[00:03] In the previous episode, we explored the need for raising the domain functional level to Windows Server 2003; now we turn to the forest, and that FL is Windows Server 2003.
[00:06] The domain FL defines the minimum version of Windows Server edition that DCs can run on.
And the forest FL defines the lowest version of FL that domains in the forest must have.
Of course, the domain/forest FL has its own specialized features to suit its scope/design: https://activedirectoryfaq.com/2015/03/domain-and-forest-functional-levels-overview/
[00:13] One feature that needs forest functional level Windows Server 2003, which I will mention as an example, is the Read-Only Domain Controller (RODC).
Simply put, an RODC is a Domain Controller, but "read-only".
The main reason for using an RODC is security, while also providing domain resiliency at remote offices.
If a remote office which contains this DC has poor physical security, or it is only serving a small number of very non-IT-minded staff, there is no good reason to have a fully writable domain controller at that site.
[00:22] You should take a moment to consider that what is being held on a Domain Controller is nothing but all of your company's user accounts, including administrative accounts; if they are compromised, it would be a massive security risk/data breach for your network.
More info about RODC: http://windocuments.net/Rodc.html
[00:29] To deploy an RODC, we first create a Read-only Domain Controller account for that server, but it fails because our current forest FL is Windows 2000; we need to raise it to 2003 or higher.
In fact, you must pay attention when raising the forest FL, because once it is raised, all new domains whose FLs are lower than the forest FL cannot be joined.
It is an irreversible action, actually.
[01:30] Okay, now we can start to create an RODC account or use more features, now that the forest functional level has been raised to Windows Server 2003.
[01:49] We know domain or forest functional levels have their own roles/applications in the AD DS infrastructure.
The raising process remains the same with Windows Server 2008; make sure your DCs' OS editions are at least the same.
[01:55] Now with the Windows Server 2008 domain functional level.
[02:13] One of the biggest changes in Windows 2008 is the use of DFSR with more advanced options to replicate the SYSVOL contents instead of applying FRS as lower versions do.
When the entire forest has been upgraded to Windows Server 2008, for example, we need to migrate from FRS to DFSR as mentioned.
However, although the current OS of the DC is Windows Server 2008 R2, the forest functional level is still 2003.
Thus, we can't start the migration.
[02:50] After the functional level has been upgraded, we can use this command, but we just need a small demonstration, so we stop here.
To learn more about this migration:
[03:02] More info about Windows Server functional levels and their associated features here: