Considerations before you raise the Forest & Domain Functional Level

In recent months I have come across several customers who had already upgraded their domain controllers but left the domain & forest functional level at Windows Server 2003. Their concern was what would happen if they changed the domain and forest functional level, and whether something would stop working.

Raising the functional level is a straightforward and very well documented operation, so I will not cover the steps in this article.

Below are some considerations to think about before you raise your forest & domain level, and links to help you. I highly recommend you read the excellent article written in 2011 by Ned Pyle [MSFT]: What is the Impact of Upgrading the Domain or Forest Functional Level? Most of your questions will be answered by that article.

Below are some questions that customers have asked me, with answers:

What impact will this have on my applications?

  • I like to start by creating an Excel spreadsheet listing every business application that connects over LDAP, and checking with each vendor whether the application is compatible with the domain level I want to raise to, like the table below:

Application | Checked with the vendor                                               | Support contract
APP1        | Supports the domain & forest functional levels 2008 R2, 2012, 2012 R2 | Yes
APP2        |                                                                       |

Is there anything I need to worry about?

  • Make sure that you have run a health check audit and that your domain is in good shape.
  • New domain controllers must run the same or a later OS than the functional level of the forest or domain.

Once the domain functional level is raised, it is no longer possible to promote servers running earlier versions of the OS. For example, if you raise the domain functional level to Windows Server 2012, you will not be able to promote a server running Windows Server 2008 to a domain controller.

  • If your domain & forest functional level is Windows Server 2003, there is no rollback. Be sure that you have a forest recovery plan (you do have one, right… right…) and a recent backup of the DC system state.
  • Notes from the Microsoft support team:

The answer to the question about the impact of changing the Domain or Forest Functional Level is there should be no impact. If you still have concerns about any third party applications, then you should contact the vendor to find out if they tested the product at the proposed Level, and if so, with what result. The general expectation, however, should be that nothing will change. Besides, you do test your applications against proposed changes to your production AD. Discuss any issues with the vendor before engaging Microsoft Support.

https://blogs.technet.microsoft.com/askds/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level/
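As an added example (this is not code from the original article), the following PowerShell inventory covers the two checks above: it reports the current domain and forest level for every domain in the forest and lists any domain controller whose OS is older than the level you intend to raise to, since such a DC would block the raise. It assumes the ActiveDirectory RSAT module and an account that can read the forest; the $Target parameter and the function names are this example's own.

```powershell
Import-Module ActiveDirectory

# Functional levels in order; the array index is used as a rank for comparisons.
# 2016 is newer than the article covers and is listed only so such DCs are not flagged.
$Levels = @('2003', '2008', '2008R2', '2012', '2012R2', '2016')

function Get-LevelRank {
    # Extracts a level token from an OS name ("Windows Server 2008 R2 Standard")
    # or a mode name ("Windows2008R2Domain"); returns -1 when it cannot be parsed.
    param([string]$Text)
    if ($Text -match '20(03|08|12|16)( ?R2)?') {
        return [array]::IndexOf($Levels, ($Matches[0] -replace ' ', ''))
    }
    return -1
}

function Test-RaiseReadiness {
    # $Target is this example's own parameter: the level you intend to raise to.
    param([string]$Target = '2012R2')
    $forest     = Get-ADForest
    $targetRank = Get-LevelRank $Target
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        # Any DC older than the target level (or with an unparsable OS) blocks the raise.
        $blocking = @($dcs | Where-Object { (Get-LevelRank $_.OperatingSystem) -lt $targetRank })
        [pscustomobject]@{
            Domain         = $domainName
            DomainLevel    = $domain.DomainMode
            ForestLevel    = $forest.ForestMode
            DCCount        = $dcs.Count
            BlockingDCs    = ($blocking | ForEach-Object { "$($_.HostName) [$($_.OperatingSystem)]" }) -join '; '
            ReadyForTarget = ($blocking.Count -eq 0)
        }
    }
}

# Run before the change window; every row should show ReadyForTarget = True.
Test-RaiseReadiness -Target '2012R2' | Format-Table -AutoSize
```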

Doing the work: what is the recommended time to carry it out? Weekend or weekday? After work hours?

When the domain & forest level is Windows Server 2003, I like to divide the raise into two phases and start on a Friday after work hours, to be sure we have enough time to troubleshoot and, as a last resort, apply the forest recovery or roll back where possible.

  • First weekend: Windows Server 2003 to Windows Server 2008 R2; hold for a week and test everything.
  • Following weekend: Windows Server 2008 R2 to Windows Server 2012 R2.
  • You will need to test all the apps after each level raise.

Known issues when raising to 2008 R2:

What is the rollback?

The lowest level that can be rolled back to is Windows Server 2008. It is only possible using PowerShell, and only if you have not enabled any of the features that require the current level. The link below explains the process, which is done with PowerShell, and there is another link from Microsoft.

The rollback is valid from the 2008 R2 domain and forest level and up, down to the 2008 domain and forest level. If your domain is running at the 2003 domain and forest functional level, there is no rollback to the Windows Server 2003 domain and forest functional level.

Summary:

  • 2003 to 2008 R2 – no rollback to the 2003 domain level & forest level

You cannot roll back or lower the functional level under any circumstances. If you have to revert to the 2003 functional level, it will be necessary to rebuild the domain or forest or restore it from a backup copy. (https://technet.microsoft.com/en-ie/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396)

  • 2008 to 2008 R2 – rollback possible as long as you have not enabled the new features that become available
  • 2008 R2 to 2012 – rollback possible as long as you have not enabled the new features that become available
  • 2012 to 2012 R2 – rollback possible as long as you have not enabled the new features that become available
  • After you set the domain functional level to a certain value in Windows Server 2008 R2, you cannot roll back or lower the domain functional level, with one exception: when you raise the domain functional level to Windows Server 2008 R2 and if the forest functional level is Windows Server 2008 or lower, you have the option of rolling the domain functional level back to Windows Server 2008. You can lower the domain functional level only from Windows Server 2008 R2 to Windows Server 2008. If the domain functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server 2003.
  • After you set the forest functional level to a certain value in Windows Server 2008 R2, you cannot roll back or lower the forest functional level, with one exception: when you raise the forest functional level to Windows Server 2008 R2 and if the Active Directory Recycle Bin is not enabled, you have the option of rolling the forest functional level back to Windows Server 2008. For more information about the Active Directory Recycle Bin, see What’s New in AD DS: Active Directory Recycle Bin (http://go.microsoft.com/fwlink/?LinkId=141392). You can lower the forest functional level only from Windows Server 2008 R2 to Windows Server 2008. If the forest functional level is set to Windows Server 2008 R2, it cannot be rolled back to Windows Server 2003, for example.
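The two rules quoted above (forest first, and only while the Active Directory Recycle Bin has never been enabled) can be enforced before the PowerShell rollback is attempted. This is an added example, not the article's or Microsoft's code: it assumes the ActiveDirectory module and Enterprise Admins rights, and the -Commit switch is this example's own convention (without it every change runs with -WhatIf).

```powershell
Import-Module ActiveDirectory

function Invoke-FunctionalLevelRollback {
    # Lowers the forest (if at 2008 R2) and then one domain from 2008 R2 to 2008.
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,   # domain to lower after the forest
        [switch]$Commit                             # hypothetical switch: dry run unless set
    )
    $forest = Get-ADForest
    $dryRun = -not $Commit

    # Step 1: forest level. 2008 R2 -> 2008 is allowed only when the Recycle Bin
    # was never enabled, because that feature requires the 2008 R2 forest level.
    if ($forest.ForestMode -eq 'Windows2008R2Forest') {
        $rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
        if ($rb.EnabledScopes.Count -gt 0) {
            throw "Recycle Bin is enabled in: $($rb.EnabledScopes -join ', '). Forest level cannot be lowered."
        }
        Set-ADForestMode -Identity $forest.Name -ForestMode Windows2008Forest -WhatIf:$dryRun -Confirm:$false
    }
    elseif ($forest.ForestMode -in 'Windows2012Forest', 'Windows2012R2Forest') {
        throw "Forest is at $($forest.ForestMode); this example only covers 2008 R2 -> 2008."
    }
    # A forest already at 2008 or lower needs no change for the domain rollback.

    # Step 2: domain level, which may be lowered only once the forest is at 2008 or lower.
    $dm = Get-ADDomain -Identity $Domain
    if ($dm.DomainMode -ne 'Windows2008R2Domain') {
        throw "Domain $Domain is at $($dm.DomainMode); only 2008 R2 -> 2008 is possible."
    }
    Set-ADDomainMode -Identity $Domain -DomainMode Windows2008Domain -WhatIf:$dryRun -Confirm:$false
}

# Dry run first; add -Commit only after the system state backups mentioned above are verified.
Invoke-FunctionalLevelRollback
```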

Understanding Active Directory Domain Services (AD DS) Functional Levels Link

Current domain functional level | Current forest functional level | Rollback options
Windows Server 2012 R2          | Windows Server 2012 R2          | None unless you first lower the forest functional level
Windows Server 2012 R2          | Windows Server 2012             | Windows Server 2012
Windows Server 2012 R2          | Windows Server 2008 R2          | Windows Server 2012 or Windows Server 2008 R2
Windows Server 2012 R2          | Windows Server 2008             | Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008
Windows Server 2012             | Windows Server 2012             | None unless you first lower the forest functional level
Windows Server 2012             | Windows Server 2008 R2          | Windows Server 2008 R2
Windows Server 2012             | Windows Server 2008             | Windows Server 2008 R2 or Windows Server 2008
Windows Server 2008 R2          | Windows Server 2008 R2          | None unless you first lower the forest functional level
Windows Server 2008 R2          | Windows Server 2008             | Windows Server 2008
Windows Server 2008 or lower    | Windows Server 2008 or lower    | None


Active Directory features by Domain or Forest Functional Level:

Below are some of the features; the full list can be found at the following link.

Domain Level Windows Server 2008:

  • Features and benefits include all default Active Directory features, all features from the Windows Server 2003 domain functional level, plus:
  • Read-Only Domain Controllers – allow domain controllers that host only a read-only copy of the NTDS database.
  • Advanced Encryption Standard (AES 128 and 256) support for the Kerberos protocol.
  • Distributed File System Replication (DFSR) – allows SYSVOL to replicate using DFSR instead of the older File Replication Service (FRS). It provides more robust and detailed replication of SYSVOL contents.

Domain Level Windows Server 2008 R2

  • All default Active Directory features, all features from the Windows Server 2008 domain functional level, plus 2 new features.

Domain Level Windows Server 2012:

  • The "KDC support for claims, compound authentication, and Kerberos armoring" KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require this domain functional level.

Domain Level Windows Server 2012 R2:

  • DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:
    • Authenticate with NTLM authentication
    • Use DES or RC4 cipher suites in Kerberos pre-authentication
    • Be delegated with unconstrained or constrained delegation
    • Renew user tickets (TGTs) beyond the initial 4-hour lifetime

Forest Level Windows Server 2008

  • Features and benefits include all of the features that are available at the Windows Server 2003 forest functional level, but no additional features. All domains that are subsequently added to the forest will operate at the Windows Server 2008 domain functional level by default.

Forest Level Windows Server 2008 R2

All of the features that are available at the Windows Server 2003 forest functional level, plus the following features:

  • Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running.
  • All domains that are subsequently added to the forest will operate at the Windows Server 2008 R2 domain functional level by default.

Forest Level Windows Server 2012:

  • All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.
  • All domains that are subsequently added to the forest will operate at the Windows Server 2012 domain functional level by default.

Forest Level Windows Server 2012 R2:

  • All of the features that are available at the Windows Server 2012 forest functional level, but no additional features.
  • All domains that are subsequently added to the forest will operate at the Windows Server 2012 R2 domain functional level by default.
