IADDSWSE - Implementing AD Domain Services on a Windows Server Environment

5.2 Raise the forest Functional Level to Windows Server 2003 – domain Windows Server 2008 R2

[00:03] In the previous episode, we explored why the domain functional level (FL) needs to be raised to Windows Server 2003. Now we do the same with the forest, and that FL is also Windows Server 2003.


[00:06] The domain FL defines the minimum Windows Server version that the DCs in that domain can run.

The forest FL defines the lowest domain FL that the domains in the forest must have.

Each domain and forest FL also has its own features suited to its scope and design: https://activedirectoryfaq.com/2015/03/domain-and-forest-functional-levels-overview/

[00:13] One feature that needs the Windows Server 2003 forest functional level, for example, is the Read-Only Domain Controller (RODC).


https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771030(v=ws.10)

Simply put, an RODC is a Domain Controller that is "read-only".

The main reason for using an RODC is security, while it also provides domain resiliency at remote offices.

If the remote office that hosts this DC has poor physical security, or it serves only a small number of non-IT-minded staff, there is no good reason to have a fully writable domain controller at that site.

[00:22] Take a moment to consider that a Domain Controller holds all of your company's user accounts, including administrative accounts; if they are compromised, it would be a massive security risk/data breach for your network.


More info about RODC: http://windocuments.net/Rodc.html

[00:29] To deploy an RODC, we first create a Read-only Domain Controller account for that server, but it fails because our current forest FL is Windows 2000; we need to raise it to 2003 or higher.


You must pay attention when raising the forest FL, because once it is raised, new domains whose FLs are lower than the forest FL cannot be joined.

It is also an irreversible action.

[01:30] Okay, now that the forest functional level has been raised to Windows Server 2003, we can create an RODC account or use more features.


[01:49] We know that domain and forest functional levels each have their own roles/applications in the AD DS infrastructure.

The raising process remains the same for Windows Server 2008; make sure your DCs run at least that OS version.

https://www.adaxes.com/help/Concepts.ManagedDomains.DomainFunctionality.html

[01:55] Now on to the Windows Server 2008 domain functional level.


[02:13] One of the biggest changes in Windows 2008 is the use of DFSR, with more advanced options, to replicate the SYSVOL contents instead of FRS, which lower versions use.


When the entire forest has been upgraded to Windows Server 2008, for example, we need to migrate from FRS to DFSR as mentioned.

However, although the current OS of the DC is Windows Server 2008 R2, the forest functional level is still 2003.

Thus, we can't start the migration.

[02:50] After the functional level has been upgraded, we can use this command, but we only need a small demonstration, so we stop here.


To learn more about this migration:

http://www.adshotgyan.com/2010/12/sysvol-migration-from-frs-to-dfsr.html

[03:02] More info about Windows Server functional levels and their associated features here:


https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754918(v=ws.10)


[03:07] You can also do this in a more advanced way with PowerShell:


https://www.petri.com/raise-active-directory-domain-and-forest-functional-levels-using-powershell
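
A pre-flight check for the forest raise described above, written as an added example (it is not taken from the video or from the linked article). It uses the standard ActiveDirectory module cmdlets; the `$TargetForestMode` value and the variable names are assumptions for illustration.

```powershell
# Added example: list every domain and DC in the forest and flag DCs whose
# OS is too old for the forest functional level you plan to raise to.
Import-Module ActiveDirectory

# Assumption: the forest FL you intend to raise to.
$TargetForestMode = 'Windows2003Forest'

# Lowest DC OS version each forest FL requires
# (5.2 = Windows Server 2003, 6.0 = 2008, 6.1 = 2008 R2).
$MinDcOsVersion = @{
    'Windows2003Forest'   = [version]'5.2'
    'Windows2008Forest'   = [version]'6.0'
    'Windows2008R2Forest' = [version]'6.1'
}

$forest   = Get-ADForest
$blockers = @()

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Server $domainName
    Write-Host ("{0}: domain FL = {1}" -f $domainName, $domain.DomainMode)

    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        if (-not $dc.OperatingSystemVersion) {
            # No OS version recorded: treat as a blocker until checked by hand.
            $blockers += ("{0} has no OS version recorded" -f $dc.HostName)
            continue
        }
        # OperatingSystemVersion looks like "6.1 (7601)"; keep the "6.1" part.
        $osVersion = [version](($dc.OperatingSystemVersion -split ' ')[0])
        if ($osVersion -lt $MinDcOsVersion[$TargetForestMode]) {
            $blockers += ("{0} runs {1}" -f $dc.HostName, $dc.OperatingSystem)
        }
    }
}

Write-Host ("Current forest FL: {0}" -f $forest.ForestMode)
if ($blockers) {
    Write-Warning "Do not raise the forest FL yet. DCs below the target level:"
    $blockers | ForEach-Object { Write-Warning "  $_" }
} else {
    # Preview only; remove -WhatIf to apply the change.
    Set-ADForestMode -Identity $forest.Name -ForestMode $TargetForestMode -WhatIf
}
```

Run it from a host that can reach a DC with Active Directory Web Services in each domain; with `-WhatIf` in place nothing is changed.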

[03:12] This is a good checklist/preparation plan before raising the domain forest functional level:


https://www.experts-exchange.com/questions/28628486/check-list-and-preparation-plan-before-raising-domain-forest-functional-level-from-2003-to-2008.html
