Upgrading AD domain and forest functional levels - legacy client compatibility

Question

Hi,
I work for a large healthcare provider. We have 2012 DCs running at 2003 domain forest and functional levels. We have around 60 NT4 and Windows 2000 servers. When we removed the last 2003 DC, a couple of critical services broke on the legacy operating systems. We've put workarounds in place for the legacy services and lowered the default domain security setting. We're now looking at upgrading the domain and forest functional levels 2012, but have some concerns that doings so will break additional services, particularly around .NET apps.

The below indicates that NT4 and 2000 servers are not compatible with 2008+ higher level functional levels:

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee522994(v=ws.10)?redirectedfrom=MSDN#BKMK_OSInterop

Can someone provide some real world insight into:

• Whether upgrading AD forest and functional levels to 2012, will this have an impact on 2003 servers?
  • At a base level, would they be able to logon OK?
  • Would apps work as normal?
  • Would we need to lower any security settings to accommodate 2003 servers?
• Later we’d like to upgrade to Windows 2016 forest and functional levels, would we have backwards compatibility issues with 2003, 2008 and 2012 servers?
  -Is the upgrade to Windows 2016 challenging in terms of prerequisites and potential catches?

I'm well aware 2003 is not supported, what I'm after is whether anyone has experience of running 160+ 2003 servers at 2012 domain functional levels in an enterprise environment (i.e. 1000 servers+)

Thanks in advance,

Answer 1

2003 member servers in a 2012 or 2016 domain should not be a problem.

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels

The prerequisite before introducing the first 2016 domain controller: domain functional level needs to be 2003 or higher

The two prerequisites to introducing the first 2019 domain controller are that domain functional level needs to be 2008 or higher and older sysvol FRS replication needs to have been migrated to DFSR
https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Streamlined-Migration-of-FRS-to-DFSR-SYSVOL/ba-p/425405

--please don't forget to Accept as answer if the reply is helpful--

Answer 2

Hi,
Looking at the below, there may be some issues:
GPO
https://community.spiceworks.com/topic/276182-windows-2012-functional-level-client-compatibility

Note the break in the .NET application
https://learn.microsoft.com/en-us/archive/blogs/askds/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level

Does Ms specifically state that 2003 member servers are compatible with 2012 domain and forest functional levels?

Reading between the lines, it seems that the stance is that 2003 server OS works on 2012, but if you're worried about applications, then test...

Answer 3

Yes, 2003 servers were compatible with 2012 (2016 as well) DFL, but since 2003 is no longer a supported OS the documents have likely been removed. As to .Net applications I'd take this one up with the developer, or if you are the developer then try asking for help somewhere on MSDN, possibly over here.

https://social.msdn.microsoft.com/Forums/en-US/home?category=netdevelopment

--please don't forget to Accept as answer if the reply is helpful--

Answer 4

Hi,
 
Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.
 
Best Regards,
Vicky

Answer 5

Hi,
 
Just want to confirm the current situations.
 
Please feel free to let us know if you need further assistance.
 
Best Regards,
Vicky