Solved

Server 2012 in 2003 Domain Functional Level with 2000 clients

Posted on 2015-02-02
Last Modified: 2015-02-02
Hi guys,

We have a Domain with 2000, XP and 7 clients in at the minute, domain functional level is 2003. We introduced 2 2012 R2 DCs the other week and started to get KDC Errors in the event log (guessing these are from 2000 clients).

Do any of you guys have experience with 2000 clients talking to a 2012 Server even though Domain Functional Level is 2003?

Do we need to enable DES on the domain accounts?

Thanks a lot :)
Question by:Terellion
12 Comments
 
LVL 3

Expert Comment

by:kola12
ID: 40583635
Windows client and Windows Server operating systems that are supported to join Windows Server 2012 domains

The following Windows client and Windows Server operating systems are supported for domain member computers with domain controllers that run Windows Server 2012:

    Client operating systems: Windows 8, Windows 7, Windows Vista, Windows XP

    Computers that run Windows 8 are also able to join domains that have domain controllers that run earlier versions of Windows Server, including Windows Server 2003 or later. In this case however, some Windows 8 features may require additional configuration or may not be available. For more information about those features and other recommendations for managing Windows 8 clients in downlevel domains, see Running Windows 8 member computers in Windows Server 2003 domains.

    Server operating systems: Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 R2, Windows Server 2003
 

Author Comment

by:Terellion
ID: 40583642
Hi there, yep the domain functional level is 2003 but we have 2012 R2 Domain controllers joined. But just need to know, are there any issues with 2000 clients talking to it? Thanks
 
LVL 3

Expert Comment

by:kola12
ID: 40583652
Yes, in my scenario I can add a workstation with W2k OS to the domain, but when I try to log on to the domain (DC with W2k12 R2 OS) I get the error "The trust relationship between this workstation and the primary domain failed".
Read this: https://technet.microsoft.com/en-us/library/hh994618.aspx    - part: Windows client and Windows Server operating systems that are supported to join Windows Server domains
 

Author Comment

by:Terellion
ID: 40583686
Hi there, I've seen a page that mentions the trust relationship. That's only if your functional level is 2012. Ours is 2003.
 
LVL 24

Expert Comment

by:VB ITS
ID: 40583706
Active Directory Functional Levels have no effect on domain-joined workstations or member servers, they only dictate which version of Windows Server you can run as DCs. Source can be found here (first paragraph): https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx

What are the KDC errors saying specifically? Can you please post one of these error messages so we can investigate (remember to blank out any sensitive information)?
 

Author Comment

by:Terellion
ID: 40583721
Hi there, sample error taken from the domain controller.

While processing a TGS request for the target server krbtgt/DOMAIN.LOCAL, the account COMPA@DOMAIN.LOCAL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1.
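The KDC message posted above, decoded, as an added example that is not part of the original thread: it maps the etype numbers to their names and lists which requested types each account holds no key for. The function names and the second and third sample messages are constructed for the illustration.

```python
import re

# Kerberos etype numbers: IANA-assigned values plus Microsoft's negative RC4 variants.
ETYPE_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-CTS-HMAC-SHA1-96",
               18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC", 24: "RC4-HMAC-EXP",
               -128: "RC4-MD4", -133: "RC4-HMAC-OLD", -135: "RC4-HMAC-OLD-EXP"}
DES_ETYPES = {1, 3}

# Matches the message layout quoted in the thread; any other text returns None.
KDC_KEY_ERROR = re.compile(
    r"While processing an? (?P<kind>AS|TGS) request for the target server "
    r"(?P<target>[^\s,]+), the account (?P<account>\S+) did not have a suitable key"
    r".*?missing key has an ID of (?P<key_id>\d+)\)\.\s*"
    r"The requested etypes were (?P<requested>[-\d\s]+?)\.\s*"
    r"The accounts available etypes were (?P<available>[-\d\s]+?)\.", re.S)

def etype_name(etype):
    return ETYPE_NAMES.get(etype, f"unknown({etype})")

def parse_kdc_key_error(message):
    """Decode one KDC 'did not have a suitable key' message, or return None."""
    m = KDC_KEY_ERROR.search(message)
    if m is None:
        return None
    requested = [int(n) for n in m["requested"].split()]
    available = [int(n) for n in m["available"].split()]
    return {
        "kind": m["kind"], "target": m["target"], "account": m["account"],
        "key_id": int(m["key_id"]),
        # Requested types the account holds no key for: what the KDC is reporting.
        "unsatisfied": [etype_name(e) for e in requested if e not in available],
        "available": [etype_name(e) for e in available],
        # Single-DES keys stored on the account (DES is a weak cipher).
        "des_keys": [etype_name(e) for e in available if e in DES_ETYPES],
    }

def accounts_lacking_keys(messages):
    """Map each account to the sorted etype names it was asked for but lacks."""
    report = {}
    for event in filter(None, map(parse_kdc_key_error, messages)):
        report.setdefault(event["account"], set()).update(event["unsatisfied"])
    return {account: sorted(names) for account, names in report.items()}

# First message is the one posted in the thread; the other two are constructed.
SAMPLE_EVENTS = [
    "While processing a TGS request for the target server krbtgt/DOMAIN.LOCAL, the account COMPA@DOMAIN.LOCAL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1.",
    "While processing an AS request for the target server krbtgt/DOMAIN.LOCAL, the account COMPB@DOMAIN.LOCAL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18  17.  The accounts available etypes were 23  -133  -128.",
    "Constructed unrelated event text that the parser should skip.",
]
```

For the posted message this reports that COMPA@DOMAIN.LOCAL was asked for AES256-CTS-HMAC-SHA1-96 and holds only RC4 and DES keys.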
 

Author Comment

by:Terellion
ID: 40583723
From what I had seen we need to enable DES on the domain accounts, just wanted to check if anyone had any experience with this?
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 500 total points
ID: 40583862
Yep looks like you'll need to enable DES on the affected workstations and your 2012 DCs as well.
 

Author Comment

by:Terellion
ID: 40583967
Can you do that at a global level, do you know? Thanks
 
LVL 24

Accepted Solution

by:VB ITS
VB ITS earned 500 total points
ID: 40583974
Yep you can do it through Group Policy. This Microsoft Support KB should point you in the right direction: http://support.microsoft.com/kb/977321

The relevant Group Policy setting can be found towards the bottom of the Workaround section.
 

Author Comment

by:Terellion
ID: 40583976
That's superb, thank you so much for your help! :)
 
LVL 24

Expert Comment

by:VB ITS
ID: 40583979
No worries, always happy to help!