• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 167
  • Last Modified:

(capt) Windows 2003 Server AD upgrade to Windows 2012


We have an old AD environment consisting of various servers for multiple purposes:
2x Domaincontroller (AD01 and AD02)
2x FileServer
1 MS VPN Server (VP01)
1 Mailserver running Lotus Notes

I would like to minimise the amount of servers, and have already consolidated the Fileservers. Now that the 2003 Server is EOL I want to upgrade the Domaincontrollers and decommission the VPN server.

The VPN server VP01 acts as a gateway for the Users and provides the logging of Routing & Remote Access functionality. The certificates for the VPN clients are handled by the Backup DC (AD02)

And now for the very broad and general Q.....How do I upgrade the two DCs to Windows 12R2 and configure VPN? Will my other 2003 servers that I am not upgrading talk to the new servers no problem?

I appreciate that this is a very non detailed question, but as I don't even know where to start, I thought this could be an iterative process...

3 Solutions
Muhammad MullaCommented:
A good place to start is making an audit of all the applications in your environment and checking that they will be compatible. Update any apps that might need an update.

This series of blog posts is quite good: http://blogs.technet.com/b/askpfeplat/archive/2013/06/03/upgrade-active-directory-to-windows-server-2012-phase-1-assessment.aspx
Will SzymkowskiSenior Solution ArchitectCommented:
How do I upgrade the two DCs to Windows 12R2 and configure VPN? Will my other 2003 servers that I am not upgrading talk to the new servers no problem?
You will not be able to do an in-place upgrade for your domain controllers. You will have to spin up new 2012 servers, and promote them as Domain Controllers in your environment.

From there 2003 and 2012 DC's will talk to each other (replicate etc) you will then need to transfer the FSMO roles to one of the 2012 servers. The next step would be configure your PDC on the 2012 server as the authoritative time source, and point your DHCP clients to the new 2012 DC's for DNS.

From there you would then ensure replication is working properly, then demote the 2003 domain controllers.

Commands to verify replicaiton
repadmin /replsum
repadmin /showrepl
repadmin /birdgeheads
dcdiag /v

Setup Authoritative Time Server for PDC

Time Server Hierarchy explained.

In addition to the comments by Will, you also want to ensure that your Domain and Forest Functional levels are set to Windows Server 2003.

Understanding Active Directory Domain Services (AD DS) Functional Levels

You also may have to modify the component services on the 2003 DC that you are performing the ADPREP on.


Finally, Kerberos authentication can fail intermittently (Microsoft has a hotfix for this issue) -


captainAuthor Commented:
Thanks so far, very useful.
captainAuthor Commented:
Thanks. This has been postponed for a couple of months.

Very helpful suggestions
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now