Solved

Windows Server 2003 R2 to Server  2012 R2 Domain Controller Upgrade

Posted on 2016-10-22
9
84 Views
Last Modified: 2016-11-13
Hello,

I have a question regarding domain functionality.  I have completed upgrading my domain from Server 2003 to  2012 R2.  At the moment, the domain functional level is still 2003.  MSPDC1 is server 2003 and MSPDC2 is server 2012 R2.     In the coming months, I will be running DC promo on the 2003 domain controller.   I will then reformat and install a fresh copy of server 2012R2 on MSPDC1 and this will be the additional domain controller running server 2012R2.    At the moment, does it cause any issue having a 2003 domain controller and 2012 domain controller existing together?   Everything is working and in Sync.
0
Comment
Question by:stressedout2004
  • 2
  • 2
  • 2
  • +3
9 Comments
 
LVL 95

Accepted Solution

by:
Lee W, MVP earned 250 total points
ID: 41855739
At the moment, I know of no known issues.  HOWEVER, Server 2003 is NO LONGER SUPPORTED.  That means, among other things, when Microsoft does an update to Windows Server 2012, they are likely NOT testing it with 2003, so any new updates to Windows 2012 COULD break connectivity to the 2003 server.  So it works today... it might not work tomorrow and you can't be certain it wasn't an update that broke it.  Really, you need to remove the 2003 server ASAP.
0
 
LVL 6

Expert Comment

by:No More
ID: 41855767
While it is on forest/domain level 2003 you will get no problems, as this is the minimal configuration for server 2003r2 and 2012r2 to coexist.

You should plan to transfer all FSMO roles to new DC and make sure you transfer all of them, before you do DCPROMO

After you will level up forest and domain level,
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 41856222
0
 
LVL 6

Expert Comment

by:No More
ID: 41856236
But he has 2003 R2 not 2003 so your link is obsolete
0
 
LVL 1

Assisted Solution

by:kf4ape
kf4ape earned 250 total points
ID: 41856506
1) make sure both boxes are patched to current before adding the 2012r2 node
2) check to see if node 1 has cert services or any other items/services hosted
3) add the second server to your environment
4) make sure no clients are pointing there for DNS (this could take some WMI scripts, powershell, wireshark or all 3)
5) move your FSMO rolls to the other box one at a time
6) wait a bit...dont rush a decom, some one maybe tapping into it for LDAP with copiers, apps or who knows what
7) possible scream test...we did quite a few of these, ones we didnt couldnt easily identify who was talking to it, we powered down for 2-3 weeks...if they are VMs, its easy to fix, just power back on
8) dcpromo and AD cleanup...post dcpromo, make sure records in DNS, NTDSUTIL are all correct
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 41856520
I always use the existing IP addresses of DNS servers. At my current employer I have replaced the DCs at least 3 times, and even moved which location they're in, without ever needing to touch a client, other server, printer, copier, or other random device. :)
0
 
LVL 1

Expert Comment

by:kf4ape
ID: 41856522
Usually I replace also (about 75%), but in some case the ip/subnet was being retired...
0
 
LVL 32

Expert Comment

by:it_saige
ID: 41857144
@David Fiala - The link applies to Windows Server 2012 R2 and not any specific version of Windows Server 2003.  As explained in the TID, the issue is caused because of a mismatch in encryption types (AES on Server 2012 R2) and (DES on Server 2003).
When a Windows 2012 R2 domain controller is added in an environment where Windows Server 2003 domain controllers are present, there is a mismatch in the encryption types that are supported on the KDCs and used for salting. Windows Server 2003 domain controllers do not support AES and Windows Server 2012 R2 domain controllers do not support Data Encryption Standard (DES) for salting. - Source

@stressedout2004 - Along with what else has been stated here, you need to be aware of the possibility of a corrupted FRS database (a common occurance for Windows Server 2003 and Windows Server 2008).  Look for Event ID 13568 on your 2003 Server which indicates that your FRS Database is in a JRNL_WRAP_ERROR state.

For more information - https:/Q_28946540.html#a41601909

-saige-
0
 
LVL 9

Author Closing Comment

by:stressedout2004
ID: 41885790
Thank you.
0

Join & Write a Comment

The reason that corporations and businesses use Windows servers is because it supports custom modifications to adapt to the business and what it needs. Most individual users won’t need such powerful options. Here I’ll explain how you can enable Wind…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now