  • Status: Solved

Server 2012 in 2003 Domain Functional Level with 2000 clients

Hi guys,

We have a Domain with 2000, XP and 7 clients in at the minute, domain functional level is 2003. We introduced 2 2012 R2 DCs the other week and started to get KDC errors in the event log (guessing these are from 2000 clients).

Do any of you guys have experience with 2000 clients talking to a 2012 Server even though Domain Functional Level is 2003?

Do we need to enable DES on the domain accounts?

Thanks a lot :)
 
kola12 Commented:
Windows client and Windows Server operating systems that are supported to join Windows Server 2012 domains

The following Windows client and Windows Server operating systems are supported for domain member computers with domain controllers that run Windows Server 2012:

    Client operating systems: Windows 8, Windows 7, Windows Vista, Windows XP

    Computers that run Windows 8 are also able to join domains that have domain controllers that run earlier versions of Windows Server, including Windows Server 2003 or later. In this case, however, some Windows 8 features may require additional configuration or may not be available. For more information about those features and other recommendations for managing Windows 8 clients in downlevel domains, see Running Windows 8 member computers in Windows Server 2003 domains.

    Server operating systems: Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 R2, Windows Server 2003
 
Terellion (Author) Commented:
Hi there, yep, the domain functional level is 2003 but we have 2012 R2 Domain controllers joined. But just need to know, are there any issues with 2000 clients talking to it? Thanks
 
kola12 Commented:
Yes, in my scenario I can add a workstation with W2k OS to the domain, but when I try to log on to the domain (DC with W2k12 R2 OS) I get the error "The trust relationship between this workstation and the primary domain failed".
Read this: https://technet.microsoft.com/en-us/library/hh994618.aspx - part: Windows client and Windows Server operating systems that are supported to join Windows Server domains

 
Terellion (Author) Commented:
Hi there, I've seen a page that mentions the trust relationship. That's only if your functional level is 2012. Ours is 2003.
 
VB ITS Commented:
Active Directory Functional Levels have no effect on domain-joined workstations or member servers; they only dictate which version of Windows Server you can run as DCs. Source can be found here (first paragraph): https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx

What are the KDC errors saying specifically? Can you please post one of these error messages so we can investigate (remember to blank out any sensitive information)?
 
Terellion (Author) Commented:
Hi there, sample error taken from the domain controller.

While processing a TGS request for the target server krbtgt/DOMAIN.LOCAL, the account COMPA@DOMAIN.LOCAL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1.
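
Decoding the etype numbers in the error quoted above, as an added example that is not part of the original thread. The names come from the Kerberos etype registry and the Windows SDK's KERB_ETYPE_* constants; the regular expression assumes the message wording shown in that post, and `parse_kdc_etype_error` is a hypothetical helper name.

```python
import re

# Kerberos encryption type numbers. Negative values are Microsoft-specific
# (KERB_ETYPE_* constants in the Windows SDK header NTSecAPI.h).
ETYPES = {
    1: "DES-CBC-CRC",
    3: "DES-CBC-MD5",
    17: "AES128-CTS-HMAC-SHA1-96",
    18: "AES256-CTS-HMAC-SHA1-96",
    23: "RC4-HMAC",
    -128: "RC4-MD4",
    -133: "RC4-HMAC-OLD",
}
DES, AES = {1, 3}, {17, 18}

# Constructed sample: the message as quoted in the thread (names already blanked).
SAMPLE = ("While processing a TGS request for the target server "
          "krbtgt/DOMAIN.LOCAL, the account COMPA@DOMAIN.LOCAL did not have a "
          "suitable key for generating a Kerberos ticket (the missing key has "
          "an ID of 8). The requested etypes were 18.  The accounts available "
          "etypes were 23  -133  -128  3  1.")

MSG_RE = re.compile(
    r"target server (?P<target>\S+), the account (?P<account>\S+) did not have"
    r".*?requested etypes were (?P<req>[-\d\s]+)\."
    r".*?available etypes were (?P<avail>[-\d\s]+)\.", re.S)

def parse_kdc_etype_error(message):
    """Return the decoded fields of a KDC 'no suitable key' message, or None."""
    m = MSG_RE.search(message)
    if m is None:
        return None
    req = [int(n) for n in m.group("req").split()]
    avail = [int(n) for n in m.group("avail").split()]
    name = lambda n: ETYPES.get(n, f"unknown({n})")
    return {
        "target": m.group("target"),
        "account": m.group("account"),
        "requested": [name(n) for n in req],
        "available": [name(n) for n in avail],
        "common": sorted(set(req) & set(avail)),  # etypes both sides share
        "account_has_aes_key": bool(AES & set(avail)),
        "account_has_des_key": bool(DES & set(avail)),
    }

if __name__ == "__main__":
    for field, value in parse_kdc_etype_error(SAMPLE).items():
        print(f"{field}: {value}")
```

For the sample, the one requested type (AES256) is not among the keys the account holds, which are RC4 and DES variants only, so the set of common etypes is empty.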
 
Terellion (Author) Commented:
From what I had seen we need to enable DES on the domain accounts, just wanted to check if anyone had any experience with this?
 
VB ITS Commented:
Yep, looks like you'll need to enable DES on the affected workstations and your 2012 DCs as well.
 
Terellion (Author) Commented:
Can you do that at a global level, do you know? Thanks
 
VB ITS Commented:
Yep, you can do it through Group Policy. This Microsoft Support KB should point you in the right direction: http://support.microsoft.com/kb/977321

The relevant Group Policy setting can be found towards the bottom of the Workaround section.
 
Terellion (Author) Commented:
That's superb, thank you so much for your help! :)
 
VB ITS Commented:
No worries, always happy to help!