Any gotchas introducing a 2025 domain controller in a domain with mixed DCs (2016, 2019, 2022)?
Posted by Man-e-questions@reddit | sysadmin | 50 comments
We still have member servers that are 2012 and 2012 R2, but all DCs and most servers are 2016, 2019, and 2022. Wanted to make sure there are no gotchas introducing a 2025 DC.
Cormacolinde@reddit
Don’t do it. Just don’t deploy a 2025 domain controller. If you do, you need to migrate all of them and have just 2025 DCs and hope Microsoft doesn’t break it anymore.
MisterBazz@reddit
Honestly this. You should migrate all DCs to 2025 and then elevate AD functional level to 2025.
NiiWiiCamo@reddit
Not sure if it is still the case, but is a 2025 DC in itself stable by now? I remember there being issues for the first few months even in a green field deployment...
MisterBazz@reddit
Yes, and it has a DISA STIG available.
Deodedros@reddit
I'm gonna watch this post. I got some new servers that are 2025 and replacing old 2012 R2 DCs. I think I'm over my head for that project lmao
walrusanon@reddit
The biggest gotcha with a 2025 DC is the April 2026 update breaking it AND also failing on Dell equipment.
There is a hotfixed version now though.
Not impressed with Server 2025. Seems unfinished.
FriskyDuck@reddit
I read domain machine password changes were broken for AD2025 mixed environments. Was it ever resolved? I couldn’t find any fixes.
picklednull@reddit
It was fixed last December.
FriskyDuck@reddit
I can't find anything listed here: https://learn.microsoft.com/en-us/windows/release-health/resolved-issues-windows-server-2025
YaManMAffers@reddit
LDAPS. Server 2025 requires LDAPS, so make sure your local CA is pushing at least SHA256 certs, so you can import the Server 2025 certs into applications for LDAPS. We JUST overcame this hurdle.
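An added example (not from this thread or any commenter) that checks what a DC actually presents on port 636 before clients are moved to LDAPS: it pulls the server certificate, reports the signature algorithm (flagging SHA-1), expiry, SAN match, the Server Authentication EKU and whether the chain builds on the machine running it. The DC name and port are parameters; the usage line's `Get-ADDomainController` call assumes the ActiveDirectory RSAT module.

```powershell
# Added example, not from the thread: inspect the certificate a DC serves on
# 636 so LDAPS clients (and anyone importing it into an application) can see
# whether it is SHA-256-signed, chain-valid, unexpired and carries the right SAN.
function Test-LdapsCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DcFqdn,   # placeholder: your DC's FQDN
        [int]$Port = 636
    )

    $tcp = [System.Net.Sockets.TcpClient]::new()
    $ssl = $null
    try {
        $tcp.Connect($DcFqdn, $Port)
        # The callback accepts any certificate only so we can read it; trust is
        # evaluated explicitly below with X509Chain, not assumed here.
        $ssl = [System.Net.Security.SslStream]::new(
            $tcp.GetStream(), $false,
            { param($sender, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($DcFqdn)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }

    $chain   = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chainOk = $chain.Build($cert)
    $sigAlg  = $cert.SignatureAlgorithm.FriendlyName      # e.g. sha256RSA or sha1RSA
    # DnsNameList / EnhancedKeyUsageList are PowerShell-added views of the SAN and EKU extensions.
    $sanMatch   = @($cert.DnsNameList.Unicode) -contains $DcFqdn
    $serverAuth = @($cert.EnhancedKeyUsageList.ObjectId) -contains '1.3.6.1.5.5.7.3.1'

    [pscustomobject]@{
        DC                 = $DcFqdn
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        SignatureAlgorithm = $sigAlg
        Sha1Signed         = $sigAlg -match '^sha1'
        NotAfter           = $cert.NotAfter
        Expired            = $cert.NotAfter -lt (Get-Date)
        SanMatchesDc       = $sanMatch
        ServerAuthEku      = $serverAuth
        ChainValid         = $chainOk
        ChainStatus        = ($chain.ChainStatus.StatusInformation -join '; ')
        Thumbprint         = $cert.Thumbprint
    }
}

# Usage: run against every DC and keep only the ones that need fixing first.
# Get-ADDomainController -Filter * |
#   ForEach-Object { Test-LdapsCertificate -DcFqdn $_.HostName } |
#   Where-Object { $_.Sha1Signed -or $_.Expired -or -not $_.SanMatchesDc -or -not $_.ChainValid }
```

`ChainValid` reflects the trust store of the machine you run this from, which is the same thing an application on that machine would see when it imports the certificate; a SHA-1 issuer somewhere up the chain shows up in `ChainStatus` even when the leaf itself is SHA-256.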
hkeycurrentuser@reddit
Are you running any legacy MS Exchange components? If so, then no, hard ceiling of 2022 until you've got rid of that debt. As others have said, focus on getting ALL DCs to the same level first. 2022 sounds like a good base level.
Man-e-questions@reddit (OP)
Yes have Exchange on prem for some legacy apps and printers
hkeycurrentuser@reddit
When you replace all your old DCs, build the new ones as Core. Just leave one full GUI server as a just-in-case (although even then, not really needed).
willdeleteacct1year@reddit
Windows Core is dogshit now that you cannot flip back and forth between Core and GUI.
I tried it and it caused so many issues it was just not worth the minimal extra resources required. If you are worried about security just block RDP, etc.
picklednull@reddit
No it's not. I have 10 years' experience running it for every role that's compatible and I never encountered an issue I couldn't solve. Also, I never had the need to add the GUI.
menace323@reddit
Core with the app compatibility pack is awesome. Just wish it had certificate management mmcs.
I think the issue is that you didn't know how to use it.
ifpfi@reddit
We have been running a mixed 2016, 2022, and 2025 environment for a little over a month now without any problems (you must install the February update for it to work). We also tested it in a lab environment for a month beforehand and confirmed that machine account passwords were updating as expected.
Just be advised that we were already using LDAPS and NTLMv1 was blocked a long time ago in our environment. Do not even install Server 2025 without that February update.
publicdomainadmin@reddit
FRS -> DFSR migration if you're not already at state 3, and NTLMv1 blocked by default on 2025, both will bite you with a mixed environment. Everything else is pretty smooth if AD replication is healthy going in.
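An added example (not from this thread or any commenter) that turns the three pre-flight items in the comment above into one check: the FRS to DFSR migration state (`dfsrmig /getglobalstate` must report `Eliminated`, global state 3), AD replication health from `repadmin /showrepl * /csv`, and the domain/forest functional level, plus an inventory of which OS versions are already serving as DCs. It assumes the ActiveDirectory RSAT module, `repadmin.exe` and `dfsrmig.exe` on the machine it runs on, domain admin rights, and the column names repadmin emits in CSV mode (`Number of Failures`, `Last Failure Status`, `Destination DSA`, `Source DSA`, `Naming Context`).

```powershell
# Added example, not from the thread: pre-flight checks before promoting a
# newer DC into an existing domain. Assumes RSAT (ActiveDirectory module),
# repadmin.exe and dfsrmig.exe are available and the caller is a domain admin.
function Get-DcPromotionPreflight {
    [CmdletBinding()]
    param()

    $domain = Get-ADDomain
    $forest = Get-ADForest

    # SYSVOL: dfsrmig /getglobalstate prints the FRS->DFSR migration state.
    # Only "Eliminated" (global state 3) means FRS is gone for good.
    $dfsrText     = (& dfsrmig.exe /getglobalstate 2>&1) -join ' '
    $sysvolOnDfsr = $dfsrText -match 'Eliminated'

    # Replication: one CSV row per destination/source/partition. Any non-zero
    # failure count must be cleared before another DC is added to the mix.
    $replRows     = & repadmin.exe /showrepl * /csv | ConvertFrom-Csv
    $replFailures = @($replRows | Where-Object {
        $_.'Number of Failures' -and $_.'Number of Failures' -ne '0' })

    # Functional level: 2016 is the floor the thread names; 2025 is the only
    # level above it, so match on either.
    $levelOk = ("$($domain.DomainMode)" -match '20(16|25)') -and
               ("$($forest.ForestMode)" -match '20(16|25)')

    # Which OS versions are already DCs, so the "mixed" picture is explicit.
    $dcs = Get-ADDomainController -Filter * |
        Select-Object HostName, OperatingSystem, IsGlobalCatalog, Site

    [pscustomobject]@{
        DomainMode          = $domain.DomainMode
        ForestMode          = $forest.ForestMode
        FunctionalLevelOk   = $levelOk
        DfsrMigState        = $dfsrText.Trim()
        SysvolOnDfsr        = $sysvolOnDfsr
        ReplicationFailures = $replFailures.Count
        FailingPartners     = $replFailures |
            Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Failure Status'
        DomainControllers   = $dcs
        ReadyToPromote      = $levelOk -and $sysvolOnDfsr -and ($replFailures.Count -eq 0)
    }
}

# Usage:
# $pre = Get-DcPromotionPreflight
# $pre | Format-List DomainMode, ForestMode, DfsrMigState, ReplicationFailures, ReadyToPromote
# $pre.FailingPartners | Format-Table -AutoSize
# $pre.DomainControllers | Format-Table -AutoSize
```

`ReadyToPromote` is deliberately strict: a single failing replication partner or a SYSVOL still in a pre-`Eliminated` state returns `$false`, because both are exactly the conditions the comment says will bite in a mixed environment.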
Man-e-questions@reddit (OP)
Yes on DFSR. As for NTLMv1, great question as we have lots of legacy apps
publicdomainadmin@reddit
Enable NTLM auditing GPO (audit only, blocks nothing) and watch Event ID 4624, Package Name field will say NTLM V1 for the offenders. Run it for a week before touching anything.
Man-e-questions@reddit (OP)
Excellent thank you so much!
PanicAdmin@reddit
This.
I had a production line blocked after some colleagues changed a dc.
joeykins82@reddit
NTLMv2 was introduced with NT4 SP4; there is absolutely no excuse to do anything other than block it.
If your domain has existed since Win2k it’s possible that your GPOs are forcing acceptance, in which case the remediation pathway is to immediately set LMCompatibilityLevel policy to 4 (as client only use NTLMv2; as server accept NTLMv1 but block LM), wait a few weeks, and bump up to 5 (deny inbound NTLMv1 as well).
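An added example (not from this thread or any commenter) serving the two comments above: the audit-only step, which collects 4624 logon events whose "Package Name (NTLM only)" field reads `NTLM V1` from each DC's Security log and summarizes the offending accounts and sources, and the remediation step, which reads the effective `LmCompatibilityLevel` on each DC so the 4-then-5 rollout can be verified. It assumes the ActiveDirectory RSAT module, remote event log access and PowerShell remoting to the DCs; the level descriptions are those of the "Network security: LAN Manager authentication level" policy.

```powershell
# Added example, not from the thread. Part 1: NTLMv1 audit from 4624 events.
# 4624 volume on busy DCs is large; keep $Days small on the first run.
function Get-NtlmV1Logon {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = (Get-ADDomainController -Filter * | ForEach-Object HostName),
        [int]$Days = 7
    )
    $ms = $Days * 86400000
    # XPath filters on the DC side: 4624 inside the window whose LmPackageName
    # EventData field is "NTLM V1" (the Package Name field in the event text).
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]]]" +
             " and *[EventData[Data[@Name='LmPackageName']='NTLM V1']]"

    foreach ($dc in $ComputerName) {
        Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                DC          = $dc
                Time        = $_.TimeCreated
                Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Workstation = $d.WorkstationName
                SourceIp    = $d.IpAddress
                LogonType   = $d.LogonType
                Package     = $d.LmPackageName
            }
        }
    }
}

# One row per account/source pair with a count, so each legacy app or host is listed once.
function Get-NtlmV1Offender {
    [CmdletBinding()]
    param([int]$Days = 7)
    Get-NtlmV1Logon -Days $Days |
        Group-Object Account, Workstation, SourceIp |
        ForEach-Object {
            [pscustomobject]@{
                Account     = $_.Group[0].Account
                Workstation = $_.Group[0].Workstation
                SourceIp    = $_.Group[0].SourceIp
                Logons      = $_.Count
                LastSeen    = ($_.Group | Measure-Object Time -Maximum).Maximum
            }
        } | Sort-Object Logons -Descending
}

# Part 2: effective LmCompatibilityLevel on each DC, mapped to the policy text
# and to the staged target described above (4 first, then 5).
function Get-LmCompatibilityLevel {
    [CmdletBinding()]
    param([string[]]$ComputerName = (Get-ADDomainController -Filter * | ForEach-Object HostName))
    $meaning = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only, refuse LM'
        5 = 'Send NTLMv2 response only, refuse LM & NTLM'
    }
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $v = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
        if ($null -eq $v) { $v = 3 }   # value absent: OS default (3) on current Windows
        [pscustomobject]@{ Level = [int]$v }
    } | ForEach-Object {
        [pscustomobject]@{
            DC      = $_.PSComputerName
            Level   = $_.Level
            Meaning = $meaning[$_.Level]
            Stage   = if ($_.Level -ge 5) { 'done (NTLMv1 refused)' }
                      elseif ($_.Level -eq 4) { 'stage 1 (LM refused, NTLMv1 still accepted)' }
                      else { 'below stage 1' }
        }
    }
}

# Usage: audit for a week, then check the levels before bumping the policy.
# Get-NtlmV1Offender -Days 7 | Export-Csv .\ntlmv1-offenders.csv -NoTypeInformation
# Get-LmCompatibilityLevel | Format-Table -AutoSize
```

The audit function asserts nothing about the domain policy itself; it only reports what the DCs have already accepted, which is the evidence needed before `LmCompatibilityLevel` is raised to 5 and those sources start failing.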
Ok_SysAdmin@reddit
2025 increased the AD database size. This causes issues in a mixed environment. If you add any 2025, replace all the others and migrate all to 2025 that week. Once you have them all on 2025, you will not have issues. Just don't keep a mixed environment.
SuspiciousOpposite@reddit
The DB size change doesn't happen until all DCs are 2025 and functional levels are raised, IIRC. Just putting in a 2025 doesn't cause issues (to the DB size).
Ok_SysAdmin@reddit
I had read the DB on that individual 2025 server would be larger and that caused replication issues because the others were smaller.
Man-e-questions@reddit (OP)
Ok thanks
ranger_dood@reddit
Prepare to break everything.
TheJesusGuy@reddit
2019 and 2022 only. Cheers.
GremlinNZ@reddit
As of early this year, running a mixed environment with 2025 was a nightmare. Ended up removing the 2025 and migrating to 2022.
Weird stuff like, people could log in fine, lock their PC, come back, can't unlock. Reboot, yep, log in fine. This was the common day to day stuff.
If you're going to add a 2025 don't have anything older for any longer than necessary.
topher358@reddit
Don’t do it if you have DCs older than 2025. At least don’t keep them around. Mixed environments are still broken AFAIK.
Man-e-questions@reddit (OP)
Ok thanks, seems to be the consensus, gonna upgrade to 2022
Infamous-Echidna4141@reddit
I always stick to a generation behind because they always break things. I wouldn't consider 2025 until 2028 (assumption) comes out.
KStieers@reddit
That's the safe answer.
PrettyFlyForITguy@reddit
This sub has had a lot of posts on this topic, and it's always been some weird issue or another. It seems like only 2022 -> 2025 will work smoothly, and in general 2025 has had more bugs.
ohyeahwell@reddit
I just realized I’ve defaulted to asking AI questions like this instead of Reddit
Man-e-questions@reddit (OP)
I did too, but every time I had it redo the answer I got different answers each time. All linking to totally different articles.
nitroman89@reddit
Literally just ran into this today.
LDAP is disabled by default, so anything that still uses LDAP, like Macs and Linux servers, wasn't able to authenticate. We had to disable some LDAP signing until we can migrate everything to use LDAPS.
bbbbbthatsfivebees@reddit
Yup came here to say that. LDAPS is the default now, and is required if you have anything that does password writeback. So if you use an SSO system like Okta, you'll need to set up LDAPS before you even consider it.
I mean, you probably should already have LDAPS, but it's an extra step that some legacy systems don't support.
Man-e-questions@reddit (OP)
Oh interesting, yeah, just had a problem with the latest version of vSphere and vCenter wanting to use LDAPS by default. We kind of had to work around it but should probably get some real certs on there.
InfinityConstruct@reddit
Bring them all to 2022 first.
30yearCurse@reddit
You need to start cleaning up what you have. You have SMB issues, NTLM issues, FRS, Kerberos, issue this, issue that. Get to a point where you can at least upgrade 2016 AD to something newer. Get rid of everything 2016 and earlier.
Not sure what industry you are in, but you could be in a world of pain if you get compromised.
Fit_Prize_3245@reddit
Should have no problem, as long as you don't raise the domain or forest functional level.
00001000U@reddit
Yes, don't do it.
BitsNBytes10101@reddit
Yes, don’t do it.
disclosure5@reddit
So, last we heard mixed DCs were broken.
https://www.reddit.com/r/activedirectory/comments/1lltdk1/comment/n04qpes/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button
Every few months this same thread comes up and someone resolves it by removing the mixed DCs from the domain. Microsoft as usual seems to refuse to acknowledge it despite it being apparently gated in a private KIR from months ago.
Man-e-questions@reddit (OP)
Ok great thank you! Will hold off.
joshghz@reddit
Shouldn't be, so long as the domain functional level is at a minimum of 2016.
There was a lot of noise a while back about issues with Server 2025 DCs, but I have no experience with 2025 as a DC, so I can't speak to any of them.
Stonewalled9999@reddit
We had a lot of issues with them at multiple clients. I have heard rumors that if you move all of the lower level out and stick to 2025 natively all the issues disappear. The problem is I’m not gonna bet any of my clients on that. Should be ok, but not worth the risk for me.
Man-e-questions@reddit (OP)
Yeah we finally got the forest and domain to 2016 at the beginning of the year in anticipation.