Windows 10: What are the Impacts of Upgrading the Domain and Forest Functional Level in a Production AD...

Discussion in 'Windows 10 Software and Apps' started by Ashan Dissanayake, Dec 29, 2023.

  1. What are the Impacts of Upgrading the Domain and Forest Functional Level in a Production AD...


    Dear All,

    I'd like to clarify the following concerns with you. We have a customer who has the following infrastructure and they want to raise the forest and domain functional levels in the Active Directory environment. Hence, we are seeking your expertise to clarify the same.

    Existing Infra

    AD Servers - 2 Servers are in the local data center and 1 Server is on Azure IaaS - Forest Functional Level is Server 2008 R2 and the Domain Functional Level is Server 2012 R2
    Azure AD Connect - 1 Server
    File Servers - 2 Servers local data center
    NPS Server - 1 Server local data center
    CA Server -1 Server l

    Ashan Dissanayake, Dec 29, 2023
    #1
  2. changari Win User

    Raising the windows domain and forest issues?


    hi,

    I run a domain that was all 2003 R2 servers. I recently upgraded all my domain controllers to Windows 2012 R2.
    That went off without any problems. Our trust relationships had no issues also.

    My first step was to raise the Domain and Forest levels past 2003 to 2008. This went off without a hitch.
    These are the features for raising the levels to 2008:

    • Features and benefits include all default Active Directory features, all features from the Windows Server 2003 domain functional level, plus:
    • Read-Only Domain Controllers – Allows implementation of domain controllers that only host read-only copy of NTDS database.
    • Advanced Encryption Services – (AES 128 and 256) support for the Kerberos protocol.
    • Distributed File System Replication (DFSR) – Allows SYSVOL to replicate using DFSR instead of older File Replication Service (FRS). It provides more robust and detailed replication of SYSVOL contents.

    Forest Level Windows Server 2008

    • Features and benefits include all of the features that are available at the Windows Server 2003 forest functional level, but no additional features. All domains that are subsequently added to the forest will operate at the Windows Server 2008 domain functional level by default.


    My next step is to raise the domain and forest to 2008 r2, then 2012, and finally 2012 r2. I have been trying to find out exactly what I could expect from raising the Domain and Forest for each step.

    The step involving 2008 R2 seems relatively a non-issue, but getting the couple of new features seems very nice.

    Domain Level Windows Server 2008 R2

    • All default Active Directory features, all features from the Windows Server 2008 domain functional level, plus 2 new features

    Forest Level Windows Server 2008 R2

    • All of the features that are available at the Windows Server 2003 forest functional level, plus the following features:


    • Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running. <== New Feature very cool
    • All domains subsequently added to the forest will operate at the Windows Server 2008 R2 domain functional level by default.

    Here are my big concerns for the next raising of domain and forest to 2012.

    Forest Level Windows Server 2012:

    • All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.
    • All domains subsequently added to the forest will operate at the Windows Server 2012 domain functional level by default.

    Domain Level Windows Server 2012 R2: <=====
    Need to investigate more and why this post

    • DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:


    • Authenticate with NTLM authentication <==============(what issues may arise)
    • Use DES or RC4 cipher suites in Kerberos pre-authentication
    • Be delegated with unconstrained or constrained delegation
    • Renew user tickets (TGTs) beyond the initial 4-hour lifetime


    Will this affect my Exchange Anywhere users with remote access authenticating either clear of NTLM???
    And what would/may not work properly on day 1 when I raise the domain and forest to 2012? I can't really find anyone that can answer a straight question.

    Has anyone gone through this? What problems did you have, if any, if a lot???

    Any thoughts and suggestions will be much appreciated??

    thanks


    - - - Updated - - -

    One more point... I am not sure if I posted this to the correct forum.. So if I was wrong and it should be in a different one..
    PLEASE LET ME KNOW
     
    changari, Dec 29, 2023
    #2
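
An added example, not part of the post above or of any Microsoft tooling: the DC-side restrictions listed in that post apply only to accounts that are members of the Protected Users group, so one check before raising the domain level is whether those accounts still show NTLM validations (event 4776) or DES/RC4 Kerberos TGT requests (event 4768) on the domain controllers. The function name, account names and event records are constructed for illustration; the comments show which real cmdlets would supply live input.

```powershell
# Added example; function name, accounts and events below are constructed.
# Live inputs would come from the ActiveDirectory module and each DC's Security log:
#   (Get-ADGroupMember -Identity 'Protected Users').SamAccountName
#   Get-WinEvent -ComputerName <dc> -FilterHashtable @{
#       LogName = 'Security'; Id = 4776, 4768; StartTime = (Get-Date).AddDays(-14) }
#   with TargetUserName, Workstation and TicketEncryptionType read from each event's XML.

function Get-ProtectedUsersExposure {
    param(
        [Parameter(Mandatory)] [string[]] $Members,  # accounts in (or planned for) Protected Users
        [object[]] $Events = @()                     # flattened records: Id, User, Source, EncType
    )
    # Kerberos encryption types as logged in 4768: DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC
    $weakEtypes = '0x1', '0x3', '0x17'
    foreach ($account in $Members) {
        $own  = @($Events | Where-Object { $_.User -eq $account })
        $ntlm = @($own | Where-Object { $_.Id -eq 4776 })
        $weak = @($own | Where-Object { $_.Id -eq 4768 -and $weakEtypes -contains $_.EncType })
        [pscustomobject]@{
            Account       = $account
            NtlmLogons    = $ntlm.Count
            NtlmSources   = ($ntlm.Source | Sort-Object -Unique) -join ', '
            WeakEtypeTgts = $weak.Count
            ReviewFirst   = ($ntlm.Count + $weak.Count) -gt 0
        }
    }
}

# Constructed sample data (not taken from any real environment)
$members = 'adm-alice', 'adm-bob', 'svc-backup'
$events  = @(
    [pscustomobject]@{ Id = 4776; User = 'adm-alice';  Source = 'MAIL01'; EncType = $null }
    [pscustomobject]@{ Id = 4776; User = 'adm-alice';  Source = 'VPN01';  EncType = $null }
    [pscustomobject]@{ Id = 4768; User = 'adm-alice';  Source = $null;    EncType = '0x12' }
    [pscustomobject]@{ Id = 4768; User = 'adm-bob';    Source = $null;    EncType = '0x12' }
    [pscustomobject]@{ Id = 4768; User = 'svc-backup'; Source = $null;    EncType = '0x17' }
    [pscustomobject]@{ Id = 4776; User = 'jdoe';       Source = 'PC042';  EncType = $null }
)

# adm-alice (NTLM from MAIL01, VPN01) and svc-backup (RC4 TGT) are flagged;
# adm-bob (AES only) is not; jdoe is ignored because it is not a group member.
Get-ProtectedUsersExposure -Members $members -Events $events | Format-Table -AutoSize
```

Accounts flagged here are the ones whose sign-ins would start failing once the DC-side protections take effect, so they are the ones to move off NTLM and RC4 or to keep out of the group.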
  3. Performing a Forest Restore in Case of Forest Function Level Upgrade Failure

    Hello All,

    We have a small business client that is currently looking to finally upgrade their infrastructure. Part of this process will include upgrading their existing functional forest level from server 2000 NT to server 2003, in order to create a trust with a newer domain that we are building for them. The newer domain will have servers that are only server 2008 and newer (eventually only server 2012 or newer) and will be disconnected from the old domain once all migration occurs. We have a plan in place to complete this properly, but there is one piece of the puzzle that I have yet to truly figure out.

    The process to raise a Forest/Domain functional level is beyond easy, but I have not yet hammered down the process of performing a Forest/Domain Restore. I realize that a restore is literally the only way to recover from a forest functional level upgrade failure. I realize these failures are beyond rare, but I would rather be safe than sorry. Could anyone point me to a straightforward guide on how to perform a Forest/Domain Restore on a pair of server 2003 domain controllers?

    As an important secondary question, one of my superiors is having a hard time believing the fact that simply taking a full backup of both domain controllers and restoring using those backups alone would not restore the domain to working condition. Could anyone explain why you have to complete all of these forest restore steps instead of being able to just restore from a full backup on both DCs?
     
    jelliott77, Dec 29, 2023
    #3
  4. skok(1) Win User

    Windows 11 22H2 Domain Joined and the minimum Domain Controllers domain and forest functional level supported by this operating system

    Hello MS Community ,

    I am writing to seek clarification and guidance regarding the domain joining requirements and the minimum domain controllers domain and forest functional level supported by Windows 11 22H2.
    Currently we are planning an upgrade to Windows 11 22H2 for our client machines.
    Is a Windows Server Domain Controllers environment with a domain and forest functional level of Windows Server 2008 supported for this scenario?

    To facilitate a smooth transition and avoid any potential compatibility issues, we kindly request your assistance in addressing the following:

    What is the minimum domain functional level required for Windows 11 22H2 domain joining?

    What is the minimum forest functional level required for Windows 11 22H2 domain joining?

    Are there any specific considerations or limitations regarding the forest & domain functional level ?
     
    skok(1), Dec 29, 2023
    #4