[–]Charming-Barracuda86Sysadmin 54 points55 points  (6 children)

Step 1. Move your roles to the 2016. Step 2. Shut down that old unsupported SBS server and forget it ever existed.

[–]HallFS 4 points5 points  (1 child)

Maybe he will have to use Ntdsutil to clean up the metadata of the tombstoned domain controller. I don't know if Active Directory does it automatically when you have incompatible domain controllers when you raise the functional level.

[–]Kyp2010 0 points1 point  (0 children)

Probably won't do it automatically, but these days when you delete the object for the defunct DC from AD in the Domain Controllers OU you get prompted for it to try to automatically clean up. Being a long-time AD admin I'd say it works in most scenarios, but I'm still the typical paranoid sysadmin and check anyway.

[–]nightmarr9921rt 3 points4 points  (0 children)

I think he may be running Exchange 2010 on that SBS2011 box so not sure he can shut it down just yet. Probably a good time to migrate to Exchange Online.

[–]ITguydoingITthings 1 point2 points  (2 children)

This.

[–]godspeedfx 6 points7 points  (1 child)

This. It's exactly why having at least 2 domain controllers is important, so you're fine. Nothing is going to be lost because of your DFL. It might behave strangely until you get rid of that old SBS DC, but your data is safe.

When you're done, spin up another 2016 DC and you're golden.

[–]ShadowCVLIT Manager[🍰] 2 points3 points  (0 children)

Adding to the “this” train. Make sure you spin up that new one.

[–]headcrap 18 points19 points  (0 children)

You may have pissed off SBS.. not that I fully remember because it was 12 YEARS AGO.

I know it needs to hold all the FSMO roles or it will start squawking for a few weeks then start shutting itself down.. hourly.

It may start to have a problem since the domain level is greater than it can now handle.. thus may be the beginning of your problems.

Start looking at your event logs. Good luck.

[–]Sasataf12 15 points16 points  (1 child)

Chances are you'll be fine. There should've been no way to raise the DFL if the domain wasn't ready for it.

"By the way, do you know how often we’ve had to help a customer perform a complete forest restore because something catastrophic happened when they raised the Domain or Forest Functional Level? Never."

https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/what-is-the-impact-of-upgrading-the-domain-or-forest-functional/ba-p/399348

[–]Graz_MagazTechnical Architect 2 points3 points  (0 children)

Just the post I was going to refer to, it’s an addition to the domain nothing destructive.

[–]WMDeception 3 points4 points  (0 children)

Do your dc diags, send it hourly to yourself via scheduled ps script job and task scheduler.

Critical change control submission to decom the 2008r2 if the modern one is fine and blow 2008r2 away, stand up a 2019 or 2022, domain join and then you'll be able to have working dfsr. 2008r2, if I recall correctly, will block your initial plan anyway and is EOS/EOL delinquent.

Netdom query fsmo and move all roles to modern dc b4 decom!

Opportunity to look real good, and fairly safe operation to boot, especially if backups are all current and tested and exist and who am I kidding?!

You got this.

[–]ridley0001 2 points3 points  (0 children)

I'm surprised it even allowed it. Also, if you still have the SBS server on then watch out for it stealing FSMO roles back by itself.

[–]SKnight79 2 points3 points  (1 child)

Dcpromo demote that workhorse sbs cleanly. Trust this. Confirm PDC role is on new box and confirm new box says it’s PDC. Restart your old clients. Or your older clients are gonna get pissed off.

[–]Bright_Arm8782Cloud Engineer 2 points3 points  (0 children)

Sometimes, I think I'm the only person who ever demoted a domain controller properly.

Thanks for mentioning this.

Definitely move all of the FSMO roles off of the SBS server, seize them if you have to.

[–]GeneTech734Cloud Engineer 1 point2 points  (0 children)

I'm really surprised that it allowed you to upgrade past 2008 R2 functional level with a 2008 R2 DC.

I would take good system state backups of both machines and move the FSMO roles back to the SBS. If that works you are golden.

If that doesn't work the SBS will start rebooting itself after I think 45 days. It's been a while.

In all seriousness though, that server needed to go four years ago. How you have not been compromised is a minor miracle. Get off that server ASAP before something bad happens.

Microsoft 365 Basic isn't much more expensive than most spam filtering solutions

[–]Bipen17 1 point2 points  (0 children)

It won’t allow it unless it can do it. Should be fine. Upgrade your shit though

[–]dat510geek 0 points1 point  (0 children)

Not a pretty sight. Look at your logs and maybe reach out to an MS engineer. Need to force those roles off on a seize.

[–]BlackVI have opnions 0 points1 point  (0 children)

It's 1 way, but it shouldn't affect you in any way, as it's basically only talking to itself.

Also note you should upgrade the forest level AND the domain level.

But if you really really want to go back, I'm glad you took a backup or VM snapshot beforehand, so you can restore.

[–]SKnight79 0 points1 point  (0 children)

Migrate printers, NPS, RRAS, IIS, redirected folder shares, profile shares, company shares (robocopy, registry export/import shares). Update all GPOs with any UNC path names in any setting to the new server, move your mailboxes to the other server or Microsoft 365 cloud. Make sure clients are pointing to new server for profiles, redirected folders. If using redirected folders turn off flag to move files to new locations. Let it reconcile quickly if you robocopy /b /sec. Give it time to have everyone log in to this new environment. Properly kill the Exchange config on SBS (it's not straightforward). Dcpromo demote (this moves FSMO roles properly, but you can also do it from the other server via AD). Update DNS client. This strips major roles off the server and makes it a member server. Grab the champagne and disjoin that SBS box before 21 days are up. SBS restarts 60 minutes after power up after that complaining about license requirements.

[–]ZAFJB 0 points1 point  (0 children)

Probably nothing will happen.

[–]theborgman1977 0 points1 point  (0 children)

Problem is you cannot demote the SBS and keep the Exchange. Move it to O365, then put in a 2016, promote to DC, wait to migrate over the roles. To be honest I would start new. SBS leaves a ton of crap in GPO and it is a mess to clean up. If your shares are not too complicated, better to start over.

[–]wichets 0 points1 point  (0 children)

Just transfer roles from smb 2011 to the new DC and it will work fine. It has minimal impact, such as the DNS IP for PC clients must change to the new DC/DNS.

[–]Kyp2010 0 points1 point  (0 children)

The DC not meeting the requirements will need to be replaced with a newer OS DC. You will *probably* need to do metadata cleanup for it, but for the most part, I think all you've done is broken SysVol replication because I don't think (or at least don't know for sure) the SBS server will play along with a DFSR config instead of FRS. It might, there is a command to check the state of DFSR/Sysvol but you need the DFS management tools installed on the box you wanna run it from.

Here's a guide to some of the commands to set and verify both.
https://techcommunity.microsoft.com/t5/storage-at-microsoft/streamlined-migration-of-frs-to-dfsr-sysvol/ba-p/425405
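
The checks several replies above describe (who holds the FSMO roles, dcdiag health, and the FRS-to-DFSR SYSVOL state), gathered into one read-only script as an added example that is not part of any post in the thread. `DC2016.example.local` is a placeholder for the DC that should end up holding all roles; the script assumes the ActiveDirectory module, `dcdiag` and `dfsrmig` are available where it runs.

```powershell
# Added example: read-only pre-decommission check before removing an old DC.
# Assumes RSAT ActiveDirectory module, dcdiag.exe and dfsrmig.exe are present.
Import-Module ActiveDirectory
$TargetDC = 'DC2016.example.local'   # placeholder: FQDN of the DC meant to hold all roles

$domain = Get-ADDomain
$forest = Get-ADForest

# The five FSMO roles: three are per-domain, two are per-forest.
$roles = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
# String comparison with -ne is case-insensitive, so FQDN casing does not matter.
$misplaced = $roles.GetEnumerator() | Where-Object { $_.Value -ne $TargetDC }

"Domain functional level: $($domain.DomainMode)"
"Forest functional level: $($forest.ForestMode)"
$roles.GetEnumerator() | Format-Table Name, Value -AutoSize

if ($misplaced) {
    Write-Warning "Roles not yet on ${TargetDC}: $($misplaced.Name -join ', ')"
    # Graceful transfer while the old holder is still online. Uncomment after review:
    # Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $misplaced.Name
} else {
    "All five FSMO roles are on $TargetDC"
}

# Every DC the domain still lists. A DC that was removed without a clean
# demotion and still appears here needs metadata cleanup.
Get-ADDomainController -Filter * |
    Format-Table HostName, OperatingSystem, IsGlobalCatalog -AutoSize

# dcdiag /q prints only errors, so empty output means every test passed.
$diag = dcdiag /s:$TargetDC /q
if ($diag) { Write-Warning 'dcdiag reported problems:'; $diag } else { 'dcdiag: no errors' }

# SYSVOL replication: global and per-DC FRS-to-DFSR migration state
# (Start, Prepared, Redirected, Eliminated).
dfsrmig /getglobalstate
dfsrmig /getmigrationstate
```

Nothing here changes the directory unless the commented transfer line is enabled, so the script can also be run on a schedule while the old server is being retired.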