Disable or Block to raise domain or forest functional level

  • 129 Views
  • Last Post 4 weeks ago
manasrrp6 posted this 4 weeks ago

 In an organization windows server has migrated from 2003 to 2012 but due to some constraint we have not raised any functional level to 2012 and waiting for some activity to complete. Till that time period we have to protect the Active Directory to raise any functional level will do by accidental action would take by System Administrator. Is there any trick or tips in registry so that the higher functional level will not appear in the drop down list on Active Directory Domains and Trusts and Active Directory Users and Computers.Regardscid:image002.gif@01D14ECD.C6D1DE80 

Order By: Standard | Newest | Votes
chriss3 posted this 4 weeks ago

If you don’t trust your administrators, don’t make them administrators 

show

manasrrp6 posted this 4 weeks ago

Hi Christoffer
I appriciate for your suggestion, but we cann,t do that.

show

kbatlive posted this 4 weeks ago

It isn't something that can be done accidently.


show

michael1 posted this 4 weeks ago

"There are seldom good technological solutions to behavioral problems." – Ed Crowley

 

Tell them “no”.

 

Anything one administrator can do, another administrator can un-do.

 

Christoffer gave you the only real answer.

 

show

manasrrp6 posted this 4 weeks ago

All your suggestion are acceptable. But kindly don't focus on Administrator's behaviour. I just want to know whether any twick there to stop raising FFL/DFL. Thats simple.


show

blizzard_mikec posted this 4 weeks ago

There are none, which is what they’re trying to tell you. Besides, raising the DFL/FFL should have no actual impact on downstream applications. So there’s little value in not doing it, and little value in preventing it unless you

plan on installing downlevel DCs.






Get Outlook for iOS








show

blizzard_mikec posted this 4 weeks ago

Here’s a blog post that goes into more detail:




https://blogs.technet.microsoft.com/askds/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level/




So ask yourself what your reasoning is to even prevent it from being done. It has no impact on downstream applications.






If you have an Admin who claims you absolutely should raise the DFL/FFL if you are capable of doing so (no downstream DCs), then this admin is 100% correct and probably should be elevated higher than any admin telling you that you

shouldn’t do it.






Get Outlook for iOS








show

Close