with any roles

I have run DCdiag /c /e /v and Repadmin /showrepl on both servers, along with the AD BPA; these show no issues. We have no issues with the servers or AD, I have the latest updates, and they were freshly rebooted last night.

My plan was to upgrade the 2008R2 servers from 2003 functional levels to 2008R2, reboot, and recheck overnight. As long as this is OK I would then add the 2016 servers and look to decommission the 2008R2s once the 2016s had been promoted.

Does this all sound simple and relatively low risk? Any other checks or gotchas? This is quite a small simple environment, the only other servers have no DC functions and are 2008R2 terminal services and 2012 running SQL. DNS also looks good and is on PDC.
Durges Asked:

Mahesh, Architect, Commented:
Go ahead with your setup.
Just beware of a few things:
If you have XP machines, get rid of those machines as soon as possible before you demote the 2008 DCs.
If you have 2003 servers in the network, they will live with 2016, but try to remove those servers ASAP as you might face issues any time once only 2016 DCs are in the network.

The rest of the plan seems good, except do not hurry to demote the 2008 servers until you are sure that no dependency is left on those DC servers.
0
Durges, Author, Commented:
I am almost certain there is no XP and there are no 2003 servers at all. If I am raising the domain level only to 2008R2 now, even on the new servers, will the dependency still not be an issue? I mean, can I get rid of the 2008 servers as long as the 2016 are still on 2008 functional level?
0
Mahesh, Architect, Commented:
Finally, if you are using NTP synchronization with an external time source, you need to move your NTP configuration to the NEW 2016 PDC post migration.
https://www.experts-exchange.com/questions/28597119/Migrating-the-PDC-FSMO-role-from-Win2003-DC-to-Win2008R2-DC.html
0
Mahesh, Architect, Commented:
If you have all member servers on 2008 and above and workstations on 7 and above, I don't see any issue in removing 2008 DCs while keeping the 2008 functional level.
2008 functional levels are fully supported for 2016 DCs...
0
Durges, Author, Commented:
Right, and I cannot see any real benefit in going beyond 2008R2 functional level at the moment. I am doing that, thanks!
0
Durges, Author, Commented:
Worked, thanks!

I think it was key making sure all the checks were done and issues were resolved before starting.
0
Lee W, MVP, Technology and Business Process Advisor, Commented:
Domain functional level (DFL) and Forest Functional level (FFL) ONLY impact DCs. It doesn't matter if you have XP systems or NON-DC 2003 systems. They shouldn't have been mentioned.

IF you have 2003, Vista, or XP systems, then you should be retiring them ASAP because they are out of support (or will be VERY shortly).  Understand that when something goes out of support, it's likely Microsoft isn't thoroughly testing it against new patches and updates (security and non-security) that are released.  This means that while they are not actively trying to break things, a subsequent patch or update MAY result in older, UNSUPPORTED systems experiencing unresolvable problems.  If it works today, it might not tomorrow and there's little you can do short of paying for a VERY expensive extended support contract.  But again, this has NOTHING TO DO with Active Directory Functional Levels.

Once you raise a functional level, it can be difficult to go back (if not impossible).  The functional levels determine the oldest DC in the domain.  When you raise functional levels to 2012 R2, *ALL* DCs must be 2012 R2 or newer.  All NON-DCs can still be 2008, 2008 R2, or 2012 (non-R2).  Likewise for 2016 - all DCs must then be 2016 or later.  You DO NOT have to raise levels to introduce a 2016 DC.  (There is a minimum level, I don't recall at the moment, but I believe it's 2008).  So long as you are at the minimum, you can still add DCs with newer (and older) operating systems provided they are at least at the level of the DFL.
1
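An added example, not part of the thread or any poster's own script: a read-only PowerShell pre-flight check for the rule described in the post above, that every DC must run at least the OS matching the functional level you raise to. It assumes the ActiveDirectory module is available and a single domain like the one in the question; the `$TargetLevel` parameter and the report layout are choices made for this example.

```powershell
# Added example, not from the thread. Read-only pre-flight check: which DCs
# would block raising the domain functional level to $TargetLevel?
# Assumes the ActiveDirectory module (RSAT / AD Web Services) is available.
param(
    [ValidateSet('2008', '2008R2', '2012', '2012R2', '2016')]
    [string]$TargetLevel = '2008R2'
)
Import-Module ActiveDirectory

# Minimum DC operating system version required by each functional level.
$MinOsVersion = @{
    '2008'   = [version]'6.0'
    '2008R2' = [version]'6.1'
    '2012'   = [version]'6.2'
    '2012R2' = [version]'6.3'
    '2016'   = [version]'10.0'
}

$domain = Get-ADDomain
$forest = Get-ADForest
"Domain {0}: DomainMode={1}, ForestMode={2}" -f $domain.DNSRoot, $domain.DomainMode, $forest.ForestMode
"FSMO: PDC emulator={0}, schema master={1}" -f $domain.PDCEmulator, $forest.SchemaMaster

# OperatingSystemVersion looks like "6.1 (7601)"; keep only major.minor.
$report = Get-ADDomainController -Filter * | ForEach-Object {
    $osVersion = [version](($_.OperatingSystemVersion -split ' ')[0])
    New-Object PSObject -Property @{
        Name = $_.HostName; OS = $_.OperatingSystem; Version = $osVersion
        Blocks = ($osVersion -lt $MinOsVersion[$TargetLevel])
    }
}
$report | Sort-Object Version | Format-Table Name, OS, Version, Blocks -AutoSize

$blockers = @($report | Where-Object { $_.Blocks })
if ($blockers.Count -gt 0) {
    Write-Warning ("{0} DC(s) run an OS older than {1}; upgrade or demote them before raising the level." -f $blockers.Count, $TargetLevel)
} else {
    "All DCs meet the {0} minimum. Preview of the raise (nothing is changed):" -f $TargetLevel
    # -WhatIf only reports what would happen; remove it to perform the raise.
    Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode "Windows${TargetLevel}Domain" -WhatIf
}
```

Because a raised level is hard or impossible to roll back, as the post says, run this alongside the dcdiag and repadmin checks and keep the `-WhatIf` until every DC reports `Blocks = False`.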
Mahesh, Architect, Commented:
The XP/2003 matter was only brought into the picture as the OP is introducing 2016 DCs and he might face issues with XP / 2003 servers; in case he faces issues he would not get any support.
As a side note, when 2012 R2 DCs came out, I saw cases where XP machines were getting authentication / access issues.
0
Lee W, MVP, Technology and Business Process Advisor, Commented:
This still has NOTHING TO DO with FFL/DFL. Any issues that may be arising are just as likely (more so in my opinion) to stem from using outdated software. Repeating what I said earlier - XP and 2003 are no longer supported. This means there are no more patches being publicly issued to correct security and other issues. As a patch is issued for 2012, 2008, or any other supported operating system, UNSUPPORTED systems don't get it and there could be incompatibilities. But again, this has NOTHING TO DO with DFL/FFL.
0
Durges, Author, Commented:
Thanks very much both. Yes, I agree functional level should not affect clients, and I am thankful for the clarification on other non-DC servers. There are only Win7 apart from Win 10 clients, and 7 will be retired regardless of domain level. The servers are now 2008R2 and working; I just really wanted to get them to that level before moving to 2016. I suppose if the DC migration to 2016 OS goes well I might as well now move to 2016 functional level, as it is a small environment and will never have any older DCs added. Thanks again both.
0
Mahesh, Architect, Commented:
I have not raised any point related to DFL and FFL.
What I said is, you should not have 2003 and XP machines in a purely 2016 domain controller only environment. Where did DFL and FFL come into the picture here?
Further, the OP asked if he can keep 2016 DC servers while DFL and FFL remain at 2008.
So I answered that he can do that; again, he should not keep XP/2003 as we don't know how 2016 DCs will behave with those OSes in the coming time span. Where are DFL and FFL the issue here? Either way, it's not a point of debate here.

BTW:
A few years back I did one project only to raise functional levels to 2008 R2 for a multi-domain forest.
The scope of the engagement was to check and ensure all applications were compatible and could work well with 2008 R2 AD and DFL + FFL. We assessed their applications, although there is an article where .NET apps might face issues when you raise functional levels, as some parameters get more secure / stringent in ways we may not or cannot even notice; only MS core folks know better.
https://blogs.technet.microsoft.com/askds/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level/
Hence I never recommend raising DFL and FFL to whatever maximum is currently available unless we are trying some feature which absolutely needs maximum DFL and FFL as prerequisites.
0
Lee W, MVP, Technology and Business Process Advisor, Commented:
Mahesh,

My response to you was regarding your response here:
"just beware of few things:
if you have XP machines, get rid of those machines as soon as possible before you demote 2008 DCs
If you have 2003 servers in network, they will live with 2016 but try to remove those servers ASAP as you might face issues any time once only 2016 DCs are there in network"
Demoting 2008 DCs makes no difference - 2008 is still supported. XP and 2003 should be gone TODAY. If it still works with 2008 it may not come Wednesday morning (patches release on Tuesday). Or it may. XP and 2003 are no longer supported and any implication that raising the DFL or FFL will in some way be dependent upon having those systems is not right.

If it wasn't your intent to imply that, great, but the question asks about DCs and functional level and mentioning member servers and workstations does little more than complicate the question in my opinion.

"I never recommend to raise DFL and FFL to whatever maximum available currently unless we are trying some feature which absolutely need maximum DFL and FFL as prerequisites"

Bugs creep up all the time.  Microsoft responds to most critical bugs like that quickly (as noted in the blog post you cite).  I don't generally recommend going to the current DFL/FFL myself UNLESS there is a desire to use the technologies that they require.  You never know when you will want to replace a DC with an older (but still supported) version of Windows.
0