Forum Discussion
Any potential problems with mixed OS versions for Active Directory PDC?
- b-art, Apr 28, 2023, Copper Contributor
Harm_Veenstra, that is not all.
The default in Windows is that if an AD server is on the newest OS (younger than the youngest), all authentication traffic will go that way.
So, best practice: AD servers should always be installed as a single service on a server (not combined with anything else).
Second, be aware that when using multiple domains this can become an issue when communication between DC servers goes over a firewall!
So if you install a new AD server always check network traffic first!
And replace all AD servers beginning with the Primary AD as soon as possible.
Always install the latest OS with the compatible latest AD.
- JTrupp512, Nov 28, 2023, Copper Contributor
We have experienced issues with Windows Server 2019 when all DCs in our environment were not on the same CU. With one server on CU 2023-11 and the rest still on 2023-10, we began seeing these errors and unexpected server reboots impacting all DCs in our environment:
Log Name: System
Source: User32
Date: 11/20/2023 4:32:19 PM
Event ID: 1074
Task Category: None
Level: Information
Keywords: Classic
User: SYSTEM
Computer: [redacted]
Description: The process wininit.exe has initiated the restart of computer [redacted] on behalf of user for the following reason: No title for this reason could be found
Reason Code: 0x50006
Shutdown Type: restart
Comment: The system process 'C:\windows\system32\lsass.exe' terminated unexpectedly with status code -1073740791. The system will now shut down and restart.
This behavior did not stop until all DCs were upgraded to CU 2023-11.
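The symptom above (an unexpected restart whose event 1074 comment names lsass.exe, appearing while DCs sit on different cumulative updates) can be checked for across a fleet. The following PowerShell is an added example, not code from JTrupp512's post or from Microsoft: it parses the 1074 message text, pulls matching events from the System log of each DC, and compares the CurrentBuild.UBR value (which changes with every CU) so that DCs a CU behind stand out. The sample message and build numbers are constructed for illustration; computer names are assumptions.

```powershell
# Added example (not part of the thread). Run from a host with WinRM access to the DCs
# and rights to read their System logs; the constructed samples at the bottom run offline.

function ConvertFrom-Event1074Message {
    param([Parameter(Mandatory)][string] $Message)
    # The "Reason Code:" and "Comment:" lines carry the useful detail. The status code is a
    # signed decimal NTSTATUS; -1073740791 is 0xC0000409 (STATUS_STACK_BUFFER_OVERRUN).
    $r = [ordered]@{ Process = $null; StatusDecimal = $null; StatusHex = $null; ReasonCode = $null }
    if ($Message -match 'Reason Code:\s*(0x[0-9A-Fa-f]+)') { $r.ReasonCode = $Matches[1] }
    if ($Message -match "system process '([^']+)' terminated unexpectedly with status code (-?\d+)") {
        $r.Process       = $Matches[1]
        $r.StatusDecimal = [int]$Matches[2]
        # -band with a 64-bit mask turns the negative int32 back into the unsigned NTSTATUS value
        $r.StatusHex     = '0x{0:X8}' -f ($r.StatusDecimal -band 0xFFFFFFFF)
    }
    [pscustomobject]$r
}

function Get-LsassRestartEvents {
    # User32 event 1074 entries whose comment mentions lsass.exe, per computer.
    param([string[]] $ComputerName = $env:COMPUTERNAME, [datetime] $Since = (Get-Date).AddDays(-30))
    foreach ($c in $ComputerName) {
        $filter = @{ LogName = 'System'; ProviderName = 'User32'; Id = 1074; StartTime = $Since }
        Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'lsass\.exe' } |
            ForEach-Object {
                $p = ConvertFrom-Event1074Message -Message $_.Message
                [pscustomobject]@{ Computer = $c; Time = $_.TimeCreated; Process = $p.Process
                                   Status = $p.StatusHex; Reason = $p.ReasonCode }
            }
    }
}

function Get-DcPatchLevel {
    # CurrentBuild.UBR (e.g. 17763.5122) is bumped by each cumulative update,
    # so DCs on the same CU report the same value.
    param([Parameter(Mandatory)][string[]] $ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $v = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Build = "$($v.CurrentBuild).$($v.UBR)" }
    } | Select-Object Computer, Build
}

function Find-PatchLevelMismatch {
    # Returns $null when every DC is on the same build, otherwise the newest build and who is behind.
    param([Parameter(Mandatory)][object[]] $PatchLevels)   # objects with Computer and Build
    $groups = $PatchLevels | Group-Object Build | Sort-Object { [version]$_.Name } -Descending
    if ($groups.Count -le 1) { return $null }
    [pscustomobject]@{
        Newest = $groups[0].Name
        Behind = @($groups | Select-Object -Skip 1 | ForEach-Object { $_.Group.Computer })
    }
}

# Constructed sample mirroring the posted event text (not a real log export).
$sampleMessage = @"
The process wininit.exe has initiated the restart of computer DC01 on behalf of user for the following reason: No title for this reason could be found
 Reason Code: 0x50006
 Shutdown Type: restart
 Comment: The system process 'C:\windows\system32\lsass.exe' terminated unexpectedly with status code -1073740791.  The system will now shut down and restart.
"@
ConvertFrom-Event1074Message -Message $sampleMessage   # Process = ...\lsass.exe, StatusHex = 0xC0000409

# Constructed patch levels (illustrative Server 2019 builds): one DC a CU ahead of the rest.
$sampleLevels = @(
    [pscustomobject]@{ Computer = 'DC01'; Build = '17763.5122' },
    [pscustomobject]@{ Computer = 'DC02'; Build = '17763.4974' },
    [pscustomobject]@{ Computer = 'DC03'; Build = '17763.4974' }
)
Find-PatchLevelMismatch -PatchLevels $sampleLevels     # Newest = 17763.5122, Behind = DC02, DC03

# Live run against every DC in the domain (needs the ActiveDirectory RSAT module):
# $dcs = (Get-ADDomainController -Filter *).HostName
# Get-LsassRestartEvents -ComputerName $dcs | Format-Table
# Find-PatchLevelMismatch -PatchLevels (Get-DcPatchLevel -ComputerName $dcs)
```

Seeing lsass.exe restarts only on the DCs that `Find-PatchLevelMismatch` lists as behind (or only on the one ahead) is the correlation the post describes; either way the fix is to bring every DC to the same CU before looking further.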
- Ted_Mittelstaedt, May 10, 2022, Brass Contributor
Both Domain and Forest level are at 2008 R2 on this domain. However, they are still all using FRS for replication of SYSVOL, so thank you for that tip. I will need to run a migration to DFSR first on the existing DCs since Server 2019 does not support FRS.
- LainRobertson, May 10, 2022, Silver Contributor
Just to be clear here, there is categorically no issue with running domain controllers built on differing operating systems beyond the single requirement around migrating from FRS to DFS-R, as Harm_Veenstra already noted.
The functional level supportability matrices can be found in the following article (though I suspect you've already seen this.) Once you migrate from FRS to DFS-R, which you can (and should) do using your existing infrastructure, you can jump directly to Windows Server 2022.
Active Directory Domain Services Functional Levels in Windows Server | Microsoft Docs
Nothing is automatically triggered with respect to new functionality simply by using a newer operating system. The most you'll find (beyond your DFS-R task) are some cryptographic suite changes, which have taken place across all platforms purely as a generational exercise and have nothing specifically to do with domain controllers or the functional levels. And 2008 R2 isn't so old that it doesn't share a good portion of these suites, meaning you will not run into issues on this front (unless someone's badly customised the existing suites via GPO, which is a very, very long shot.)
As noted in that article (as one example of many), there have been no new functional levels (domain or forest) since 2016. There have been a couple of Azure-centred schema extensions, but that's not the same thing, and there's quite literally zero value in discussing those here. The point is, there is no such thing as Server 2022 functional levels.
Stick to what you've already discovered and what Harm has added, and you'll be fine:
- Migrate from FRS to DFS-R first;
- Make sure that completes successfully and that you have no other replication issues;
- Add/replace (steer clear of in-place upgrades though) the old domain controllers with Windows Server 2022 if you can, or 2019 if you have a really good reason for doing so (i.e. throwing away mainstream support duration and having to go through this whole exercise a few years sooner);
- Once they're all on Server 2022, consider raising your functional levels.
Cheers,
Lain
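The four-step order Lain gives (FRS to DFS-R first, confirm replication is clean, replace the old DCs with newer ones, raise functional levels last) can be turned into a pre-flight check. The PowerShell below is an added example, not Lain's or Microsoft's code: it reads the SYSVOL migration state from `dfsrmig /getglobalstate`, collects replication failures, inventories DC operating systems, and reports whether it is safe to promote a Server 2019/2022 DC and whether the functional levels can be raised. The sample data at the bottom is constructed to resemble the original poster's 2008 R2 / FRS situation and runs without a domain; names such as DC01 and DC02 are assumptions.

```powershell
# Added example (not from the thread). The live run needs the ActiveDirectory RSAT module
# and dfsrmig.exe (present on any DC); the constructed sample at the bottom runs anywhere.

function Get-SysvolReplicationState {
    # dfsrmig /getglobalstate reports Start (FRS), Prepared, Redirected or Eliminated (DFS-R only).
    $out = (& dfsrmig.exe /getglobalstate 2>&1) -join "`n"
    if ($out -match "global state:\s*'?(\w+)'?") { return $Matches[1] }
    return 'Unknown'
}

function Test-DcUpgradeReadiness {
    param(
        [Parameter(Mandatory)][object[]] $DomainControllers,  # objects with Name, OperatingSystem
        [Parameter(Mandatory)][string]   $SysvolState,        # from Get-SysvolReplicationState
        [Parameter(Mandatory)][string]   $DomainMode,         # e.g. Windows2008R2Domain
        [Parameter(Mandatory)][string]   $ForestMode,         # e.g. Windows2008R2Forest
        [object[]] $ReplicationFailures = @()                  # from Get-ADReplicationFailure
    )
    $blockers = New-Object System.Collections.Generic.List[string]
    $notes    = New-Object System.Collections.Generic.List[string]

    # Step 1: Server 2019/2022 cannot replicate SYSVOL over FRS, so anything short of
    # 'Eliminated' must be finished before a newer DC is promoted.
    if ($SysvolState -ne 'Eliminated') {
        $blockers.Add("SYSVOL migration state is '$SysvolState'; complete the FRS to DFS-R migration (dfsrmig) first.")
    }
    # Step 2: no outstanding replication failures anywhere in the forest.
    foreach ($f in $ReplicationFailures) {
        $blockers.Add("Replication failure on $($f.Server) from $($f.Partner): $($f.LastError) ($($f.FailureCount) attempts)")
    }
    # Step 3: OS inventory, so it is obvious which DCs still have to be replaced.
    $years = foreach ($dc in $DomainControllers) {
        if ($dc.OperatingSystem -match 'Windows Server (\d{4})') { [int]$Matches[1] } else { 0 }
    }
    $DomainControllers | Group-Object OperatingSystem | ForEach-Object {
        $notes.Add("$($_.Count) DC(s) on '$($_.Name)': $($_.Group.Name -join ', ')")
    }
    # Step 4: functional levels top out at 2016; only suggest raising once every DC is 2016 or newer.
    $minYear = ($years | Measure-Object -Minimum).Minimum
    if ($minYear -eq 0) {
        $notes.Add('Could not parse one or more OperatingSystem values; check them manually.')
    } elseif ($minYear -lt 2016) {
        $notes.Add("Oldest DC is Windows Server $minYear; leave levels at $DomainMode/$ForestMode until it is replaced.")
    } elseif ($DomainMode -ne 'Windows2016Domain' -or $ForestMode -ne 'Windows2016Forest') {
        $notes.Add("All DCs are 2016 or newer; levels are $DomainMode/$ForestMode and can be raised to 2016.")
    }
    [pscustomobject]@{ ReadyForNewDCs = ($blockers.Count -eq 0); Blockers = $blockers; Notes = $notes }
}

# Constructed sample resembling the original poster's situation: 2008 R2 levels, SYSVOL still on FRS.
$sampleDcs = @(
    [pscustomobject]@{ Name = 'DC01'; OperatingSystem = 'Windows Server 2008 R2 Standard' },
    [pscustomobject]@{ Name = 'DC02'; OperatingSystem = 'Windows Server 2012 R2 Standard' }
)
Test-DcUpgradeReadiness -DomainControllers $sampleDcs -SysvolState 'Start' `
    -DomainMode 'Windows2008R2Domain' -ForestMode 'Windows2008R2Forest' | Format-List
# ReadyForNewDCs = False, with the FRS blocker and a note to leave the levels alone.

# Live run from a DC or management host:
# $dcs = Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem
# Test-DcUpgradeReadiness -DomainControllers $dcs -SysvolState (Get-SysvolReplicationState) `
#     -DomainMode (Get-ADDomain).DomainMode -ForestMode (Get-ADForest).ForestMode `
#     -ReplicationFailures (Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest) | Format-List
```

`ReadyForNewDCs` only turns true once the SYSVOL state is `Eliminated` and no replication failures are reported, which is exactly the gate before step 3; the functional-level note stays advisory because, as Lain says, raising the levels is a separate decision taken after the last old DC is gone.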
- Alban1999, May 10, 2022, Iron Contributor
If you don't want to break everything, you need to double-check Exchange on-premises requirements; usually you install the latest CU to support the latest OS, which can be a tedious process, especially if those Exchange servers are updated once in a blue moon.
Which is why it seems better imho to migrate to an Exchange-friendly OS first (2016) before making the next jump to 2019/2022 right away.
- May 10, 2022
No problem, good luck, and please mark my answer as the solution to mark it as solved.