Last Updated on September 6, 2015 by Dishan M. Francis

Well, it’s been few month since Microsoft ended windows server 2003 support. I have written many articles about it and also provided step-by-step guides explaining how to migrate server roles in to newer versions of active directory services.

Even its not supported there are lot of companies (oh well unfortunately some well-known global companies) still uses active directory services running on windows server 2003 environment. This is common issue with large distributed network setup as those are too complex to go via upgrade process. Even for small networks, engineers afraid that it will “break” something with the upgrade. I had lot of emails from students, engineers asking me same thing.

Microsoft already think about this and make it easier for you on active directory upgrades with its interoperability capabilities with earlier versions of active directory. So introducing windows 2012 R2 active directory server in to your active directory 2003 environment doesn’t means you should upgrade its forest and domain functional levels right away. If your domain is running with windows 2003 server or higher functional level, you still can install an AD with windows server 2012 r2 in same network. But obviously you will not be able to get windows 2012 r2 domain features until you upgrade domain functional level. You do not need to do it until last windows 2003 AD in your domain is decommissioned. Forest functional level also depend on the domain functional level. You can’t upgrade forest functional level before domain functional level upgrade. Until that you need to consider about,

1)    FSMO roles transferred in the new AD server
2)    Get legacy applications upgraded /fixed to support new AD versions if they only support for windows server 2003 AD environment( Forest, domain functional levels)
3)    Transfer roles running on windows server 2003 AD servers such as DNS, DHCP, CA etc.

Here is list of new features you will get from the windows server 2012 R2 domain functional level according to

•    Group Managed service accounts which can use for managing multiple servers, pcs.
•    Key Distribution Center (KDC) support for claims, compound authentication, and Kerberos armoring.
•    DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:
     1)    Authenticate with NTLM authentication
     2)    Use DES or RC4 cipher suites in Kerberos pre-authentication
     3)    Be delegated with unconstrained or constrained delegation
     4)    Renew user tickets (TGTs) beyond the initial 4 hour lifetime
•    New forest-based Active Directory policies which can be applied to accounts in Windows Server 2012 R2 domains to control which hosts an account can sign-on from and apply access control conditions for authentication to services running as an account.
•    Authentication Policy Silos – New forest-based Active Directory object, which can create a relationship between user, managed service and computer, accounts to be used to classify accounts for authentication policies or for authentication isolation.

So don’t be late, introduce your first windows server 2012 r2 dc in to your windows 2003 environment.

If you have any question about the post feel free to contact me on