Functional domain and forest levels

abdelhak mallem 21 Reputation points
2020-11-12T15:56:24.477+00:00

Good morning gentlemen,
I am exposing my problem: my client is doing an infra with 6 domain controllers in 2016 with a schema level of 87, and the current functional level of the domain's forest is 2008R2. He wants to raise the functional level of his forest and his domain to 2016.

  • What steps do I have to take before embarking on this project?
  • What should I see first or ask the customer for information?
  • Could the version upgrade have an impact on the CA, Exchange, Sysvol and replication (the certification authority assigns the Sites, knowing that it performs smart card authentication)?
  • If not, what are these impacts, if any?
  • Can we consider a roll back?
Please mark helpful replies as answer, thank you.

Accepted answer
Anonymous, 2020-11-12T16:04:51.843+00:00

    The prerequisite before introducing the first 2016 domain controller: the domain functional level needs to be 2003 or higher.

    The two prerequisites to introducing the first 2019 domain controller are that the domain functional level needs to be 2008 or higher and the older SYSVOL FRS replication needs to have been migrated to DFSR:
    https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Streamlined-Migration-of-FRS-to-DFSR-SYSVOL/ba-p/425405

    I'd use the dcdiag / repadmin tools to verify health, correcting all errors found before starting any operations. Then stand up the new 2016 server, patch it fully, license it, join it to the existing domain, add Active Directory Domain Services, promote it (also making it a GC, recommended), transfer the FSMO roles over (optional), transfer the PDC emulator role (optional), use the dcdiag / repadmin tools to verify health again, and when all is good you can decommission / demote the old one.

    I'd ask separate questions about the impacts for CA and Exchange over here:
    https://learn.microsoft.com/en-us/answers/topics/windows-server-security.html
    https://learn.microsoft.com/en-us/answers/topics/office-exchange-online-itpro.html

    --please don't forget to Accept as answer if the reply is helpful--


1 additional answer

Anonymous, 2020-11-13T09:49:41.993+00:00

    Hello @abdelhak mallem ,

    Thank you for posting here.

    Here are the answers for your reference.

    • What steps do I have to take before embarking on this project?

    A1: Before we do any changes in our domain, we had better check:

    1. Check if the AD environment is healthy. Check whether all DCs in this domain are working fine by running Dcdiag /v on each DC.
    2. Check if AD replication works properly by running repadmin /showrepl and repadmin /showrepl * /csv >c:\repsum.csv on each PDC in the forest root domain.
    3. Check that both the SYSVOL folder and the Netlogon folder are shared by running net share on each DC.
    4. Check if we can run gpupdate /force on each DC successfully.
    5. Check if SYSVOL replication works fine. We can try to create a new file or folder under C:\Windows\SYSVOL\sysvol\domain.com\Policies on any one DC and then check whether this new file or folder is replicated to the other DCs under the same path 10-30 minutes later.
    6. We had better back up all DCs.
    7. We had better perform all the operations during downtime or on a non-working day.

    If there is no error after checking all of the above, your AD domain environment should be working fine. We can go to question 2.

    • What should I see first or ask the customer for information

    A2: If you want to add a 2016 domain controller to the existing domain, the forest functional level needs to be 2003 or higher.

    Based on "the current functional level of the domain's forest is 2008R2, he wants to raise the functional level of his forest and his domain to 2016", we should:

    1. Ensure that all domain functional levels are equal to or higher than the forest functional level;
    2. Ensure that the operating system level of all domain controllers is equal to or higher than the domain functional level;
    3. Make sure all DCs are upgraded to 2016 DCs (I mean add a new Windows Server 2016 to the domain and promote it as a DC, not perform an in-place operating system upgrade of an existing DC from a lower operating system version to a Windows Server 2016 DC).
    4. Transfer FSMO from old DC to new 2016 DC.
    5. Demote all the lower operating system version of DCs and only keep 2016 DCs.
    6. Raise functional level to 2016.
    7. The domain function level can only be upgraded on the PDC;
    8. The forest functional level can only be upgraded on the schema master.

    • Could the version upgrade have an impact on (the CA, Exchange, Sysvol and replication certification authority assigns the Sites, knowing that it performs smart card authentication).

    A3: If you want to add a 2016 domain controller to the existing domain, the domain functional level needs to be 2008 or higher and SYSVOL replication must be DFSR (if SYSVOL replication is still the older FRS, it needs to be migrated to DFSR).

    1. Your CA server and Exchange server should be member servers, not DCs, is that right?
    2. If so, there should be no impact on the CA server if we install AD CS on a member server, because functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.
    3. As a kind of reminder, the applications on workstations or member servers may perhaps be impacted by the forest functional level and/or the operating system version of the domain controllers. So before upgrading DCs to a higher operating system or raising the forest functional level, we can check if there is any impact on any application in your AD environment.
    4. For Exchange server, whether a specific Exchange version is supported depends on the server operating system version Exchange is installed on, the Exchange version and the Active Directory environment (including the DC operating system version and the AD forest functional level).
      For more information, we can refer to the link below.
      Exchange Server supportability matrix
      https://learn.microsoft.com/en-us/Exchange/plan-and-deploy/supportability-matrix?view=exchserver-2019

    • If not, what are these impacts if any

    A4: For the DNS server on old DCs:

    1. If the removed DC was a DNS server, before removing the DNS role on the old DC, update the DNS client configuration on all member workstations, member servers, and other DCs that might have used this DNS server for name resolution.
    2. If required, modify the DHCP scope to reflect the removal of the old DNS server and the addition of the new DNS server.
    3. If the removed DC was a DNS server, update the Forwarder settings and the Delegation settings on any other DNS servers that might have pointed to the removed DC for name resolution.

    • Can consider roll back

    A5: We had better fix all the errors in your domain and back up all good DCs before we do all the changes.

    Tip:

    1. Usually, we want a DC to be just a DC, with nothing else on it, because this reduces possible resource conflicts and exploitable vulnerabilities and minimizes patching of other applications that might cause downtime.
      Ideally, a DC should be easy to replace, just by standing up another DC. When we put other software and roles on one DC, the DC may be harder to replace.
    2. As a kind of reminder, the applications on workstations or member servers may perhaps be impacted by the forest functional level and/or the operating system version of the domain controllers. So before upgrading DCs to a higher operating system or raising the forest functional level, we can check if there is any impact on any application in your AD environment.
    3. For adding a 2016 domain controller, the steps below are for your reference:
      1. Add the new Windows server 2019 to the existing domain.
      2. Add the AD DS and DNS roles and promote this Windows server 2019 as a DC (as a GC).
      3. Check if the AD environment is healthy again.

    Hope the information above is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    1 person found this answer helpful.
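The pre-flight checks that both answers list (functional levels, DC operating systems, FSMO holders, FRS-vs-DFSR state of SYSVOL, SYSVOL/NETLOGON shares, replication health) can be gathered in one read-only pass. The script below is an added example, not code from either answerer; it assumes the RSAT ActiveDirectory module and a Domain Admin session on a writable DC, and the target level Windows2016Domain is an assumed value for this thread's scenario.

```powershell
# Added pre-flight report for raising the domain/forest functional level (example, not from the thread).
# Assumes: ActiveDirectory module available, run as Domain Admin on a DC. Nothing is changed;
# the raise commands are left commented out at the end.
Import-Module ActiveDirectory

$report = [ordered]@{}

# A2 steps 7-8: the raise must be run on the PDC emulator (domain) and schema master (forest)
$domain = Get-ADDomain
$forest = Get-ADForest
$report['DomainMode']   = $domain.DomainMode
$report['ForestMode']   = $forest.ForestMode
$report['PDCEmulator']  = $domain.PDCEmulator
$report['SchemaMaster'] = $forest.SchemaMaster

# A2 step 2: every DC's OS must be at or above the target level; any older DC blocks the raise
$dcs    = Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem, IsGlobalCatalog
$legacy = @($dcs | Where-Object { $_.OperatingSystem -notmatch '2016|2019|2022' })
$report['LegacyDCs'] = ($legacy | ForEach-Object { "$($_.HostName) ($($_.OperatingSystem))" }) -join ', '

# Accepted answer / A3: SYSVOL must already replicate with DFSR, not FRS.
# dfsrmig reports global state 'Eliminated' once the FRS-to-DFSR migration is complete.
$dfsrState = (dfsrmig /getglobalstate 2>&1) -join ' '
$report['SysvolIsDFSR'] = [bool]($dfsrState -match 'Eliminated')

# A1 step 3: SYSVOL and NETLOGON must be shared on every DC (same check as "net share", done remotely)
foreach ($dc in $dcs) {
    $shares = (net view "\\$($dc.HostName)" 2>&1) -join ' '
    $report["Shares_$($dc.HostName)"] = ($shares -match 'SYSVOL') -and ($shares -match 'NETLOGON')
}

# A1 step 2: replication summary; any non-zero failure count must be fixed before going further
$report['ReplSummary'] = (repadmin /replsummary 2>&1) -join "`n"

# Go/no-go gate for the raise itself (A2 step 6)
$report['ReadyToRaise'] = ($legacy.Count -eq 0) -and $report['SysvolIsDFSR']

[pscustomobject]$report | Format-List

# When ReadyToRaise is True and the report has been reviewed, the raise is done on the role holders.
# Dry run first with -WhatIf; remove it to apply.
#   Set-ADDomainMode -Identity $domain -DomainMode Windows2016Domain -Server $domain.PDCEmulator -WhatIf
#   Set-ADForestMode -Identity $forest -ForestMode Windows2016Forest -Server $forest.SchemaMaster -WhatIf
```

The share check reports True only when both SYSVOL and NETLOGON are visible on a DC, so a False entry points at the DC that needs attention before any promotion or demotion.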