<div>
Hi Triniyas, Before raising. I recommend to migrate FRS to DFSR <a href="https://techcommunity.microsoft.com/t5/storage-at-microsoft/streamlined-migration-of-frs-to-dfsr-sysvol/ba-p/425405" rel="ugc">https://techcommunity.microsoft.com/t5/storage-at-microsoft/streamlined-migration-of-frs-to-dfsr-sysvol/ba-p/425405</a> Please read this as well. <a href="https://docs.microsoft.com/en-us/archive/blogs/askds/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level" rel="ugc">https://docs.microsoft.com/en-us/archive/blogs/askds/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level</a> --&gt;I read that ntlm is no longer used. Is that true and what issues does that bring. No. This is not true. 
</div>

<div>
NTLM is probably still used if you have migrated installing 2012 R2 DC in the existing domain. =&gt; The old parameters (for NTLM, for example) stay active until you change them. If you fully disable NTLM, some old workstations or servers could have some little problems. You probably can update the level of functionality without any problem. Very few softwares could be really incompatible with these levels. Exchange, in your case, is not a problem. Just verify for other main softwares that you may be using. 
</div>

<div>
I can see that the frs to dfsr would be helpfull.. Could you explain to me what the next really means to me &nbsp;: The KDC support for claims, compound authentication, and Kerberos armoring KDC administrative template policy has two settings (Always provide claims and&nbsp;Fail unarmored authentication requests) that require Windows Server 2012 domain functional level. &nbsp;also &nbsp; 2012r2 upgrade &nbsp;what issues if any : <ul><li>DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:</li><li>Authenticate with NTLM authentication</li><li>Use DES or RC4 cipher suites in Kerberos pre-authentication</li><li>Be delegated with unconstrained or constrained delegation</li><li>Renew user tickets (TGTs) beyond the initial 4 hour lifetime</li><li>Authentication Policies New forest-based Active Directory policies which can be applied to accounts in Windows Server 2012 R2 domains to control which hosts an account can sign-on from and apply access control conditions for authentication to services running as an account.</li><li>Authentication Policy Silos New forest-based Active Directory object, which can create a relationship between user, managed service and computer, accounts to be used to classify accounts for authentication policies or for authentication isolation.</li></ul> I really appreciate all your input in advance 
</div>

<div>
Raising domain and forest functional levels is an easy task and I've never seen or heard of anyone having issues after doing it. I've done it dozen times. I would have zero concerns about it. Just do it. New functional levels bring new features and security, that's why you might want to raise the level. <blockquote>Could you explain to me what the next really means to me: The KDC support for claims, compound authentication, and Kerberos armoring KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require Windows Server 2012 domain functional level.</blockquote>Here is the link that explains it <a href="https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831747(v=ws.11)" rel="ugc">https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831747(v=ws.11)</a> 
</div>

<div>
ok.. i am ok with the kerbros ask.. but can someone tell me what i am most concerned about : for promotion to 2012r2 forest and domain issue: &nbsp;Protected Users authenticating to a Windows Server 2012 R2 domain &nbsp;<ul><li>&nbsp;Can no longer: Authenticate with NTLM authentication</li></ul>does this effect my exchange webmail or users.. whatissues can i really expect to see .............?? &nbsp;
</div>

<div>
Is there any reason why no one is answering my previous last inquiry
</div>

<div>
<blockquote>Protected Users authenticating to a Windows Server 2012 R2 domain &nbsp;</blockquote>Only members of the Protected group, that should be administrators could be impacted. In fact, they will be still able to connect to Windows 2012 R2 servers. <blockquote><ul><li>&nbsp;Can no longer: Authenticate with NTLM authentication</li></ul>does this effect my exchange webmail or users.. whatissues can i really expect to see .............??&nbsp;</blockquote>No, all users that are on modern workstations will use Kerberos and will connect. Exchange Webmail access and authentication should work as usually, but depends of other soft/hard used (ReverseProxy, etc...). Potentially, some (old) applications/servers could be impacted indirectly. Each server/application can accept or not different authentications. 
</div>

