Windows Server 2003 R2 to Server 2012 R2 Domain Controller Upgrade

Posted on 2016-10-22
Last Modified: 2016-11-13
Hello,

I have a question regarding domain functionality. I have completed upgrading my domain from Server 2003 to 2012 R2. At the moment, the domain functional level is still 2003. MSPDC1 is Server 2003 and MSPDC2 is Server 2012 R2. In the coming months, I will be running DC promo on the 2003 domain controller. I will then reformat and install a fresh copy of Server 2012 R2 on MSPDC1, and this will be the additional domain controller running Server 2012 R2. At the moment, does it cause any issue having a 2003 domain controller and a 2012 domain controller existing together? Everything is working and in sync.
Question by:stressedout2004

Accepted Solution

by:
Lee W, MVP earned 1000 total points
ID: 41855739
At the moment, I know of no known issues.  HOWEVER, Server 2003 is NO LONGER SUPPORTED.  That means, among other things, when Microsoft does an update to Windows Server 2012, they are likely NOT testing it with 2003, so any new updates to Windows 2012 COULD break connectivity to the 2003 server.  So it works today... it might not work tomorrow and you can't be certain it wasn't an update that broke it.  Really, you need to remove the 2003 server ASAP.

Expert Comment

by:No More
ID: 41855767
While it is on forest/domain level 2003 you will get no problems, as this is the minimal configuration for server 2003r2 and 2012r2 to coexist.

You should plan to transfer all FSMO roles to the new DC, and make sure you transfer all of them before you do DCPROMO.

After you will level up forest and domain level,

Expert Comment

by:kevinhsieh
ID: 41856222

Expert Comment

by:No More
ID: 41856236
But he has 2003 R2, not 2003, so your link is obsolete.

Assisted Solution

by:kf4ape
kf4ape earned 1000 total points
ID: 41856506
1) Make sure both boxes are patched to current before adding the 2012 R2 node.
2) Check to see if node 1 has cert services or any other items/services hosted.
3) Add the second server to your environment.
4) Make sure no clients are pointing there for DNS (this could take some WMI scripts, PowerShell, Wireshark or all 3).
5) Move your FSMO roles to the other box one at a time.
6) Wait a bit... don't rush a decom; someone may be tapping into it for LDAP with copiers, apps or who knows what.
7) Possible scream test... we did quite a few of these. For the ones where we couldn't easily identify who was talking to it, we powered down for 2-3 weeks... if they are VMs, it's easy to fix, just power back on.
8) dcpromo and AD cleanup... post dcpromo, make sure records in DNS and NTDSUTIL are all correct.

Expert Comment

by:kevinhsieh
ID: 41856520
I always use the existing IP addresses of DNS servers. At my current employer I have replaced the DCs at least 3 times, and even moved which location they're in, without ever needing to touch a client, other server, printer, copier, or other random device. :)

Expert Comment

by:kf4ape
ID: 41856522
Usually I replace also (about 75%), but in some cases the IP/subnet was being retired...

Expert Comment

by:it_saige
ID: 41857144
@David Fiala - The link applies to Windows Server 2012 R2 and not any specific version of Windows Server 2003.  As explained in the TID, the issue is caused because of a mismatch in encryption types (AES on Server 2012 R2) and (DES on Server 2003).
"When a Windows 2012 R2 domain controller is added in an environment where Windows Server 2003 domain controllers are present, there is a mismatch in the encryption types that are supported on the KDCs and used for salting. Windows Server 2003 domain controllers do not support AES and Windows Server 2012 R2 domain controllers do not support Data Encryption Standard (DES) for salting." - Source

@stressedout2004 - Along with what else has been stated here, you need to be aware of the possibility of a corrupted FRS database (a common occurrence for Windows Server 2003 and Windows Server 2008).  Look for Event ID 13568 on your 2003 Server, which indicates that your FRS Database is in a JRNL_WRAP_ERROR state.

For more information - https:/Q_28946540.html#a41601909

-saige-
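
The pre-demotion checks raised in this thread (steps 4 and 5 of kf4ape's list and the FRS Event ID 13568 check above), as an added PowerShell example that is not part of any post here. It assumes the DC names from the question, Windows PowerShell 5.1 with the RSAT ActiveDirectory module, and that WMI and the remote event log are reachable on the targets.

```powershell
# Added example, not from the thread. Windows PowerShell 5.1 with the RSAT
# ActiveDirectory module, run as a domain admin from MSPDC2 or a workstation.
Import-Module ActiveDirectory

$OldDc = 'MSPDC1'   # 2003 R2 DC to be demoted (name from the question)
$NewDc = 'MSPDC2'   # 2012 R2 DC that should hold every FSMO role

# Step 5: list the five FSMO role holders and flag any not yet on the new DC.
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
foreach ($role in $roles.GetEnumerator()) {
    $moved = ($role.Value -split '\.')[0] -ieq $NewDc
    '{0,-21} {1} {2}' -f $role.Key, $role.Value, $(if (-not $moved) { '<-- not on new DC' })
}

# Step 4: find domain-joined machines whose adapters still list the old DC as DNS.
$oldIps = [System.Net.Dns]::GetHostAddresses($OldDc) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }
$computers = Get-ADComputer -Filter 'Enabled -eq $true' | Where-Object DNSHostName
foreach ($c in $computers) {
    try {
        Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $c.DNSHostName `
                -Filter 'IPEnabled = TRUE' -ErrorAction Stop |
            Where-Object { $_.DNSServerSearchOrder | Where-Object { $oldIps -contains $_ } } |
            ForEach-Object {
                [pscustomobject]@{ Computer   = $c.Name
                                   Adapter    = $_.Description
                                   DnsServers = $_.DNSServerSearchOrder -join ', ' }
            }
    } catch {
        Write-Warning "$($c.Name): WMI query failed: $($_.Exception.Message)"
    }
}

# FRS check: Event ID 13568 on the 2003 DC means JRNL_WRAP_ERROR.
Get-EventLog -LogName 'File Replication Service' -ComputerName $OldDc -Newest 1000 |
    Where-Object { $_.EventID -eq 13568 } |
    Select-Object TimeGenerated, EntryType, Source, Message
```

The DNS inventory only reaches domain-joined Windows machines; the copiers and applications mentioned in step 6 will not appear in it.
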
Author Closing Comment

by:stressedout2004
ID: 41885790
Thank you.