As part of the infrastructure clean up and upgrade plans, we have decided to raise the DFL and FFL of our domain to take advantage of new Windows Server features.
The first step in the process is making sure all DCs in the domain are running the same version of Windows Server. To meet this requirement, I have added two Windows Server 2008 R2 servers running Active Directory Domain Services as domain controllers. For the next step, I decommissioned all existing Windows Server 2003 R2 domain controllers by using dcpromo.exe to demote them and uninstall Active Directory.
After uninstalling AD from the WS2003R2 servers and restarting both machines, I went through the clean-up process to manually remove any lingering objects in AD-integrated DNS and AD Sites and Services that still referenced the demoted Windows Server 2003 R2 servers. I've written about this in a previous post.
By raising the forest and domain functional levels, I intend to take advantage of two main features:
a) Active Directory Recycle Bin, which gives us the ability to fully restore deleted objects and their attributes (user accounts, groups) in their entirety from the Deleted Objects container while AD DS is running.
b) AD Fine-grained Password Group Policies, which make it possible for us to specify password and account lockout policies for specific users and security groups in the domain instead of a blanket password policy for every department.
In the next step, I will verify the current forest and domain functional level using the following PowerShell cmdlet:
PS C:\scripts> Get-ADRootDSE | fl domainFunctionality, forestFunctionality
domainFunctionality : Windows2003Domain
forestFunctionality : Windows2003Forest
Raise the domain functional level:
PS C:\scripts> Set-ADDomainMode -Identity lab.net -DomainMode Windows2008R2Domain -Verbose
Raise the Forest functional level:
PS C:\scripts> Set-ADForestMode -Identity lab.net -ForestMode Windows2008R2Forest -Server WS2012R2.lab.net -Verbose
It should be noted that this operation is irreversible.
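Because the raise cannot be undone, it is worth scripting the pre-flight checks from the steps above (no remaining Windows Server 2003 DCs, no lingering NTDS Settings objects from demoted DCs) and running the raise itself as a dry run first. The script below is an added example, not from the original post; it assumes the RSAT ActiveDirectory module, the lab.net domain used above, and that the PDC emulator and domain naming master are the right targets for the two Set-* calls. Without -Apply it only reports and runs the raise with -WhatIf.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module and the lab.net domain; read-only unless -Apply is supplied.
param(
    [string]$Domain = 'lab.net',
    [switch]$Apply
)
Import-Module ActiveDirectory

# 1. Every DC must already run the target OS; a forgotten 2003 DC blocks the raise.
$dcs = Get-ADDomainController -Filter * -Server $Domain
$old = $dcs | Where-Object { $_.OperatingSystem -notmatch '2008 R2|2012|2016|2019|2022' }
if ($old) {
    Write-Warning 'DCs still running an older OS; demote and clean up before raising:'
    $old | Select-Object HostName, OperatingSystem | Format-Table -AutoSize
    return
}

# 2. Lingering NTDS Settings objects: a demoted DC whose server object was not
#    cleaned out of Sites and Services still shows up as an nTDSDSA object here.
$config = (Get-ADRootDSE -Server $Domain).configurationNamingContext
$known  = $dcs | ForEach-Object { $_.NTDSSettingsObjectDN }
$stale  = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' `
            -SearchBase "CN=Sites,$config" -Server $Domain |
          Where-Object { $known -notcontains $_.DistinguishedName }
if ($stale) {
    Write-Warning 'Stale NTDS Settings objects found; metadata cleanup needed first:'
    $stale | Select-Object DistinguishedName | Format-List
    return
}

# 3. Report the current levels, exactly as the Get-ADRootDSE check in the post does.
$root = Get-ADRootDSE -Server $Domain
"Before: domain={0} forest={1}" -f $root.domainFunctionality, $root.forestFunctionality

# 4. Raise domain first, then forest; the forest raise requires every domain in the
#    forest to already be at the target domain level. -WhatIf keeps it a dry run.
$pdc  = (Get-ADDomain -Identity $Domain).PDCEmulator
$dnm  = (Get-ADForest -Identity $Domain).DomainNamingMaster
$dry  = -not $Apply
Set-ADDomainMode -Identity $Domain -DomainMode Windows2008R2Domain -Server $pdc -WhatIf:$dry -Confirm:$false
Set-ADForestMode -Identity $Domain -ForestMode Windows2008R2Forest -Server $dnm -WhatIf:$dry -Confirm:$false

# 5. Confirm the change replicated to the DC we are querying.
if ($Apply) {
    $root = Get-ADRootDSE -Server $Domain
    "After:  domain={0} forest={1}" -f $root.domainFunctionality, $root.forestFunctionality
}
```

Run it once without -Apply to see both warnings and the two -WhatIf lines, then again with -Apply once every check passes.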