I'm in the process of upgrading my environment from Windows Server 2012R2 to 2022. Most of the member servers are already migrated, but I have some concerns regarding changes to Kerberos on the domain controllers. I've heard that older systems might face authentication issues, and I don't want to run into any problems during this transition. I think I came across references to CVE-2025-26647 and CVE-2022-37967, but I can't recall the specifics. I'm hesitant to deploy 2022 DCs with the latest updates if it could impact the remaining 2012R2 servers. Can anyone clarify this situation for me?
4 Answers
You'll be good to go! The real concern is the jump to 2025 for the DC OS, which can cause issues if you don't manage it carefully. You can keep your functional level lower for now if it helps.
Is it really the OS version that's the issue, rather than the domain functional level?
Just go ahead and install the 2022 servers, but avoid updating them beyond the last patch level of your 2012R2 servers for now. Migrate your Active Directory, and once that's done, fully patch the 2022 servers. Remember, it's not only Kerberos; DCOM changes could also create issues.
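As an added example (not code from any poster in this thread), the PowerShell below inventories the domain controllers that the answer above says should be kept at a matching patch level until the AD migration is finished. It reports forest and domain functional levels, each DC's OS build and most recently installed update, and reads the `KrbtgtFullPacSignature` KDC registry value associated with the CVE-2022-37967 hardening that the question mentions. It assumes the RSAT ActiveDirectory module, WinRM and WMI access to every DC, and an account allowed to query them; no particular KB number or registry value is assumed, and the meaning of each `KrbtgtFullPacSignature` value should be checked against Microsoft's KB article for that CVE.

```powershell
# Added example, not from any poster on this thread: inventory DC build and
# patch state before and after the migration steps described above.
# Assumes: RSAT ActiveDirectory module, WinRM + WMI access to each DC.
Import-Module ActiveDirectory

function Get-DcUpgradeInventory {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    Write-Host "Forest functional level: $($forest.ForestMode)"
    Write-Host "Domain functional level: $($dom.DomainMode)"

    $dcs = Get-ADDomainController -Filter * -Server $Domain
    foreach ($dc in $dcs) {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $dc.HostName

        # Most recently installed update on this DC (whatever it happens to be).
        $lastFix = Get-HotFix -ComputerName $dc.HostName |
                   Sort-Object InstalledOn -Descending | Select-Object -First 1

        # KDC PAC-signature setting introduced with the CVE-2022-37967 hardening.
        # $null means the value is absent and the OS default applies; interpret
        # numeric values per Microsoft's KB for that CVE, not from this script.
        $pacSig = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' `
                -Name KrbtgtFullPacSignature -ErrorAction SilentlyContinue).KrbtgtFullPacSignature
        }

        [pscustomobject]@{
            DC                     = $dc.HostName
            OSCaption              = $os.Caption
            Build                  = $os.BuildNumber
            LatestHotFix           = $lastFix.HotFixID
            LatestHotFixDate       = $lastFix.InstalledOn
            KrbtgtFullPacSignature = $pacSig
        }
    }
}

$inv = Get-DcUpgradeInventory
$inv | Format-Table -AutoSize

# Flag drift: the advice above is to hold all DCs at one patch level until the
# AD migration is complete, then patch the 2022 DCs fully.
$builds = $inv.Build | Sort-Object -Unique
if ($builds.Count -gt 1) {
    Write-Warning "Mixed DC OS builds in ${Domain}: $($builds -join ', ')"
}
$fixes = $inv.LatestHotFix | Sort-Object -Unique
if ($fixes.Count -gt 1) {
    Write-Warning "DCs differ in latest installed update: $($fixes -join ', ')"
}
```

Run it once before introducing the 2022 DCs to record a baseline, again after promotion (the build warning is expected then, since 2012 R2 and 2022 DCs coexist), and a final time after the 2012 R2 DCs are demoted to confirm the remaining DCs share one build and one update level.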
Make sure you test everything before fully migrating. I encountered some weird behaviors during my upgrade.
I migrated from 2012R2 to 2025 without any hiccups. If you're worried, consider setting up a 2016 or 2019 server as a middle step while you transition from 2012R2.
Got it! I’m definitely not pushing for 2025 just yet. Thanks for the heads-up!