Upgrading Domain Controller

Hi Guys,

We recently upgraded our Windows primary domain controller to Windows Server 2012 R2 standard.
The roles were transferred, RID, PDC and Infrastructure.
All points to the new server.

All our domain controllers are GC servers.

The domain function level still shows as Windows Server 2003 (old DC), as does the forest function level.

The problem is that the old domain controller still overwrites domain functions.
For example: It replicates its time for the domain and overwrites security policies set on the new domain controller.

Users authenticate to the new domain controller whilst the old PDC is switched off, although when the old PDC is on, users still authenticate against the old PDC.

We would like to keep the old domain controller as backup, but the new domain controller should be authoritative.
Rupert Eghardt, Programmer, Asked:

Seth Simmons, Sr. Systems Administrator, Commented:
Users will authenticate with the first domain controller available in the AD site. Just because the old server responds first doesn't necessarily indicate an issue. With that box off, users authenticating against a different domain controller without issue is perfectly acceptable.

As a sanity check, you could do netdiag on those boxes to check for any failures though what you are describing doesn't indicate a problem.  This is part of the multi-master model.  There is no primary and secondary (or backup) as in the NT days.
Rupert Eghardt, Programmer, Author Commented:
Thanks Seth,

Why would security policies (made on the new server whilst the old server is off), revert back once the old server is brought online again?
Seth Simmons, Sr. Systems Administrator, Commented:
What is changing?
Rupert Eghardt, Programmer, Author Commented:
For example:

Switching on the Account Lockout Policy, updating the Minimum and Maximum Password Age, and also the updated server time, will revert back upon switching on the old PDC.
Joshua Grantom, Senior Systems Administrator, Commented:
It sounds like the new server did not take over all of the FSMO Roles. Have you verified that all roles are held by the new server?
Rupert Eghardt, Programmer, Author Commented:
I verified and all roles are pointing to the new PDC in Windows.
I restarted both servers and for some reason the security / password policies are grayed out for changes on the new server.

Is there a command that I can run to verify that all roles are held by the new DC?
Seth Simmons, Sr. Systems Administrator, Commented:
"Is there a command that I can run to verify that all roles are held by the new DC?"

from an elevated command prompt - netdom query fsmo
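
An added example, not part of the original thread: a PowerShell check that asks every domain controller which server it believes holds each of the five FSMO roles and compares the answer with the DC expected to hold them. It assumes the ActiveDirectory module (RSAT) is installed; the name in $ExpectedHolder is a placeholder, not a value from this thread.

```powershell
# Added example: per-DC view of the FSMO role holders.
# Assumes the ActiveDirectory module; $ExpectedHolder is a hypothetical FQDN.
Import-Module ActiveDirectory

$ExpectedHolder = 'NEWDC01.example.local'   # placeholder: replace with the new DC

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Ask this specific DC, so a stale or unreplicated view shows up.
        $domain = Get-ADDomain -Server $dc.HostName -ErrorAction Stop
        $forest = Get-ADForest -Server $dc.HostName -ErrorAction Stop
    } catch {
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        continue
    }

    # Three domain-wide roles, then the two forest-wide roles.
    $roles = [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }

    foreach ($role in $roles.GetEnumerator()) {
        [pscustomobject]@{
            AskedDC = $dc.HostName
            Role    = $role.Key
            Holder  = $role.Value
            Match   = ($role.Value -eq $ExpectedHolder)
        }
    }
}

$report | Format-Table -AutoSize

# Any row listed here is a role that some DC does not attribute to the expected holder.
$mismatched = @($report | Where-Object { -not $_.Match })
if ($mismatched.Count -gt 0) {
    Write-Warning "$($mismatched.Count) role view(s) do not point to $ExpectedHolder"
    $mismatched | Format-Table AskedDC, Role, Holder -AutoSize
}
```

Rows where the DCs disagree about a holder point to a replication problem rather than a failed transfer.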
