Core Infrastructure and Security Blog

A few things you should know about raising the DFL (and/or) FFL to Windows Server 2008 R2

BrandonWilson (Microsoft)
Sep 19, 2018

First published on TechNet on Apr 09, 2012

Hello, Greg Jaworski here again to briefly talk about two issues you can hit when raising the domain functional level (and/or) the forest functional level to Windows Server 2008 R2. While we have loads of documentation on this and numerous blogs, there are a few issues that customers have hit that are a little harder to find.

The first one was first documented (to my knowledge) by Brian Puhl, who is a Microsoft employee, but it was not blogged on one of our sites. The link to that blog is below (it is external, so the usual warnings apply). I have provided some details below.

http://imav8n.wordpress.com/2007/12/19/replication-version-number-for-your-krbtgt-account-password/

So when you raise the domain functional level to Windows Server 2008 or Windows Server 2008 R2 from Windows Server 2003 or (gasp) Windows 2000, the krbtgt password will be changed. Some TechNet articles have stated that the krbtgt password is periodically changed, but that is not true. There is an obvious concern that this password does not change, but this password is very complex and the account is also disabled by default. So back to the topic at hand: this password change should not cause issues, since we remember the previous password and tickets issued under it continue to be accepted. I have not seen any issues with Windows systems, but I have seen issues with Unix/Linux systems that use 3rd party AD integration software. In that case simply recycling the daemon fixed the issue, since this caused the application to retrieve new Kerberos tickets. This is one of those "it should not break anything" items, but it should be documented as part of raising the DFL to Windows Server 2008 so that you can be prepared if the unexpected does happen.
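To make that krbtgt password change visible rather than a surprise, here is an added example (not from the original post) that snapshots the domain mode and the krbtgt password state on every DC before and after the raise, using the replication version number of unicodePwd that Brian's blog discusses. It assumes the ActiveDirectory RSAT module and an account allowed to read replication metadata.

```powershell
# Added example: snapshot krbtgt password state across all DCs before/after raising the DFL.
# Assumes the ActiveDirectory module is installed and the caller can read replication metadata.
Import-Module ActiveDirectory

function Get-KrbtgtState {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom    = Get-ADDomain -Identity $Domain
    $krbtgt = Get-ADUser -Identity krbtgt -Server $dom.PDCEmulator -Properties PasswordLastSet, Enabled
    $dcs    = Get-ADDomainController -Filter * -Server $dom.PDCEmulator
    foreach ($dc in $dcs) {
        # Replication metadata for unicodePwd: the version increments on every password change,
        # so it shows both that the password rotated and whether each DC has received it yet.
        $meta = Get-ADReplicationAttributeMetadata -Object $krbtgt.DistinguishedName `
                    -Server $dc.HostName -Properties unicodePwd
        [pscustomobject]@{
            Domain          = $dom.DNSRoot
            DomainMode      = $dom.DomainMode
            DC              = $dc.HostName
            KrbtgtEnabled   = $krbtgt.Enabled
            PasswordLastSet = $krbtgt.PasswordLastSet
            PwdVersion      = $meta.Version
            PwdLastChanged  = $meta.LastOriginatingChangeTime
        }
    }
}

# Usage: capture a baseline, raise the level, capture again and compare.
$before = Get-KrbtgtState
# The actual raise (deliberately commented out here):
# Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode Windows2008R2Domain
$after  = Get-KrbtgtState

$baseline = ($before.PwdVersion | Measure-Object -Maximum).Maximum
$versions = $after.PwdVersion | Sort-Object -Unique
if (@($versions).Count -ne 1) {
    Write-Warning "krbtgt unicodePwd version differs across DCs; wait for replication to converge before recycling Kerberos-dependent daemons."
} elseif ($versions -le $baseline) {
    Write-Warning "krbtgt password version did not change (still $versions)."
} else {
    Write-Output "krbtgt password rotated (version $versions) and is present on all $(@($after).Count) DCs."
}
$after | Format-Table DC, DomainMode, PwdVersion, PwdLastChanged -AutoSize
```

A DC whose PwdVersion lags the others is the one third-party Kerberos clients will fail against until replication catches up, which is the point to restart the daemon rather than before.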

The second one is related to the .NET Framework prior to version 4.0. Versions of .NET prior to .NET 4.0 do not support the DomainMode enumeration function against a Windows Server 2008 R2 domain or forest. Now, not being a developer, I have no idea what that function does (well, I could guess :)), but if you have .NET applications that use Active Directory you will want to test and make sure these work, and apply this hotfix if needed. (You did test… right… right?)

KB 2260240: FIX: "The requested mode is invalid" error message when you run a managed application that uses the .NET Framework 3.5 SP1 or an earlier version to access a Windows Server 2008 R2 domain or forest

http://support.microsoft.com/default.aspx?scid=kb;en-US;2260240

Resources

What is the Impact of Upgrading the Domain or Forest Functional Level?

http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx

Understanding Active Directory Domain Services (AD DS) Functional Levels

http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(WS.10).aspx

How to raise Active Directory domain and forest functional levels

http://support.microsoft.com/default.aspx?scid=kb;EN-US;322692

FIX: "The requested mode is invalid" error message when you run a managed application that uses the .NET Framework 3.5 SP1 or an earlier version to access a Windows Server 2008 R2 domain or forest

http://support.microsoft.com/kb/2260240

Replication Version Number for your KrbTGT account password?

http://imav8n.wordpress.com/2007/12/19/replication-version-number-for-your-krbtgt-account-password/

W2K3 to W2K8 and W2K8R2 Active Directory Upgrade Considerations

http://blogs.technet.com/b/glennl/archive/2009/08/21/w2k3-to-w2k8-active-directory-upgrade-considerations.aspx

Upgrade Domain Controllers: Microsoft Support Quick Start for Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains

http://technet.microsoft.com/en-us/library/ee522994(WS.10).aspx

Greg Jaworski

Updated Feb 07, 2020
Version 4.0
Joaquin1998 (Copper Contributor):

    I need to raise the functional level from 2008 R2 to 2016; all the DCs are now 2016, after just demoting the last 2008 R2 DC.

    Could I "undo" the raising of the functional level back to 2008 R2 from 2016, if I see applications not working well? Could I undo from 2016 to 2008 R2 directly or do I have to undo from 2016 to 2012 R2, then to 2012, then to 2008 R2? Thanks.