Forest / Domain Functional Levels

  • Forest / Domain Functional Levels

    I just started a consulting position at a small company and I have been making some suggestions to improve and update the environment. The environment is simple: three DCs (and GCs) - two are Windows Server 2008, and one is Windows Server 2003. These three are online. Two additional DCs exist with Windows Server 2003 but are offline. One of these is an Exchange 2003 server as well (a new W2K8/E2K7 server exists). My goal is to retire the two offline DCs and the E2K3 server. I also noticed that the Domain Functional Level is Windows 2003 (which I believe I cannot change until all DCs are at W2K) and the Forest Functional Level is at Windows 2000.

    Can I change the forest functional level?

    Thanks for your comments!
    -Mike

  • #2
    Re: Forest / Domain Functional Levels

    As long as you have no Win2K DCs (not servers) in any domain, you should have no issue raising the FFL.

    How long have the 2 DCs been offline? They may be well past tombstone and require a metadata cleanup?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Forest / Domain Functional Levels

      Thanks for the super fast reply! We have only one or two Windows 2000 member servers, but none are DCs. So I assume we can raise the FFL to 2003 and keep the DFL (I like your acronyms) at 2003 as well, since we have two Windows 2008 and one Windows 2003 DC.

      As for the timeframe of being offline, the current administrator here was hesitant about demoting the old DCs, so simply shut them off. I understand what you are saying about needing to clean up metadata. I personally have never waited this long to demote DCs. I do see Event IDs 1925 and 1864 on the other DCs that read as below. I believe they have been off for quite some time. Will powering them back on cause any issues with dcpromo and demoting them, or do you think it is best to use ntdsutil to remove the information from AD?

      Thanks again for your opinion.

      This directory server has not recently received replication information from a number of directory servers. The count of directory servers is shown, divided into the following intervals.

      More than 24 hours: 2
      More than a week: 2
      More than one month: 2
      More than two months: 2
      More than a tombstone lifetime: 2
      Tombstone lifetime (days): 60

      Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.

      To identify the directory servers by name, use the dcdiag.exe tool.
      You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".



      • #4
        Re: Forest / Domain Functional Levels

        Just clean up AD and make sure the old DCs suffer an fdisk before being connected to the domain again!
        Since they are past their tombstone they have no chance of being gracefully removed from the domain.
        Tom Jones



        • #5
          Re: Forest / Domain Functional Levels

          Weird - I replied to your last post but do not see it. Here goes again....

          I have read various info on how to do this and some suggest using dcpromo /forceremoval. My question is what harm will it do to the AD if I power on DCs that have been sitting for 6 months, and if I do, will dcpromo even work? Does removing the metadata using ntdsutil do the exact same thing as dcpromo /demote? I am not sure why some people are running dcpromo /forceremoval and then using ntdsutil to clean the metadata. Can you explain?



          • #6
            Re: Forest / Domain Functional Levels

            I think this article on the main site covers everything:
            http://www.petri.com/forcibly_removi...oy_from_dc.htm

            dcpromo /forceremoval cleans up the local machine but not AD -- that needs ntdsutil

            So IMHO a good format and reinstall beats forceremoval -- I assume there is nothing you want on the machine now?
            Tom Jones

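As an added example (not written by any poster in this thread), the PowerShell below pulls together the checks the discussion turns on: the functional levels and any Windows 2000 DCs that would block raising the FFL (#2, #3), the per-partner replication age that Event ID 1864 summarises (#3), and the server DNs that ntdsutil metadata cleanup takes as input (#6). It assumes the ActiveDirectory module from RSAT on Windows Server 2012 or later; the function name and the output field names are my own, not from the thread.

```powershell
# Added example: audit the replication facts behind Event ID 1864 and list the server DNs
# that metadata cleanup needs. Get-ADReplicationPartnerMetadata (RSAT, Server 2012+) is the
# cmdlet counterpart of "repadmin /showvector /latency" quoted in the event text.
Import-Module ActiveDirectory

function Get-StaleReplicationPartners {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # Tombstone lifetime lives on the Directory Service object; unset means 60 days, the value in the quoted event.
    $dsDn = "CN=Directory Service,CN=Windows NT,CN=Services," + (Get-ADRootDSE).configurationNamingContext
    $tsl  = (Get-ADObject -Identity $dsDn -Properties tombstoneLifetime).tombstoneLifetime
    if (-not $tsl) { $tsl = 60 }
    Write-Host "FFL=$($forest.ForestMode) DFL=$($domain.DomainMode) TombstoneLifetime=$tsl days"

    # Only Windows 2000 domain controllers (not member servers) block raising the FFL to 2003.
    $dcs = Get-ADDomainController -Filter *
    $dcs | Where-Object { $_.OperatingSystem -like '*2000*' } |
        ForEach-Object { Write-Warning "Windows 2000 DC blocks FFL raise: $($_.HostName)" }

    # Event 1864 counts partners whose last successful replication is older than the tombstone lifetime.
    $cutoff = (Get-Date).AddDays(-$tsl)
    foreach ($dc in $dcs) {
        try {
            Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * -ErrorAction Stop |
                Where-Object { $_.LastReplicationSuccess -lt $cutoff } |
                ForEach-Object {
                    # Partner is the DN of the partner's NTDS Settings object; dropping that RDN gives the server DN.
                    $serverDn = $_.Partner -replace '^CN=NTDS Settings,'
                    [pscustomobject]@{
                        Server       = $dc.HostName
                        StalePartner = ($serverDn -split ',')[0] -replace '^CN='
                        Partition    = $_.Partition
                        DaysSilent   = if ($_.LastReplicationSuccess) { [int]((Get-Date) - $_.LastReplicationSuccess).TotalDays } else { 'never' }
                        CleanupDn    = $serverDn
                    }
                }
        } catch {
            # Offline DCs, like the two in the thread, cannot be queried; report rather than abort.
            Write-Warning "Cannot query $($dc.HostName): $($_.Exception.Message)"
        }
    }
}

# Anything returned is past tombstone lifetime, so the path is metadata removal, e.g.
#   ntdsutil "metadata cleanup" "remove selected server <CleanupDn>" quit quit
# run by an admin once the host is confirmed permanently offline. This script only reports.
Get-StaleReplicationPartners | Sort-Object StalePartner, Server | Format-Table -AutoSize
```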


            • #7
              Re: Forest / Domain Functional Levels

              Correct - nothing on the machine needs to be saved, nor do we want to reuse them for domain controllers. I guess for my own curiosity I was just wondering what kind of havoc would be caused if I did actually turn them back on. For instance, would DCPROMO /DEMOTE actually work, or would replication not even function since the tombstones are more than 60 days old? Another concern I have is the default connector between Exchange 2003 and 2007. I think if I could power on the old DC/E2K3 box and remove E2K3 and demote the DC (rather than using ntdsutil), it may be easier than manually cleaning up both the DC and E2K3 info from AD. But if DCPROMO will fail, then it isn't worth even trying. I can't seem to find an article anywhere that states DCPROMO will fail if the DC has been off more than 60 days.
