Tech or Treat! Write an article about your scariest tech disaster to win gadgets!Learn more


Windows Server 2003 R2 to Server  2012 R2 Domain Controller Upgrade

Posted on 2016-10-22
Medium Priority
Last Modified: 2016-11-13

I have a question regarding domain functionality.  I have completed upgrading my domain from Server 2003 to  2012 R2.  At the moment, the domain functional level is still 2003.  MSPDC1 is server 2003 and MSPDC2 is server 2012 R2.     In the coming months, I will be running DC promo on the 2003 domain controller.   I will then reformat and install a fresh copy of server 2012R2 on MSPDC1 and this will be the additional domain controller running server 2012R2.    At the moment, does it cause any issue having a 2003 domain controller and 2012 domain controller existing together?   Everything is working and in Sync.
Question by:stressedout2004
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +3
LVL 96

Accepted Solution

Lee W, MVP earned 1000 total points
ID: 41855739
At the moment, I know of no known issues.  HOWEVER, Server 2003 is NO LONGER SUPPORTED.  That means, among other things, when Microsoft does an update to Windows Server 2012, they are likely NOT testing it with 2003, so any new updates to Windows 2012 COULD break connectivity to the 2003 server.  So it works today... it might not work tomorrow and you can't be certain it wasn't an update that broke it.  Really, you need to remove the 2003 server ASAP.

Expert Comment

by:No More
ID: 41855767
While it is on forest/domain level 2003 you will get no problems, as this is the minimal configuration for server 2003r2 and 2012r2 to coexist.

You should plan to transfer all FSMO roles to new DC and make sure you transfer all of them, before you do DCPROMO

After you will level up forest and domain level,
LVL 42

Expert Comment

ID: 41856222
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.


Expert Comment

by:No More
ID: 41856236
But he has 2003 R2 not 2003 so your link is obsolete

Assisted Solution

kf4ape earned 1000 total points
ID: 41856506
1) make sure both boxes are patched to current before adding the 2012r2 node
2) check to see if node 1 has cert services or any other items/services hosted
3) add the second server to your environment
4) make sure no clients are pointing there for DNS (this could take some WMI scripts, powershell, wireshark or all 3)
5) move your FSMO rolls to the other box one at a time
6) wait a bit...dont rush a decom, some one maybe tapping into it for LDAP with copiers, apps or who knows what
7) possible scream test...we did quite a few of these, ones we didnt couldnt easily identify who was talking to it, we powered down for 2-3 weeks...if they are VMs, its easy to fix, just power back on
8) dcpromo and AD dcpromo, make sure records in DNS, NTDSUTIL are all correct
LVL 42

Expert Comment

ID: 41856520
I always use the existing IP addresses of DNS servers. At my current employer I have replaced the DCs at least 3 times, and even moved which location they're in, without ever needing to touch a client, other server, printer, copier, or other random device. :)

Expert Comment

ID: 41856522
Usually I replace also (about 75%), but in some case the ip/subnet was being retired...
LVL 34

Expert Comment

ID: 41857144
@David Fiala - The link applies to Windows Server 2012 R2 and not any specific version of Windows Server 2003.  As explained in the TID, the issue is caused because of a mismatch in encryption types (AES on Server 2012 R2) and (DES on Server 2003).
When a Windows 2012 R2 domain controller is added in an environment where Windows Server 2003 domain controllers are present, there is a mismatch in the encryption types that are supported on the KDCs and used for salting. Windows Server 2003 domain controllers do not support AES and Windows Server 2012 R2 domain controllers do not support Data Encryption Standard (DES) for salting. - Source

@stressedout2004 - Along with what else has been stated here, you need to be aware of the possibility of a corrupted FRS database (a common occurance for Windows Server 2003 and Windows Server 2008).  Look for Event ID 13568 on your 2003 Server which indicates that your FRS Database is in a JRNL_WRAP_ERROR state.

For more information - https:/Q_28946540.html#a41601909


Author Closing Comment

ID: 41885790
Thank you.

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
Let's recap what we learned from yesterday's Skyport Systems webinar.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

647 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question