Step by Step Guide to downgrade domain and forest functional level

Up to Windows Server 2008 R2, forest and domain functional levels could not be downgraded once they had been raised. That is not a problem if you plan your Active Directory upgrades properly, but given the difficulties admins run into during AD upgrades, being able to go back can be a lifesaver. Starting with Windows Server 2008 R2 you can downgrade forest and domain functional levels. The lowest level you can downgrade to is Windows Server 2008.

In this demo I am using a domain controller with the forest and domain functional levels set to Windows Server 2012 R2.

There is no GUI to perform this downgrade; it has to be done with PowerShell commands.

First, log in to the domain controller as domain admin / Enterprise admin.

Then load PowerShell with Admin rights.


Then we need to import the AD module. To do that, type:

Import-Module -Name ActiveDirectory


Before proceeding, as confirmation, here my domain and forest functional levels are set to Windows Server 2012 R2.



First I am going to set the forest functional level to Windows Server 2008. To do that:

Set-ADForestMode -Identity "CANITPRO.com" -ForestMode Windows2008Forest

Here my FQDN is CANITPRO.com; replace it with your own domain name.
After you run the command it asks for confirmation; type Y or A to confirm the change.


The next step is to downgrade the domain functional level to Windows Server 2008. To do that:

Set-ADDomainMode -Identity "CANITPRO.com" -DomainMode Windows2008Domain


After both commands complete successfully, the next step is to confirm the new forest and domain functional levels. This time I am using PowerShell for the check.
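The whole procedure above, with a check before and after, as an added example that is not from the original post. It assumes a single-domain forest named CANITPRO.com (the post's name), an elevated PowerShell session on a domain controller run as an Enterprise Admin, and that the AD Recycle Bin is the optional feature most likely to block the downgrade: it needs forest level 2008 R2 and cannot be turned off once enabled, so the forest-level change would be refused.

```powershell
# Added example (not from the original post): lower the forest level, then the
# domain level, and verify with Get-ADForest / Get-ADDomain.
# Assumptions: single-domain forest CANITPRO.com; run elevated as an Enterprise Admin.
Import-Module -Name ActiveDirectory

$domainName = "CANITPRO.com"

function Get-FunctionalLevels {
    # Returns the current levels so they can be reviewed before and after the change.
    New-Object PSObject -Property @{
        ForestMode = (Get-ADForest -Identity $domainName).ForestMode
        DomainMode = (Get-ADDomain -Identity $domainName).DomainMode
    }
}

"Before:"; Get-FunctionalLevels | Format-List

# Optional features can pin the forest level. The AD Recycle Bin requires
# Windows Server 2008 R2 forest level and cannot be disabled, so if it is
# enabled the downgrade to Windows2008Forest will fail.
$recycleBin = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($recycleBin.EnabledScopes.Count -gt 0) {
    throw "AD Recycle Bin is enabled; the forest level cannot go below Windows Server 2008 R2."
}

# Forest first: a domain level can never be lower than the forest level, so the
# domain cannot be dropped to 2008 while the forest is still at 2012 R2.
# Both cmdlets prompt for confirmation (Y or A), as described in the post.
Set-ADForestMode -Identity $domainName -ForestMode Windows2008Forest
Set-ADDomainMode -Identity $domainName -DomainMode Windows2008Domain

"After:"; Get-FunctionalLevels | Format-List
```

The change is written to the domain naming master and PDC emulator and then replicates, so if you verify from a different DC straight away you may still see the old values until replication completes.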


If you have any questions feel free to contact me on rebeladm@live.com

Domain In-Place Upgrade Method


It is important to keep domain environments running on the latest versions. It allows organizations to use the new features and enhancements available in newer directory services. Typically, when we upgrade from an old DC to a new version, we add a new server or servers to the same network, join them to the existing forest and domain, promote them as DCs and move the roles to the new system. Later we demote the old DC, and once all legacy domain controllers are demoted we raise the forest and domain functional levels. This is the seamless and preferred method, and it is called the swing-server upgrade method.

But due to budget and resource limitations, not every organization can go with the swing-server upgrade method. This can be addressed with the in-place upgrade method, in which we upgrade the operating system of the running domain controller itself.

The currently available in-place upgrade path is from Windows Server 2008 or Windows Server 2008 R2 to Windows Server 2012 or Windows Server 2012 R2. The following table lists the versions each edition can be upgraded to. Be aware that you cannot use an in-place upgrade from Windows Server 2003, or from 32-bit versions of Windows Server 2008, to Windows Server 2012; from those versions you must use the swing-server method. In-place upgrade from Windows Server 2008 R2 Server Core to Windows Server 2012 Server Core is also not supported.

Current Version | Version that can upgrade into
Windows Server Standard 2008 with SP2, Windows Server Enterprise 2008 with SP2 | Windows Server 2012 Standard or Datacenter
Windows Server Datacenter 2008 with SP2 | Windows Server 2012 Datacenter
Windows Web Server 2008 | Windows Server 2012 Standard
Windows Server Standard R2 2008 with SP1, Windows Server Enterprise R2 2008 with SP1 | Windows Server 2012 Standard or Datacenter
Windows Server Datacenter R2 2008 with SP1 | Windows Server 2012 Datacenter
Windows Web Server 2008 R2 | Windows Server 2012 Standard

Once the upgrade is completed you need to manually change the forest and domain functional levels.

Before an in-place upgrade it is important to consider the following points:

1)    Hardware Requirements – Before the upgrade, make sure the current hardware supports the new operating system. Verify the free disk space on the server. It is recommended to have at least 20% free space on the partition / disk that holds the Active Directory database.
2)    Application Compatibility – Sometimes the DC also runs other applications for the company (even though this is not recommended). Before the upgrade you must make sure they are compatible with the new operating system and with running on a DC.
3)    Downtime – During the upgrade process the domain services on that server will be down, so you need to plan for the downtime.
4)    Permissions – You must have Domain Admin or Enterprise Admin rights to proceed with the upgrade.
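A pre-flight script for the points that can be checked mechanically (source OS version and architecture, full versus Server Core installation, free space on the AD database volume, and admin group membership), as an added example that is not from the original post. It uses Get-WmiObject rather than Get-CimInstance so it also runs under the PowerShell 2.0 that ships with Windows Server 2008 R2. Application compatibility and downtime still have to be assessed by hand. The 20% threshold is the post's recommendation, not a hard limit enforced by setup.

```powershell
# Added example (not from the original post): pre-flight checks before an
# in-place DC upgrade to Windows Server 2012 / 2012 R2. Run elevated on the DC.
$checks = New-Object System.Collections.ArrayList
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    [void]$checks.Add((New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }))
}

# 1. Source OS: only 64-bit Windows Server 2008 (6.0) / 2008 R2 (6.1) with the
#    full installation are supported; 2003, 32-bit and Server Core are not.
$os = Get-WmiObject Win32_OperatingSystem
Add-Check "64-bit OS" ($os.OSArchitecture -eq "64-bit") ("{0} ({1})" -f $os.Caption, $os.OSArchitecture)
Add-Check "Source is 2008 or 2008 R2" ($os.Version -like "6.0.*" -or $os.Version -like "6.1.*") $os.Version
$installType = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").InstallationType
Add-Check "Full (non-Core) installation" ($installType -ne "Server Core") $installType

# 2. Free space on the volume holding ntds.dit. The path comes from the NTDS
#    service parameters (default C:\Windows\NTDS\ntds.dit).
$ntds = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
$dbDrive = Split-Path -Qualifier $ntds."DSA Database file"
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$dbDrive'"
$freePct = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)
Add-Check "AD database volume >= 20% free" ($freePct -ge 20) ("{0}% free on {1}" -f $freePct, $dbDrive)

# 3. Permissions: the current logon token must include Domain Admins or Enterprise Admins.
$groups = [Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object {
    try { $_.Translate([Security.Principal.NTAccount]).Value } catch { }
}
$adminGroups = @($groups | Where-Object { $_ -match '\\(Domain|Enterprise) Admins$' })
Add-Check "Domain/Enterprise Admin rights" ($adminGroups.Count -gt 0) ($adminGroups -join ", ")

$checks | Format-Table Check, Passed, Detail -AutoSize
if ($checks | Where-Object { -not $_.Passed }) {
    Write-Warning "One or more checks failed: fix them or use the swing-server method instead."
}
```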

Known issues – please refer to https://technet.microsoft.com/en-us/library/hh994618 for the known issues with the in-place upgrade method.

This is the end of the post and if you have any questions feel free to contact me on rebeladm@live.com

Image source: http://blogs.microsoft.com/wp-content/uploads/2012/08/8867.Microsoft_5F00_Logo_2D00_for_2D00_screen.jpg

How to configure Direct Access? – Part 01

If someone in your organization asks how they can connect to the internal network from a remote location, the solution that comes to mind most of the time is a VPN (Virtual Private Network). Once you set up a VPN server in your local network, you can allow users at any remote location to "dial in" to the server and make their device part of the network. This communication happens over a secure channel.

Almost all switch, router and firewall manufacturers build their products with integrated VPN servers, and there are plenty of VPN server software products available nowadays. Even though these solutions work very well, there are a few common issues. Most of the time the people travelling are company sales staff or management, and unfortunately most of them are not very technical, so you need to spend time training them to use the VPN client on their device. Troubleshooting is also a nightmare if they hit any sort of error; believe me, most of the time they cannot tell you anything beyond "the VPN is not working". No offense, but this is what usually happens. Another issue with VPN is connectivity. We cannot expect a solid internet connection while travelling: it may be hotel wifi, coffee-shop wifi, a client's public wifi and so on that is used to dial in. If the connection drops, the VPN kicks you off and you have to dial in again, and sometimes you do not even notice that you have been disconnected. So most of your time on the road may be spent clicking the "connect" button on your VPN client.

What is direct access?

Along with Windows 7 and Windows Server 2008 R2, Microsoft introduced a new feature called "DirectAccess". It is a Microsoft product that acts as an "always-on" connection from a remote location to the local network. Remote clients connect to the local network automatically, and after every connection drop the connection is re-established without user interaction. The feature works on top of IPsec and IPv6, so if your network has not yet moved to IPv6 you need to use a transition mechanism such as Teredo or 6to4 to run it over IPv4.

Once DirectAccess is configured, when you switch on a device it first checks whether it is connected to the corporate network over the local area network. If it is not, it automatically makes a connection to the DirectAccess server. As mentioned above, this connection is made over IPsec and IPv6; if the system is not using IPv6 yet, it uses the transition mechanism set up by the corporation. Then, if Network Policy Server (NPS) is set up with policies, the device's health is checked against them before access to the network is granted. If it meets the health requirements to be part of the network, a health certificate is issued and submitted to the DirectAccess server for authentication.

Requirements for DirectAccess

To get DirectAccess up and running in your network you need the following:

1)    It must be an Active Directory domain environment running at least the Windows Server 2008 R2 domain functional level.
2)    The server that will run the DirectAccess server role must be joined to the domain.
3)    DirectAccess clients must run Windows 7 Enterprise or Ultimate or a later version. It does not work with Home or Starter editions. All devices must be domain members.
4)    The DirectAccess server must be reachable from the internet, which means it must be accessible via a public IP address.
5)    If the network is not running IPv6, transition technologies such as 6to4, Teredo or ISATAP must be available for use with the DirectAccess server.
6)    A PKI (public key infrastructure) to issue certificates for device authentication. The DirectAccess server must have an SSL certificate installed and must have a valid FQDN that can be resolved from the internet.
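A readiness check for a candidate DirectAccess server against the requirements above, as an added example that is not from the original post. It is run on the server itself from an elevated PowerShell session with the ActiveDirectory module available. The public FQDN da.example.com is a placeholder; the checks cover the domain functional level, domain membership, resolution of the public name to a non-private IPv4 address, a server-authentication certificate for that name in the machine store, and the presence of an IPv6 address (native or from a transition technology). Client editions and the PKI itself still have to be reviewed by hand.

```powershell
# Added example (not from the original post): DirectAccess server readiness checks.
# Assumption: $publicFqdn is a placeholder for the name clients resolve from the internet.
Import-Module ActiveDirectory

$publicFqdn = "da.example.com"

$checks = New-Object System.Collections.ArrayList
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    [void]$checks.Add((New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }))
}

# 1. Domain functional level must be Windows Server 2008 R2 or higher.
#    ADDomainMode is an ordered enum, so a numeric comparison covers later levels too.
$domain = Get-ADDomain
$minLevel = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain
Add-Check "Domain functional level >= 2008 R2" ([int]$domain.DomainMode -ge $minLevel) "$($domain.DomainMode)"

# 2. The server must be a domain member.
$cs = Get-WmiObject Win32_ComputerSystem
Add-Check "Server is domain-joined" $cs.PartOfDomain $cs.Domain

# 3. The public FQDN must resolve, and not to an RFC 1918 private address.
try {
    $addrs = @([Net.Dns]::GetHostAddresses($publicFqdn) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString })
    $private = @($addrs | Where-Object { $_ -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' })
    Add-Check "Public FQDN resolves to a public IPv4" (($addrs.Count -gt 0) -and ($private.Count -eq 0)) ($addrs -join ", ")
} catch {
    Add-Check "Public FQDN resolves to a public IPv4" $false $_.Exception.Message
}

# 4. A valid certificate with a private key, the FQDN in its subject and the
#    Server Authentication EKU (1.3.6.1.5.5.7.3.1) must be in the machine store.
$serverAuthOid = "1.3.6.1.5.5.7.3.1"
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $hasEku = $false
    foreach ($ext in $_.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            if ($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }) { $hasEku = $true }
        }
    }
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $hasEku -and
        ($_.Subject -match [regex]::Escape($publicFqdn))
} | Select-Object -First 1
Add-Check "Server auth certificate for FQDN" ($cert -ne $null) $(if ($cert) { $cert.Thumbprint } else { "none found" })

# 5. At least one IP-enabled adapter must carry an IPv6 address.
$v6 = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" |
    ForEach-Object { $_.IPAddress } | Where-Object { $_ -like "*:*" })
Add-Check "IPv6 address present" ($v6.Count -gt 0) ($v6 -join ", ")

$checks | Format-Table Check, Passed, Detail -AutoSize
```

Run the name-resolution check from outside the corporate network as well: an internal DNS zone may hand the server's private address to the script while internet clients get a different answer.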

This is the end of Part 1 of a series of articles explaining the setup of the DirectAccess role. If you have any questions feel free to contact me on rebeladm@live.com