• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5434
  • Last Modified:

Server 2012 R2 DC Upgrade

I currently have 2 domain controllers running Server 2008 SP2 STD.

I would like to install a 3rd DC running Server 2012R2.

I have successfully prepared for this by doing the following on an existing DC...:

adprep /forestprep

adprep /domainprep

adprep /domainprep /gpprep

Once I run DCPROMO on the new Server 2012R2 installation I get a warning message abbout the crypto security...

Is the upgrade safe?

Anything I should be concerned about?

My goal is to demote one of the 2008 DCs and upgrade the other once this new one is in place and functioning properly.

Both my Domain and forest function level are Server 2003.

Please assist!!
0
BSModlin
Asked:
BSModlin
  • 2
1 Solution
 
David Johnson, CD, MVPOwnerCommented:
what was the warning?
0
 
MaheshArchitectCommented:
With windows 2012 R2 active directory, windows server 2003 DFL and FFL are deprecated and you will be notified about that

In future you need to consider upgrading functional levels to atlest 2008

Are you talking about that

Mahesh
0
 
BSModlinAuthor Commented:
Here is the message I get from the prerequisite check:

Windows Server 2012 R2 domain controllers have a default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security channel sessions.

For more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751).

Should I be concerned...
0
 
MaheshArchitectCommented:
Beginning with Windows Server 2008, the operating system stopped using “legacy” cryptography algorithms for secure channel communications. By default, Windows NT 4.0 (and other applications/OS’s that use this algorithm) will not be able to establish a secure channel (or otherwise authenticate) with a Windows Server 2008, or higher, domain controller. There is a configuration setting/GPO that can reverse this behaviour – “Allow cryptography algorithms compatible with Windows NT 4.0”. Be warned; however, that even this configuration option will not allow Windows Server 2008 R2 and NT 4.0 to work across a trust relationship.

I don't think you are having windows NT4 client \ server machines
You don't need to worry about above setting
http://blogs.technet.com/b/askpfeplat/archive/2013/06/03/upgrade-active-directory-to-windows-server-2012-phase-1-assessment.aspx

Mahesh
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now