
Server 2012 in 2003 Domain Functional Level with 2000 clients

Posted on 2015-02-02
Last Modified: 2015-02-02
Hi guys,

We have a domain with 2000, XP and 7 clients in it at the minute; the domain functional level is 2003. We introduced two 2012 R2 DCs the other week and started to get KDC errors in the event log (guessing these are from the 2000 clients).

Do any of you guys have experience with 2000 clients talking to a 2012 Server even though Domain Functional Level is 2003?

Do we need to enable DES on the domain accounts?

Thanks a lot :)
0
Question by:Terellion
12 Comments
 
LVL 3

Expert Comment

by:kola12
ID: 40583635
Windows client and Windows Server operating systems that are supported to join Windows Server 2012 domains

The following Windows client and Windows Server operating systems are supported for domain member computers with domain controllers that run Windows Server 2012:

    Client operating systems: Windows 8, Windows 7, Windows Vista, Windows XP

    Computers that run Windows 8 are also able to join domains that have domain controllers that run earlier versions of Windows Server, including Windows Server 2003 or later. In this case, however, some Windows 8 features may require additional configuration or may not be available. For more information about those features and other recommendations for managing Windows 8 clients in downlevel domains, see Running Windows 8 member computers in Windows Server 2003 domains.

    Server operating systems: Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 R2, Windows Server 2003
0
 

Author Comment

by:Terellion
ID: 40583642
Hi there, yep, the domain functional level is 2003 but we have 2012 R2 domain controllers joined. I just need to know: are there any issues with 2000 clients talking to it? Thanks
0
 
LVL 3

Expert Comment

by:kola12
ID: 40583652
Yes, in my scenario I can add a workstation with W2k OS to the domain, but when I try to log on to the domain (DC with W2k12 R2 OS) I get the error "The trust relationship between this workstation and the primary domain failed".
Read this: https://technet.microsoft.com/en-us/library/hh994618.aspx - part: Windows client and Windows Server operating systems that are supported to join Windows Server domains
0

 

Author Comment

by:Terellion
ID: 40583686
Hi there, I've seen a page that mentions the trust relationship. That's only if your functional level is 2012. Ours is 2003.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40583706
Active Directory Functional Levels have no effect on domain-joined workstations or member servers; they only dictate which version of Windows Server you can run as DCs. Source can be found here (first paragraph): https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx

What are the KDC errors saying specifically? Can you please post one of these error messages so we can investigate (remember to blank out any sensitive information)?
0
 

Author Comment

by:Terellion
ID: 40583721
Hi there, sample error taken from the domain controller.

While processing a TGS request for the target server krbtgt/DOMAIN.LOCAL, the account COMPA@DOMAIN.LOCAL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1.
0
 

Author Comment

by:Terellion
ID: 40583723
From what I had seen we need to enable DES on the domain accounts, just wanted to check if anyone had any experience with this?
0
 
LVL 24

Assisted Solution

by:VB ITS
ID: 40583862
Yep looks like you'll need to enable DES on the affected workstations and your 2012 DCs as well.
0
 

Author Comment

by:Terellion
ID: 40583967
Can you do that at a global level do you know? Thanks
0
 
LVL 24

Accepted Solution

by:VB ITS
ID: 40583974
Yep you can do it through Group Policy. This Microsoft Support KB should point you in the right direction: http://support.microsoft.com/kb/977321 

The relevant Group Policy setting can be found towards the bottom of the Workaround section.
0
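The KDC event posted earlier in the thread, decoded as an added example that is not part of the original answers: it names the requested and available etypes and shows whether they overlap. The function names are illustrative, and the etype names and msDS-SupportedEncryptionTypes bit values come from the Kerberos and Microsoft definitions, not from this page.

```python
import re

# Added example; names are illustrative. Etype numbers are the IANA values
# plus the negative Microsoft-private values that Windows KDC events print.
ETYPE_NAMES = {
    1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 23: "RC4-HMAC",
    17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96",
    -128: "RC4-MD4", -133: "RC4-HMAC-OLD",
}
# Bit flags of msDS-SupportedEncryptionTypes (the Kerberos encryption-types
# Group Policy setting uses the same bits).
ETYPE_BITS = {1: 0x01, 3: 0x02, 23: 0x04, 17: 0x08, 18: 0x10}

# Event text as posted in the thread (names already blanked by the poster).
SAMPLE_EVENT = (
    "While processing a TGS request for the target server krbtgt/DOMAIN.LOCAL, "
    "the account COMPA@DOMAIN.LOCAL did not have a suitable key for generating "
    "a Kerberos ticket (the missing key has an ID of 8). The requested etypes "
    "were 18.  The accounts available etypes were 23  -133  -128  3  1."
)

EVENT_RE = re.compile(
    r"target server (?P<target>[^\s,]+),\s+the account (?P<account>\S+) did not"
    r".*?requested etypes were (?P<req>[-\d\s]+)\."
    r"\s+The accounts? available etypes were (?P<avail>[-\d\s]+)",
    re.S,
)

def name(etype):
    return ETYPE_NAMES.get(etype, "unknown(%d)" % etype)

def analyse_kdc_event(message):
    """Decode the etype lists in a KDC 'no suitable key' event message."""
    m = EVENT_RE.search(message)
    if m is None:
        raise ValueError("not a recognised KDC etype-mismatch message")
    req = [int(n) for n in m.group("req").split()]
    avail = [int(n) for n in m.group("avail").split()]
    return {
        "account": m.group("account"),
        "target": m.group("target"),
        "requested": [name(e) for e in req],
        "available": [name(e) for e in avail],
        "common": [name(e) for e in req if e in avail],
        # Bits describing the key types this account actually holds.
        "available_mask": sum(ETYPE_BITS.get(e, 0) for e in set(avail)),
    }

if __name__ == "__main__":
    for key, value in analyse_kdc_event(SAMPLE_EVENT).items():
        print(key, "=", value)
```

For the posted event, the request is for AES256 only, the account holds RC4 and DES keys, and the two lists have no etype in common.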
 

Author Comment

by:Terellion
ID: 40583976
That's superb, thank you so much for your help! :)
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40583979
No worries, always happy to help!
0
