A few things you should know about raising the DFL (and/or) FFL to Windows Server 2008 R2





Hello, Greg Jaworski here again to briefly talk about two issues that can come up when raising the domain functional level (DFL) and/or the forest functional level (FFL) to Windows Server 2008 R2. While we have loads of documentation and numerous blogs on this, there are a few issues that customers have hit that are a little harder to find.

The first one was first documented (to my knowledge) by Brian Puhl, who is a Microsoft employee, but it was not blogged on one of our sites. The link to that blog is below (it is external, so the usual warnings apply). I have provided some details below.


When you raise the domain functional level to Windows Server 2008 or Windows Server 2008 R2 from Windows Server 2003 or (gasp) Windows 2000, the krbtgt password will be changed. Some TechNet articles have stated that the krbtgt password is periodically changed, but that is not true. There is obvious concern that this password does not change, but this password is very complex and this account is also disabled by default.

Back to the topic at hand: this password change should not cause issues, since we remember the previous password. I have not seen any issues with Windows systems, but I have seen issues with Unix/Linux systems that use 3rd party AD integration software. In that case, simply recycling the daemon fixed the issue, since this caused the application to retrieve new Kerberos tickets. This is one of those "it should not break anything" changes, but it should be documented as part of raising the DFL to Windows Server 2008 so that you can be prepared if the unexpected does happen.
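One way to confirm the krbtgt password change described above is to snapshot the account before and after the functional level raise. This is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module is available, and the function names and snapshot path are hypothetical.

```powershell
# Added example: record krbtgt password state before and after raising the DFL.
# Requires the ActiveDirectory module (RSAT). Function names and the snapshot
# path are hypothetical; adjust them to your environment.
Import-Module ActiveDirectory

function Get-KrbtgtSnapshot {
    # Query one fixed DC (the PDC emulator by default) so both snapshots are comparable.
    param([string]$Server = (Get-ADDomain).PDCEmulator)

    $domain = Get-ADDomain -Server $Server
    $krbtgt = Get-ADUser -Identity krbtgt -Server $Server `
        -Properties pwdLastSet, 'msDS-KeyVersionNumber'

    [pscustomobject]@{
        Server           = $Server
        DomainMode       = [string]$domain.DomainMode
        # pwdLastSet is a FILETIME value (100 ns intervals since 1601, UTC).
        PwdLastSetUtc    = [DateTime]::FromFileTimeUtc($krbtgt.pwdLastSet)
        KeyVersionNumber = [int]$krbtgt.'msDS-KeyVersionNumber'
    }
}

function Compare-KrbtgtSnapshot {
    param($Before, $After)

    # Either a newer pwdLastSet or a different key version number means the
    # krbtgt password was reset between the two snapshots.
    $changed = ($After.PwdLastSetUtc -gt $Before.PwdLastSetUtc) -or
               ($After.KeyVersionNumber -ne $Before.KeyVersionNumber)

    [pscustomobject]@{
        DomainModeBefore      = $Before.DomainMode
        DomainModeAfter       = $After.DomainMode
        KvnBefore             = $Before.KeyVersionNumber
        KvnAfter              = $After.KeyVersionNumber
        PwdLastSetBeforeUtc   = $Before.PwdLastSetUtc
        PwdLastSetAfterUtc    = $After.PwdLastSetUtc
        KrbtgtPasswordChanged = $changed
    }
}

# Before the change window:
#   Get-KrbtgtSnapshot | Export-Clixml C:\Temp\krbtgt-before.xml
# After raising the DFL and letting replication converge:
#   $before = Import-Clixml C:\Temp\krbtgt-before.xml
#   Compare-KrbtgtSnapshot -Before $before -After (Get-KrbtgtSnapshot -Server $before.Server)
```

If `KrbtgtPasswordChanged` comes back true, that marks the point from which third-party Kerberos clients holding older tickets may need their daemon recycled, as described above.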

The second one is related to the .NET Framework prior to version 4.0. Versions of .NET prior to .NET 4.0 do not support the DomainMode enumeration function against a Windows Server 2008 R2 domain or forest. Now, not being a developer, I have no idea what that function does (well, I could guess 🙂), but if you have .NET applications that use Active Directory you will want to test and make sure these work, and apply this hotfix if needed. (You did test... right... right?)

2260240 FIX: “The requested mode is invalid” error message when you run a managed application that uses the .NET Framework 3.5 SP1 or an earlier version to access a Windows Server 2008 R2 domain or forest



What is the Impact of Upgrading the Domain or Forest Functional Level?



Understanding Active Directory Domain Services (AD DS) Functional Levels



How to raise Active Directory domain and forest functional levels



FIX: “The requested mode is invalid” error message when you run a managed application that uses the .NET Framework 3.5 SP1 or an earlier version to access a Windows Server 2008 R2 domain or forest



Replication Version Number for your KrbTGT account password?



W2K3 to W2K8 and W2K8R2 Active Directory Upgrade Considerations


Upgrade Domain Controllers: Microsoft Support Quick Start for Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains



Greg Jaworski