Windows Server 2003 R2 to Server 2012 R2 Domain Controller Upgrade

Posted on 2016-10-22
Last Modified: 2016-11-13

I have a question regarding domain functionality. I have completed upgrading my domain from Server 2003 to 2012 R2. At the moment, the domain functional level is still 2003. MSPDC1 is Server 2003 and MSPDC2 is Server 2012 R2. In the coming months, I will be running dcpromo on the 2003 domain controller. I will then reformat and install a fresh copy of Server 2012 R2 on MSPDC1, and this will be the additional domain controller running Server 2012 R2. At the moment, does it cause any issue having a 2003 domain controller and a 2012 domain controller existing together? Everything is working and in sync.
Question by:stressedout2004

Accepted Solution

Lee W, MVP earned 250 total points
ID: 41855739
At the moment, I know of no known issues.  HOWEVER, Server 2003 is NO LONGER SUPPORTED.  That means, among other things, when Microsoft does an update to Windows Server 2012, they are likely NOT testing it with 2003, so any new updates to Windows 2012 COULD break connectivity to the 2003 server.  So it works today... it might not work tomorrow and you can't be certain it wasn't an update that broke it.  Really, you need to remove the 2003 server ASAP.

Expert Comment

by:No More
ID: 41855767
While it is on forest/domain level 2003 you will get no problems, as this is the minimal configuration for server 2003r2 and 2012r2 to coexist.

You should plan to transfer all FSMO roles to the new DC, and make sure you transfer all of them, before you do DCPROMO.

After that you will raise the forest and domain level.

Expert Comment

ID: 41856222

Expert Comment

by:No More
ID: 41856236
But he has 2003 R2, not 2003, so your link is obsolete.

Assisted Solution

kf4ape earned 250 total points
ID: 41856506
1) make sure both boxes are patched to current before adding the 2012 R2 node
2) check to see if node 1 has cert services or any other items/services hosted
3) add the second server to your environment
4) make sure no clients are pointing there for DNS (this could take some WMI scripts, PowerShell, Wireshark, or all 3)
5) move your FSMO roles to the other box one at a time
6) wait a bit... don't rush a decom; someone may be tapping into it for LDAP with copiers, apps, or who knows what
7) possible scream test... we did quite a few of these; for the ones where we couldn't easily identify who was talking to it, we powered down for 2-3 weeks... if they are VMs, it's easy to fix, just power back on
8) dcpromo and AD dcpromo; make sure records in DNS and NTDSUTIL are all correct

Expert Comment

ID: 41856520
I always use the existing IP addresses of DNS servers. At my current employer I have replaced the DCs at least 3 times, and even moved which location they're in, without ever needing to touch a client, other server, printer, copier, or other random device. :)

Expert Comment

ID: 41856522
Usually I replace also (about 75%), but in some cases the IP/subnet was being retired...

Expert Comment

ID: 41857144
@David Fiala - The link applies to Windows Server 2012 R2 and not any specific version of Windows Server 2003.  As explained in the TID, the issue is caused because of a mismatch in encryption types (AES on Server 2012 R2) and (DES on Server 2003).
When a Windows 2012 R2 domain controller is added in an environment where Windows Server 2003 domain controllers are present, there is a mismatch in the encryption types that are supported on the KDCs and used for salting. Windows Server 2003 domain controllers do not support AES and Windows Server 2012 R2 domain controllers do not support Data Encryption Standard (DES) for salting. - Source

@stressedout2004 - Along with what else has been stated here, you need to be aware of the possibility of a corrupted FRS database (a common occurrence for Windows Server 2003 and Windows Server 2008). Look for Event ID 13568 on your 2003 Server, which indicates that your FRS Database is in a JRNL_WRAP_ERROR state.

For more information - https:/Q_28946540.html#a41601909
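The pre-decommission checks raised in this thread (FSMO roles still on the old DC from kf4ape's step 5, and the FRS Event ID 13568 journal-wrap check above) can be run from the 2012 R2 DC as one script. This is an added example, not code posted by anyone in the thread; it assumes the ActiveDirectory PowerShell module is present on MSPDC2, uses the server names MSPDC1/MSPDC2 from the question, and assumes the firewall still permits legacy remote event-log (RPC) access to the 2003 host.

```powershell
# Added example (not from the thread): pre-decommission checks, run on MSPDC2 (2012 R2).
Import-Module ActiveDirectory

$OldDc = 'MSPDC1'   # the 2003 R2 DC that will be demoted (name from the question)

# 1) Report which DC holds each FSMO role; any role still on $OldDc must move before dcpromo.
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = [ordered]@{
    'SchemaMaster'         = $forest.SchemaMaster
    'DomainNamingMaster'   = $forest.DomainNamingMaster
    'PDCEmulator'          = $domain.PDCEmulator
    'RIDMaster'            = $domain.RIDMaster
    'InfrastructureMaster' = $domain.InfrastructureMaster
}
$stillOnOld = @()
foreach ($r in $roles.GetEnumerator()) {
    $holder = ($r.Value -split '\.')[0]          # FQDN -> short host name
    '{0,-22} {1}' -f $r.Key, $r.Value
    if ($holder -ieq $OldDc) { $stillOnOld += $r.Key }
}
if ($stillOnOld) {
    Write-Warning ("Roles still on {0}: {1}. Transfer them first, e.g.:" -f $OldDc, ($stillOnOld -join ', '))
    Write-Warning ("  Move-ADDirectoryServerOperationMasterRole -Identity MSPDC2 -OperationMasterRole {0}" -f ($stillOnOld -join ','))
} else {
    "No FSMO roles remain on $OldDc."
}

# 2) FRS journal-wrap check: Event ID 13568 in the 'File Replication Service' log on the 2003 DC.
#    Get-EventLog is used (not Get-WinEvent) because it goes over the legacy RPC path a 2003 host answers.
$frs = Get-EventLog -ComputerName $OldDc -LogName 'File Replication Service' -ErrorAction SilentlyContinue |
       Where-Object { $_.EventID -eq 13568 } | Select-Object -First 1
if ($frs) {
    Write-Warning "FRS JRNL_WRAP_ERROR (13568) seen on $OldDc at $($frs.TimeGenerated); repair FRS before demoting."
} else {
    "No Event ID 13568 found on $OldDc."
}

# 3) Inventory of DCs the domain still knows about; $OldDc should disappear from this list after demotion.
Get-ADDomainController -Filter * |
    Select-Object Name, IPv4Address, OperatingSystem, IsGlobalCatalog |
    Format-Table -AutoSize
```

Re-run the same script after dcpromo on MSPDC1 to confirm the roles and the DC list no longer reference it.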


Author Closing Comment

ID: 41885790
Thank you.
