This assumes you’ve already done the research, and you are fairly certain your environment is ready for the functional level upgrade. You are aware of all applications and services you have in your environment and are certain the upgrade will not break their authentication. If you have services in question, they should be tested.
Raising the domain and forest functional levels to Windows Server 2003 is a nonreversible task and prohibits the addition of Windows NT 4.0–based or Windows 2000–based domain controllers to the environment. Any existing Windows NT 4.0 or Windows 2000–based domain controllers in the environment will no longer function. Before raising functional levels to take advantage of advanced Windows Server 2003 features, ensure that you will never need to install domain controllers running Windows NT 4.0 or Windows 2000 in your environment.
Note The new DFL(Domain Functional Level) and FFL(Forest Functional Level) only affects the way that the domain controllers operate together as a group.
With versions of Windows Server that are earlier than Windows Server 2008 R2, you cannot roll back or lower a functional level under any circumstances. If you have to revert to a lower functional level with a version of Windows Server that is earlier than Windows Server 2008 R2, you must rebuild the domain or forest or restore it from a backup copy.
Steps to take to raise the functional levels.
If the environment is still in Windows 2000 mode (you cannot go directly to Windows 2008 or Windows 2012) you must get to a Windows 2003 functional level first.
- Build a new domain controller or use an existing DC to take offline. Make sure you give plenty of time for replication to complete if new. I like to wait at least a couple of hours, although it shouldn’t take that long. This will be used for roll back to the existing state if its required. Force replication with “repadmin /syncall”
- It doesn’t hurt to also make a verified backup
- Upgrade the forest and domain level to Windows 2003 native
- It is suggested to leave this for a week or so to verify there are no dependencies.
Once at Window’s 2003 Mode (or if you already are at Windows 2003 Native mode or above)
- Take an inventory of all Services running on all Existing DC’s (DNS, DHCP, WINS, etc)
- Verify and document DNS configuration
- Verify and document DHCP configuration
- Confirm any other services that need to be moved off of the DC’s
- Verify time sources.
- Install a Windows 2012 R2 (its recommended at least 2 DC’s, but plan for your DC count)
- Promote these to a Domain controller
- Move all services as required. (keep in mind moving of DNS and DHCP takes some planning and coordination)
- Move all FSMO roles to the new DC’s
- Configure time source on the new PDC emulator.
- Once again make a New DC that can be taken offline. Make sure you give plenty of time for replication to complete. I like to wait at least 12 hours, although it shouldn’t take that long.
- Shut down the DC that will be used in case of rollback.
- It doesn’t hurt to also make a verified backup as well
- If you started in Windows 2000 mode, the DC’s we turned off above must be removed from the domain. In most cases you can right click and delete them in ADU&C. When ask for verification you’ll select yes, but be sure you do not check the “This is the last dc” check box.
- I have seen cases where I’ve needed to remove orphaned DC’s using ntdsutil. Here is the article on ntdsutil if needed, https://support.microsoft.com/en-us/kb/216498
- The new domain controller (the one created on the second cluster) can now be shut down so we have a roll back point to the “now” state.
- We can then raise the domain and forest functional level.
- Once that is done, we can wait at least a couple of days, if all is well, turn on the third DC again (the one created for backup (rollback DC). Let it replicate and remain as an DC or demote it back to a member server as you wish
Note: Make sure you always have virtualized domain controllers on separate host and separate cluster in case of a virtualization failure.
Note: it’s not uncommon to find a DC in there nobody remembers that we need to get rid of. (see the ntdsutil link above)
In the rare instance you’ll need to roll back, all existing DC’s will need to be turned off, and the rollback DC turned on. Additional DC’s can be rebuilt if required. This can be quit an undertaking in large environments so it should be thought and planned out ahead of time. (I’ve only had to do this once, back in the Windows 2000 days)
You’ll then need to clean up the domain (remove all DC’s now shut off, and its best to delete them if virtual, or wipe them if hardware) and ensure they do not get turned back on as DC’s.
Next fix the issue that required the rollback and start over.
As you can see, its best to do a POC in a lab environment if at all possible.
One of the most common questions I’ve had is “Can’t I just use a backup instead of taking DC’s offline”?
The Answer is “yes”. But keep in mind, (especially in smaller and mid-size environments) roll back with a DC offline is as quick as turning off all existing DC’s and turning one back on. At that point, you’re back to the forest domain state. In mid and large size environments you may need to add addition DC’s. See https://technet.microsoft.com/en-us/library/cc757662(v=ws.10).aspx
Common Mistakes: Raising DFL 2000 to 2003
I hope it helps