2003 domain with 2012 R2 schema - but upgrading to 2008 R2


  • We planned and tested a migration from 2003 to 2012 R2, but unfortunately we hit the issue documented here despite being fully patched.  It was fine in the test environment but not in production.

    In the hopes of circumventing this issue we have decided to upgrade to 2008 R2 and then 2012 R2.  After demoting the 2012 R2 server we are left with a 2003 domain with a 2012 R2 schema.

    I understand that schemas are backwards compatible, so can I simply skip 2008's adprep and crack on as usual?

    Wednesday, June 13, 2018 4:03 PM


All replies

  • Correct, you should not have issues.

    What you could do is to:

    1. Move to 2008 R2 DCs

    2. "depromote" 2003 DCs

    3. Raise Domain Functional Level to 2008 R2

    4. Migrate NTFrs to DFSR (SYSVOL replication)

    5. Promote your 2012 R2 DCs

    6. "depromote" 2008 R2 DCs

    7. Raise Domain Functional Level to 2012 R2

    8. Raise Forest Functional Level to 2012 R2

    9. Enable AD Recycle Bin (it's a nice to have)


    This posting is provided AS IS without warranty of any kind

    • Proposed as answer by Dave PatrickMVP Wednesday, June 13, 2018 11:17 PM
    • Marked as answer by Grenage Thursday, June 14, 2018 8:21 AM
    Wednesday, June 13, 2018 4:27 PM
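A read-only pre-flight check for the ordering in the steps above (an added example, not the answerer's own; it assumes it runs on a 2008 R2 or later DC with the ActiveDirectory module and dfsrmig.exe available, and the schema objectVersion table is Microsoft's published mapping):

```powershell
# Added pre-flight check for the migration path above. Read-only: it reports and
# changes nothing. Assumes the ActiveDirectory module and dfsrmig.exe (2008 R2+ DC).
Import-Module ActiveDirectory

# Schema objectVersion values per Windows Server release (Microsoft's published mapping)
$schemaVersions = @{ 30 = '2003'; 31 = '2003 R2'; 44 = '2008'; 47 = '2008 R2';
                     56 = '2012'; 69 = '2012 R2'; 87 = '2016'; 88 = '2019' }

$rootDse = Get-ADRootDSE
$schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
$domain  = Get-ADDomain
$forest  = Get-ADForest
$ver     = [int]$schema.objectVersion
$label   = if ($schemaVersions.ContainsKey($ver)) { $schemaVersions[$ver] } else { 'unknown' }

Write-Host "Schema objectVersion : $ver (Windows Server $label)"
Write-Host "Domain functional lvl: $($domain.DomainMode)"
Write-Host "Forest functional lvl: $($forest.ForestMode)"

# Step 1 of the thread's question: 2008 R2 adprep raises the schema to 47, so a schema
# already at 47 or above (here 69 from the 2012 R2 attempt) needs no 2008 R2 adprep.
if ($ver -ge 47) { Write-Host "2008 R2 adprep /forestprep: not required (schema already >= 47)" }

# Steps 2-3: any DC still on 2003 blocks raising the domain level to 2008 R2.
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, IsGlobalCatalog |
    Format-Table -AutoSize

# Step 4: SYSVOL replication engine. dfsrmig reports state 0 ('Start') while SYSVOL is
# still on FRS and state 3 ('Eliminated') once the DFSR migration has completed.
$dfsr = & dfsrmig.exe /getglobalstate 2>&1
Write-Host "DFSR migration state : $($dfsr -join ' ')"

# Step 9: the AD Recycle Bin is a forest-scoped optional feature and needs forest level
# 2008 R2 or later, which is why the forest level matters as much as the domain level.
$rb = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
$minForest = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ($rb.EnabledScopes.Count -gt 0) {
    Write-Host "AD Recycle Bin       : enabled"
} elseif ($forest.ForestMode -lt $minForest) {
    Write-Host "AD Recycle Bin       : not enabled; raise the forest level to 2008 R2 first"
} else {
    Write-Host "AD Recycle Bin       : not enabled; eligible (Enable-ADOptionalFeature)"
}
```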
  • AD Recycle bin can be enabled right after raising the domain level to 2008 R2
    Wednesday, June 13, 2018 10:14 PM
  • AD Recycle Bin is a Forest option.  So the Forest must be at Windows 2008 R2 at least to enable it.

    This posting is provided AS IS without warranty of any kind

    Wednesday, June 13, 2018 10:32 PM
  • Wonderful, thank you; is there a reason not to bring the forest up to 2008 after the domain?  I've only ever done them at the same time.

    I am guessing it's not a requirement simply because it will be going up to 2012 very shortly.

    Thursday, June 14, 2018 8:10 AM
  • You could, no problem. I only gave you a migration path but you can raise the Forest Functional Level to 2008 as soon as your Domain Functional Level is set to Windows 2008.

    This posting is provided AS IS without warranty of any kind

    Thursday, June 14, 2018 9:25 AM
  • It was just out of curiosity; time to read up on the FRS to DFS migration, thanks again!
    Thursday, June 14, 2018 9:43 AM
  • As a follow up to this, I promoted a 2008 R2 server and it synchronised AD no problem.  That said, we have a curious issue with computer accounts.

    When a Windows 8/10 workstation restarts and a user tries to log in, they receive the "The security database on the server does not have a computer account for this workstation trust relationship" message after entering their credentials.

    This only happens if the machine connected to the new DC (verified by using netdom verify <workstation>).  We have had no issues with user authentication once users have connected using the old DCs.  I checked that the machines existed in AD on the new DC, and the SPN/name information looks ok.  There are no error messages on workstations nor DC.

    I backed up and restored the new DC to a test environment without the two old DCs, and a workstation had no complaints logging on.

    Part of me thinks that adding a new DC and then raising the domain level and demoting the old servers would probably be ok, but I am reluctant to proceed without identifying the issue.  Scouring the internet has revealed little, so I thought I'd ask here on the off chance someone else has experienced the issue.

    (oops regarding the other thread, I thought I'd posted this in another forum, so sorry for the duplication).

    • Edited by Grenage Monday, July 23, 2018 3:57 PM
    Monday, July 23, 2018 3:09 PM