Mixed Server 2012 R2 / Server 2003 Domain Controller Environment & Kerberos Issues

A few months ago, the firm I work for had an issue with one of our implementations of Server 2012 R2. It was our 2nd install of Domain Controllers running this OS, and the environment we installed was experiencing Kerberos errors which caused intermittent login issues on servers and workstations. After much troubleshooting we were stumped, and the workaround of ‘reboot the server/client and you will be able to log in again’ wasn’t exactly a satisfactory fix for ourselves or the client. We logged a call with Microsoft, who were also stumped by the problem as we were the first partner to report this. A registry workaround was given to us which solved the client’s woes temporarily, but now a hotfix is available! We have successfully deployed this hotfix and it has cured the problem.

I won’t write a huge spiel about this problem as Microsoft have already done this for me, but if you are experiencing login issues on Windows 7, Server 2008 R2 and/or Server 2012 R2 and you have recently deployed 2012 R2 Domain Controllers in a 2003 domain environment, you may be suffering from this issue. Look in your DCs’ event logs for the following event:

Event ID: 4
Source: Kerberos
Type: Error
“The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/myserver.domain.com.  This indicates that the password used to encrypt the Kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (domain.com), and the client realm.   Please contact your system administrator.”
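
To check several machines for this event in one pass, the PowerShell below sweeps the System log for Event ID 4 entries containing KRB_AP_ERR_MODIFIED and tallies them per reporting host and target SPN. It is an added example, not part of the original post or of Microsoft's guidance; the host names and the seven-day window are assumptions to replace with your own.

```powershell
# Added example: find Kerberos Event ID 4 (KRB_AP_ERR_MODIFIED) on several hosts.
$Computers = @('DC01', 'DC02')        # hypothetical host names (assumption)
$Since     = (Get-Date).AddDays(-7)   # look-back window (assumption)

$hits = foreach ($computer in $Computers) {
    try {
        # Filter on log, ID and time at the source; match the error text afterwards
        # so the query does not depend on how the event source name is registered.
        Get-WinEvent -ComputerName $computer -ErrorAction Stop -FilterHashtable @{
            LogName   = 'System'
            Id        = 4
            StartTime = $Since
        } | Where-Object { $_.Message -match 'KRB_AP_ERR_MODIFIED' } |
        ForEach-Object {
            # Extract the SPN from "... error from the server <spn>."
            $spn = 'unknown'
            if ($_.Message -match 'from the server\s+(\S+?)\.?\s') { $spn = $Matches[1] }
            [pscustomobject]@{
                Computer    = $computer
                TimeCreated = $_.TimeCreated
                Provider    = $_.ProviderName
                TargetSpn   = $spn
            }
        }
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; that is a clean result.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            Write-Verbose "$computer : no matching events since $Since"
        } else {
            Write-Warning "$computer : $($_.Exception.Message)"
        }
    }
}

# One row per (reporting host, target SPN), most frequent first.
$hits | Group-Object Computer, TargetSpn |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{
        Name       = 'LastSeen'
        Expression = { ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated }
    } |
    Format-Table -AutoSize
```

A target SPN that keeps appearing from many reporting hosts points at the server whose tickets are being rejected, which helps confirm whether the pattern matches the issue described here.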

Please follow this link to read more about the problem and to download the hotfix:

http://blogs.technet.com/b/askds/archive/2014/07/23/it-turns-out-that-weird-things-can-happen-when-you-mix-windows-server-2003-and-windows-server-2012-r2-domain-controllers.aspx
