Some things to do after leaving Windows Server 2003 (from an Exchange perspective)

Today the Exchange Team blog posted an article about upgrading the Domain Functional (DFL) level of your Active Directory environment away from Windows Server 2003 and the fact that raising the level might have some impact on your Exchange servers (and other applications). It is possible that they might not be able to authenticate.

If you do run into issues after raising the DFL, the solution is either restarting the Kerberos Key Distribution Center service on all DC’s or restarting all DC’s in your forest after performing the upgrade.

Personally I haven’t encountered such issues, but I have to admit I don’t perform much Functional Level upgrades. However, it’s possible we will now encounter more of these issues as Windows Server 2003 is now near the end of it’s extended support lifecycle (July 14th 2015). After every Windows Server 2003 Domain Controller has been replaced you can upgrade your DFL and let’s not forget the Forest Functional level (FFL).

Up until today, the Windows Server 2003 functional level was something that I called the Golden Functional level. Supported by Exchange Server 2000 right up to Exchange Server 2013. It might very well be that an Exchange upgrade wasn’t a driver to raise either the DFL or FFL, but now that we are nearing the end of the 2003 lifecycle and those servers are replaced, we still might find some 2003 DFL/FFLs out there.

And while we are on the subject of Windows Server 2003, even though this is not Exchange related, the lifecycle is not the only current reason to replace your Windows Server 2003 servers. Due to security issues with how GPO’s are implemented, especially domain joined portable devices are at risk. The solution is a new feature called UNC Hardened Access, which has to be enabled on all servers and clients. But the impact of this change is so large, that it will not be implemented in Windows Server 2003. To summarize: if you still have 2003 DC’s every domain joined Windows device would still be at risk because UNC Hardened Access hasn’t been implemented on your DC’s. Read up on this subject here.

Note: It’s only required on the \\*\NETLOGON and \\*\SYSVOL UNCs to mitigate MS15-011. You’re not required to apply this to every UNC. I wouldn’t add the Exchange File Share Witness in it, for instance.

Leave a Reply

Your email address will not be published. Required fields are marked *