OK – please forgive the rather large gap between Part 2 and 3 of this series. There are many conflicting reasons for the time blow-out but the biggest one was that I didn’t want to write this last bit until I’d actually gone through and completed the project in a live environment and verified it to be 100% successful. Yes that’s right – the methodologies I’ve documented weren’t just extracted from a sterile lab environment, but from a live production environment with real users and servers. But before I could get to the point at which I could migrate the forest functional level, there were various sub-projects which cropped up – new domain controllers (all virtual – see Part 2), new Hyper-V hosts, network time considerations, WAN reconfiguration, DNS changes and so on.

The actual process of raising the functional level is pretty straightforward – a couple of clicks and you’re done. However, every domain controller has to be able to support the new level, so that means taking existing DCs based on earlier versions of Windows Server out of commission. They can still stick around as member servers, but you have to use DCPROMO to revoke their role as DCs. In my case, the last DC (which was Server 2008 Standard) happened to be the first DC of a new domain, so that meant it also took the FSMO roles for the domain (Flexible Single Master Operations) which are still part of Active Directory Domain Services. These do not get transferred automatically so this must be done manually.

There are five roles to be transferred – Schema Master, Domain Naming Master, PDC, RID Pool Manager and Infrastructure Master. To see which servers hold these roles in your environment, open a command window and type in:

netdom query fsmo /domain:yourdomain.com

In my case the same server held all five roles. I used the MMC snapins from a domain-joined workstation with the Remote Server Admin Tools (RSAT) installed to transfer the roles as follows:

Step 1 – Transfer PDC, RID Pool Manager and Infrastructure Master roles

  1. Open Active Directory Users and Computers
  2. Right-click “Active Directory Users and Computers” in the left-hand pane of the snapin and select “Connect to domain controller”, and choose the DC which you are transferring the roles TO
  3. Right-click “Active Directory Users and Computers” again, and select “All Tasks” and then “Operations Masters”
  4. For each of the three tabs – RID, PCD and Infrastructure – verify that the current Operations master is the DC you wish to transfer the role FROM, and that the other field is populated with the DC you wish to transfer the role TO, and click Change
  5. Click Close


Step 2 – Transfer Domain Naming Master role

  1. Open Active Directory Domains and Trusts
  2. Right-click Active Directory Domains and Trusts and select “Change Active Directory Domain Controller” and choose the DC which you are transferring the role TO
  3. Right-click Active Directory Domains and Trusts again and select “Operations Master”
  4. Verify that the current master server and the new master server fields are populated correctly, and click Change
  5. Click Close

Step 3 – Transfer Schema Master role

  1. First, register the snapin – go Start, Run, and type in “regsvr32 schmmgmt.dll” (without quotes) and hit Enter
  2. Go Start, Run, mmc.exe
  3. In the console screen go to the File menu and select “Add/Remove Snap-in”
  4. Select “Active Directory Schema” from the list of available snapins and click Add, then press OK
  5. Right-click “Active Directory Schema” and select “Change Active Directory Domain Controller”. Select the DC which you will transfer the role TO
  6. Right-click “Active Directory Schema” again and select “Operations Master”
  7. Verify that the current master server and the new master server fields are populated correctly, and click Change
  8. Click Close


The remaining considerations to assess what roles are currently in operation on the old DC. In my case it was also running as a DNS and DHCP server, so those roles needed to be replicated on new infrastructure and migrated, as my plans were to take the old DC offline completely. You also need to look at any specific or unique authentication scenarios – for example, I had a NAS which supported AD authentication but which had to point at the AD server hosting the PDC role, as it used a legacy form of authentication.

Go to the old DC and go Start, Run, DCPROMO to launch the ADDS Installation Wizard.

  1. Click Next
  2. Click OK to confirm that you have another Global Catalog server available on the network
  3. Do NOT click the checkbox on the next page, as this will delete the domain
  4. If DNS is running on the DC, tick the box to remove the DNS delegations which point to the server and enter administrative credentials to confirm this
  5. Type in a new Administrator account password

The server will configure and remove ADDS and replicate any existing data to the other DC. Reboot the system once the process is complete. Once the old system has restarted, log back in using the new local admin account (if the server was a DNS server then it will still be using its loopback address for DNS resolution so you won’t be able to log onto AD just yet) and then uninstall any services which are no longer needed.

Run checks in AD Users and Computers, Sites and Services and DNS to ensure that the DC has been removed successfully. At this stage, wait a few hours to allow domain replication to take place.

Active-Direcrory-Raise-Funtional-Level To migrate the functional level, launch Active Directory Users and Computers. Right-click the domain and select “Raise domain functional level”. In the field “Select an available domain functional level” choose “Windows Server 2008 R2” and click “Raise”. The domain level is now raised and the change replicates to each DC.

Active-Directory-Raise-Forest To raise the forest level, launch Active Directory Domains and Trusts and right-click “ Active Directory Domains and Trusts” (don’t click the domain). Click “Raise Forest Functional Level”, make sure that “Windows Server 2008 R2” is selected and click “Raise”. Again, the change replicates throughout the forest to all the other DCs.

Articles in seriesActive Directory Functional Level Server 2008 R2
1 Comment
  1. Chris A. 12 years ago

    Thanks for the detailed process. I had already gone through the entire process and just demoted my last 2003 server and was doing more research on the domain and forest raising when I saw your blog.

    Are there any other pitfalls or problems to look into or testing of other applications recommended besides just older domain controllers?

Leave a reply

Please enclose code in pre tags

Your email address will not be published.


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account