There are two ways to see which Certificate Authority servers exist in your AD domain.
The AD group Cert Publishers contains the servers that are permitted to publish certificates to AD. As a consequence, this group will contain all servers that are CAs.
You can use the certutil command to view (and select from) a list of CAs in the current AD domain:
certutil -config - -ping
Note: type the command as-is, including all spaces and hyphens.
A window will appear, listing the CA name and the server it runs on.
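As an added example (not from the original page), the PowerShell below cross-checks the Cert Publishers membership against the enterprise CA objects registered under the Enrollment Services container in the AD configuration partition, so that group members with no matching CA object stand out for review. It assumes the ActiveDirectory RSAT module is installed and that you run it in the domain whose group you want to audit; the variable names are illustrative.

```powershell
# Added example: audit Cert Publishers against registered enterprise CAs.
# Assumes the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

# Method 1: computer accounts that are members of Cert Publishers.
$publishers = @(
    Get-ADGroupMember -Identity 'Cert Publishers' -Recursive |
        Where-Object { $_.objectClass -eq 'computer' } |
        ForEach-Object {
            (Get-ADComputer -Identity $_.distinguishedName -Properties dNSHostName).dNSHostName
        }
)

# Method 2: enterprise CAs registered in the configuration partition.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$enrollBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$caObjects  = @(
    Get-ADObject -SearchBase $enrollBase `
                 -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                 -Properties cn, dNSHostName
)
$caHosts = @($caObjects | ForEach-Object { $_.dNSHostName })

# Union of both lists, with one row per host showing where it was found.
$allHosts = ($caHosts + $publishers) | Where-Object { $_ } | Sort-Object -Unique

$report = foreach ($h in $allHosts) {
    [pscustomobject]@{
        Host          = $h
        CAName        = ($caObjects | Where-Object { $_.dNSHostName -eq $h }).cn -join ', '
        RegisteredCA  = $caHosts    -contains $h
        CertPublisher = $publishers -contains $h
    }
}

$report | Format-Table -AutoSize

# Members of Cert Publishers with no CA object: candidates for removal
# (decommissioned CAs or accounts that were added by hand).
$report | Where-Object { $_.CertPublisher -and -not $_.RegisteredCA }
```

Cert Publishers is a per-domain group, so in a multi-domain forest repeat the group query in each domain; the Enrollment Services container is forest-wide.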
When attempting to log on with a domain account on a computer joined to a domain that has both 2012R2 and 2003 domain controllers, you may encounter the following error:
Additionally, Event ID 4 with source Kerberos is logged. You can only log on using local accounts.
Mixed 2012R2 and 2003 AD environments require hotfix 2989971 to be installed on every 2012R2 DC. See the KB for a full explanation.