@OneTechBeyond
Hi, Robert.
Just to call it out up front and get it out of the way, Windows Server 201 R2 is no longer supported. So, if you're looking to run either Cloud or Connect sync on the actual domain controller, you'd be doing so in an entirely unsupported capacity. This doesn't mean it won't work - not that I can test that, but even if it does and something goes wrong later, you'll get no help from Microsoft with it.
That said, what you can do is use a Windows 2016 (not recommended by Microsoft as it's about to exit extended maintenance) or later member server and install either there.
The fact that the domain and forest functional are - at best - at the 2012 R2 levels is not an issue - as far as I'm aware (though to be fair, I haven't seen current versions of Entry Connect on a Server 2012 R2-era host/domain/forest, either). It's more a question of upon which server version you're trying to install the software.
My preference is still to use Entry Connect rather than Cloud Sync, but check the matrix and decide what works best for you.
While it's in the matrix, one point I'll quickly call out is if you have domain-joined devices (clients and servers) that you're looking to convert into hybrid-joined devices and managed via InTune, that automatically puts you onto the Entra Connect path, as Cloud sync doesn't handle devices.
Neither sync tool can synchronise Azure-native user objects from Azure Active Directory back to on-premise Active Directory, meaning bidirectionality is not an option. This is not to be confused with attribute write-back which is supported (stating the obvious here, but only for user objects that originated from on-premise).
If the existing configuration is working and you have no profoundly compelling reason to mess with it, I'd leave it alone until you do.
That said, if you feel compelled to mess with it anyway, then I'd highly recommend setting up a new side-by-side configuration based on Entry Connect, installed on nothing less than a Windows Server 2019 host (as a member server, given you cannot afford to mess around with the existing 2012 R2 domain controller) and ensure it staging mode is enabled.
Staging mode simple means that the installation will not perform any updates of either Azure Active Directory or on-premise Active Directory, which gives you a safe environment in which to assess the viability of disabling staging mode later on - prefaced by setting the existing Connect installation into staging mode - should everything with the new installation look fine to proceed.
Conversely, if the new installation is a fiasco, because it's in staging mode you can simply uninstall Entra Connect and destroy the Windows Server 2019 virtual machine (I'm assuming you wouldn't be using a physical installation these days).
Cheers,
Lain