<div>
thank you for all the answers .. I just ran across this and i didnt want to byte myself... In previuos replys..i was suggested to: Before raising. I recommend to migrate FRS to DFSR <a href="https://techcommunity.microsoft.com/t5/storage-at-microsoft/streamlined-migration-of-frs-to-dfsr-sysvol/ba-p/425405" rel="ugc">https://techcommunity.microsoft.com/t5/storage-at-microsoft/streamlined-migration-of-frs-to-dfsr-sysvol/ba-p/425405</a>&nbsp; i have started this process.. BUT.. no issues so far.. PS C:\Windows\system32&gt; Dfsrmig /setglobalstate 1 Current DFSR global state: 'Start' New DFSR global state: 'Prepared' All domain controllers have migrated successfully to the Global state ('Prepared'). Migration has reached a consistent state on all domain controllers. Succeeded. PS C:\Windows\system32&gt; Dfsrmig /setglobalstate 2 Current DFSR global state: 'Prepared' New DFSR global state: 'Redirected' Migration will proceed to 'Redirected' state. The SYSVOL share will be changed to SYSVOL_DFSR folder, which is replicated using DFSR. Succeeded. PS C:\Windows\system32&gt; Dfsrmig /getmigrationstate All domain controllers have migrated successfully to the Global state ('Redirected'). Migration has reached a consistent state on all domain controllers. Succeeded. PS C:\Windows\system32&gt; Get-WmiObject -Namespace "root\MicrosoftDFS" -Class DfsrReplicatedFolderInfo | Select-Object ReplicatedFolderName, ReplicationGroupName, State&nbsp; ReplicatedFolderName ReplicationGroupName State -------------------- -------------------- ----- SYSVOL Share &nbsp; &nbsp; &nbsp; &nbsp; Domain System Volume &nbsp; &nbsp; 4 so everything is good .. all i have to do now is Dfsrmig /setglobalstate 3 and wait for it to finish .. hopefully without error.. MYQUERY ..is i forgot we use DSF managment to share folders out .. approx 15 namespaces.. By completing this migration... Should I expect any issues or before i run step setglobalstate 3 &nbsp;.. is there something i should do first ??? thanks for all help in advance!!! 
</div>

Trinitas Regional Medical Center

<div>
So I ran the Dfsrmig /setglobalstate 3 and PS C:\Windows\system32&gt; Dfsrmig /getmigrationstate All domain controllers have migrated successfully to the Global state ('Eliminated'). Migration has reached a consistent state on all domain controllers. Succeeded. the sysvol folder on the cdrive is now gone and C:\Windows\SYSVOL_DFSR is there in its place on allcontrollers.. also the current share is still sysvol... i am gusing that doesnt change... At this point i am guessing that i am good to go.. on to other things...and i want to say thanks 
</div>

<div>
<div class="content wysiwyg-content fr-view">
I have a 2008r2 functional domain and I have all 2012 r2 domain controllers. I cant seem to find out what the real ramifications are for raising the functional levels to 2012 from 2008 r2. I read that ntlm is no longer used. Is that true and what issues does that bring. I am running a 2010/2016 hybrid exchange converting to 365. Until now I really didn't have anyone to ask these questions to. So can you help ? &nbsp;
</div>
</div>


I have a 2008r2 functional domain and I have all 2012 r2 domain controllers. I cant seem to find out what the real ramifications are for raising the functional levels to 2012 from 2008 r2.
I read that ntlm is no longer used. Is that true and what issues does that bring. I am running a 2010/2016 hybrid exchange converting to 365. Until now I really didn't have anyone to ask these questions to. So can you help ?  

issues to be considered raising functional lever from2008r2 to 2012

Windows Server 2012 is the server version of Windows 8 and the successor to Windows Server 2008 R2. Windows Server 2012 is the first version of Windows Server to have no support for Itanium-based computers since Windows NT 4.0. Windows Server 2012, now in its second release (Windows Server 2012 Release 2) includes Foundation, Essentials, Standard and Datacenter, and does not support IA-32 or IA-64 processors.

Windows Server 2012

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Active Directory

Exchange is the server side of a collaborative application product that is part of the Microsoft Server infrastructure. Exchange's major features include email, calendaring, contacts and tasks, support for mobile and web-based access to information, and support for data storage.