KB-4623: Centrify Best Practice for upgrading Windows 2003R2 to Windows 2012R2

Authentication Service

21 December,15 at 06:47 PM


What is the best practice when upgrading the AD schema from Windows 2003R2 to Windows 2012R2?



Windows Server 2003 did not support AES.  Windows Server 2008 and above introduced a new encryption type, AES, that can be used when Active Directory is running at Domain Controller Functional Level 2008 or 2012.  Centrify DirectControl 4.0.0 is not compatible with Windows 2012, so systems running Centrify DirectControl 4.0.0 need to be upgraded.  The latest version of Centrify DirectControl is Suite 2014 (5.1.3).


1.  Upgrade AD schema

2.  Upgrade Centrify DirectControl (a live upgrade can be done: after downloading the latest package, run the script "")

3.  On the adclient, run the following as root to update the keytab, adding AES entries
# adkeytab -r -m

4.  On the adclient, a restart is needed to cope with encryption type and computer password hash changes
# /usr/share/centrifydc/bin/centrifydc restart
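
A check to run after steps 3 and 4, as an added example that is not part of the original article and is not Centrify code: it reads text in the layout printed by MIT Kerberos `klist -kte` and lists every principal whose newest key version (highest KVNO) has no AES key. The host name, realm, principals and timestamps in the two samples are constructed.

```shell
#!/bin/sh
# Added example (not Centrify code). Reads text in the `klist -kte` layout on
# stdin and prints each principal whose highest KVNO has no AES key.
# Returns 0 when every principal has an AES key, 1 otherwise.
keytab_missing_aes() {
    missing=$(awk '
        $1 ~ /^[0-9]+$/ {
            princ = ""
            for (i = 2; i <= NF; i++) if ($i ~ /@/) { princ = $i; break }
            if (princ == "") next
            kvno = $1 + 0
            etype = ""                      # text inside the trailing (...)
            if ($0 ~ /\(.*\)[ \t]*$/) {
                etype = $0
                sub(/^[^(]*\(/, "", etype)
                sub(/\)[ \t]*$/, "", etype)
            }
            # A higher KVNO supersedes older keys, so restart the AES check.
            if (!(princ in newest) || kvno > newest[princ]) {
                newest[princ] = kvno; aes[princ] = 0
            }
            if (kvno == newest[princ] && tolower(etype) ~ /aes/) aes[princ] = 1
        }
        END { for (p in newest) if (!aes[p]) print p }' | LC_ALL=C sort)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample: keytab as it might look before step 3 (no AES keys).
SAMPLE_BEFORE='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------
   2 01/04/2016 09:15:00 host/unix01.example.com@EXAMPLE.COM (arcfour-hmac)
   2 01/04/2016 09:15:00 host/unix01.example.com@EXAMPLE.COM (des-cbc-md5)
   2 01/04/2016 09:15:00 http/unix01.example.com@EXAMPLE.COM (arcfour-hmac)'

# Constructed sample: after the reset, KVNO 3 carries AES keys as well.
SAMPLE_AFTER="$SAMPLE_BEFORE
   3 01/05/2016 10:30:00 host/unix01.example.com@EXAMPLE.COM (arcfour-hmac)
   3 01/05/2016 10:30:00 host/unix01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 01/05/2016 10:30:00 http/unix01.example.com@EXAMPLE.COM (arcfour-hmac)
   3 01/05/2016 10:30:00 http/unix01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)"

echo "before:"; printf '%s\n' "$SAMPLE_BEFORE" | keytab_missing_aes || echo "(AES keys missing)"
echo "after:";  printf '%s\n' "$SAMPLE_AFTER"  | keytab_missing_aes && echo "(all principals have AES keys)"
```

On a real system, pipe the output of `klist -kte` for the machine keytab into `keytab_missing_aes` as root; an empty result means every principal has an AES key at its current KVNO.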