Posts Tagged ‘Windows 2003’

Upgrading from Windows 2003 ADS to Windows 2012 R2

Initially, I tried to bring a Windows 2012 R2 into the 2003 ADS environment directly. In other words, I installed 2012 server and tried to promote it in an environment with 2003 DCs exclusively. This failed miserably and instead of spending a lot of time trying to figure the issue out, I opted to go to 2008 R2 and then 2012 R2. This scenario went much smoother.

This was a single Windows 2003 domain. Very simple environment. All role installation and promotion was done from the domain Administrator account.

I built a Windows 2008 R2 server and joined it to the domain.

Then, I added the Active Directory Domain Services role, and let the wizard install the DNS Server role as well.

Once the roles were installed and the server rebooted, if needed, I verified the time and that DNS was set correctly.

Then, I ran dcpromo.

When dcpromo was finished, I rebooted and logged in with the domain Administrator account.

Then, I transferred all the FSMO roles to the new Windows 2008 R2 domain controller (see http://jim-zimmerman.com/?p=880 ).

I built and joined a Windows 2012 R2 server to the domain.

I added the Active Directory Domain Services role, and again let the wizard install the DNS Server role.

Once the roles were installed, and I verified the DNS and time, I ran the dcpromo equivalent in Windows 2012 R2. I clicked on the flag with the warning symbol in the top right of the Server Manager window. In the drop down, under the Active Directory Domain Services role, was a link to promote the server. I clicked on it to start the promotion. Note: dcpromo is not supported in 2012. When you try to run it, you get a message telling you to go to Server Manager.
Note: In the dcpromo equivalent from Server Manager, make sure to select the 2008 server to replicate from.

After the server rebooted, I transferred all the roles, in a similar manner as above, to my Windows 2012 R2 server.

Once that was done, I verified replication and authenticated to the 2012 server from a client.

Then, I shut down my 2003 domain controller.

In a week or maybe two, I will boot the 2003 server and demote it. I don’t want to demote right away in case something goes wrong or comes up.

Then, I will demote the 2008 server as well. If there were more than one domain controller in this environment, I would keep the 2008 server up until all the domain controllers were replaced with upgraded ones.

UPDATE: So, I demoted the 2003 server after checking to make sure all the roles were on the 2012 server, and ensuring that the Global Catalog was on the 2012 server too. To demote, I just ran dcpromo.

Then, a couple days later, I went through the same process on my 2008 server. I ended with only one domain controller which is a Windows 2012 R2 server.
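
The check described in the UPDATE above (all roles and the Global Catalog on the 2012 server before demoting the old DCs) can be scripted. This is an added example, not part of the original post; it assumes it is run on the new 2012 R2 domain controller with the ActiveDirectory PowerShell module available, and the variable names are illustrative.

```powershell
# Added example (not from the original post): pre-demotion check.
# Assumption: run on the new Windows 2012 R2 domain controller itself.
Import-Module ActiveDirectory

$newDc  = Get-ADDomainController -Identity $env:COMPUTERNAME
$domain = Get-ADDomain
$forest = Get-ADForest

# The five FSMO roles: three per domain, two per forest.
$roles = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}

$problems = @()
foreach ($role in $roles.GetEnumerator()) {
    # Role holders and HostName are both FQDNs; -ne is case-insensitive.
    if ($role.Value -ne $newDc.HostName) {
        $problems += "$($role.Key) is still held by $($role.Value)"
    }
}

if (-not $newDc.IsGlobalCatalog) {
    $problems += "$($newDc.HostName) is not a Global Catalog"
}

# Any replication failure recorded for this DC blocks a safe demotion.
foreach ($f in @(Get-ADReplicationFailure -Target $newDc.HostName)) {
    $problems += "Replication failure with $($f.Partner): error $($f.LastError)"
}

# List every DC still registered in the domain, to see what remains to demote.
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "All FSMO roles and a Global Catalog are on $($newDc.HostName); no replication failures reported."
}
```

Any warning means the old domain controller should stay up until the cause is resolved.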

Windows 2008 R2 to Windows 2003 trust relationship

More old notes:

These are the steps I used to create a one way trust between a Windows 2008 R2 server domain and a Windows 2003 server domain. The object was to give the Windows 2008 domain environment (DomainA.com) access to the Windows 2003 domain environment (DomainB.com), but DomainB.com would have no access to the DomainA.com domain. This process can be very confusing and difficult to keep straight in your head, but I am certain that these steps worked in the environments I described above.

Windows 2008 –> Windows 2003.
From DomainA.com (Windows 2008):
Bring up “Active Directory Domains and Trusts”
Right mouse click on DomainB.com and go to Properties.
Click on the Trusts tab.
Click “New Trust”
Next
Trust Name: DomainB.com
Forest trust
One-way: incoming
This domain only
Trust Password
Next
Next
No, do not confirm the incoming trust.

From DomainB.com (Windows 2003):
Bring up “Active Directory Domains and Trusts”
Right mouse click on DomainB.com and go to Properties.
Click on the Trusts tab.
New Trust
Next
Trust Type: Forest trust
One-way: outgoing
Sides of Trust: This domain only
Forest-wide authentication
Trust Password
Next
Next
Confirm Outgoing Trust: Yes, confirm the outgoing trust.

Then, to grant authentication permission:
From the Active Directory Users and Computers on the DomainB.com server:
Click View and Advanced Features.
Right click on Domain Controllers and go to Properties.
Then click on the Security tab.
Click Add…
Click Locations…
Select DomainA.com from the list and click OK.
Then enter under “Enter the object names to select” the user/group that you want to grant access to DomainB.com from a DomainA.com account. In my case, I just chose Domain Users.
From here I am prompted for DomainA.com credentials which I enter. This can be an issue that I need to figure out, because what if I have no credentials in DomainA.com? It does seem that I shouldn’t need any in this configuration. In my case, this allowed a DomainA.com login the capability to log in to a DomainB.com computer and access resources on DomainA.com and DomainB.com as permitted. However, because it is a one way trust, DomainB.com cannot access resources on DomainA.com.
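
Because the direction of a one-way trust is easy to get backwards, it is worth reading it back after the wizard finishes. The following is an added example, not part of the original post: it uses the .NET `System.DirectoryServices.ActiveDirectory` classes from PowerShell, assumes it is run on a domain-joined machine in DomainB.com (the trusting side), and the `$expected` table is an illustrative allow-list using the post's placeholder names.

```powershell
# Added example (not from the original post): audit forest trusts as seen
# from the local forest. Assumption: run inside DomainB.com, the trusting side.
# $expected is a hypothetical allow-list: partner forest -> expected direction.
$expected = @{ 'DomainA.com' = 'Outbound' }

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

$report = foreach ($trust in $forest.GetAllTrustRelationships()) {
    $direction = $trust.TrustDirection.ToString()   # Inbound, Outbound or Bidirectional

    # Authentication scope (forest-wide vs. selective) is a property of the
    # outgoing side, so only query it when this forest trusts the partner.
    $selective = 'n/a'
    if ($direction -ne 'Inbound') {
        try   { $selective = $forest.GetSelectiveAuthenticationStatus($trust.TargetName) }
        catch { $selective = "unreadable: $($_.Exception.Message)" }
    }

    # Compare against the allow-list; hashtable keys are case-insensitive.
    $want = $expected[$trust.TargetName]
    if (-not $want) {
        $verdict = 'UNEXPECTED TRUST'
    } elseif ($want -ne $direction) {
        $verdict = "WRONG DIRECTION (expected $want)"
    } else {
        $verdict = 'OK'
    }

    New-Object PSObject -Property @{
        Partner                 = $trust.TargetName
        Type                    = $trust.TrustType
        Direction               = $direction
        SelectiveAuthentication = $selective
        Verdict                 = $verdict
    }
}

$report | Select-Object Partner, Type, Direction, SelectiveAuthentication, Verdict |
    Format-Table -AutoSize
```

For the configuration in the post, the expected row is DomainA.com with direction Outbound and SelectiveAuthentication False, since "Forest-wide authentication" was chosen; a Bidirectional entry would mean DomainB.com accounts can also authenticate into DomainA.com.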

QoS Packet Scheduler – Windows 2008 to Windows 2003

Ran into an interesting issue when accessing a Windows 2003 domain controller from a Windows 2008 server via a gigabit interface connected to a gigabit switch.

I was trying to access a Windows 2003 domain controller (HP BL460c) attached to a 1000Mb switch (Cisco 2960) from a Windows 2008 blade server (BL460c) connected to the same 1000Mb switch (Cisco 2960). Performance was terrible. I was having trouble accessing shares on the 2003 DC and the Network Policy Server was not responding to authentication requests when the server had a secure channel to this DC. However, when I had a secure channel to another Windows 2003 DC (HP DL380) connected to a 100Mb switch (Cisco 3550), I had no problems. The solution was to simply install the QoS Packet Scheduler for the Windows 2003 DC (BL460c). This took care of the issue.

Demote a Windows 2003 server.

To demote a Windows 2003 Active Directory domain controller to a member server, perform the following from the domain controller you wish to demote:

1) Go to Start/Administrative Tools/Active Directory Users and Computers.

2) Right mouse click on the domain, and click on “Connect to Domain Controller.”

3) Choose the domain controller that you want to demote. Note: This should be the one you are logged into.

4) Now issue the dcpromo command to remove Active Directory and demote the server.
