Trouble with Kerberos Authentication on Windows Server 2016 DC

Asked By WizardOfOzz77 On

Hey folks! I'm running into a problem with my Active Directory setup. We've got two Windows Server 2025 domain controllers and one Windows Server 2016 DC. NTLM authentications work flawlessly across all servers, but there's a major hiccup with Kerberos. Whenever a Kerberos pre-authentication is attempted on the 2016 DC, it throws Ex0 errors, and authentication just falls back to NTLM. If I turn off the 2016 server, the two 2025 controllers work perfectly without any issues. However, accounts in the 'Protected Users' group face direct rejections in this scenario. The previous sysadmin had the 2016 server running for some legacy applications. Has anyone experienced this issue before?

2 Answers

Answered By TechGuru123 On

First off, make sure your 2016 DC is fully patched. It's possible the Kerberos hardening changes since 2016 aren't applied, making it incompatible with the 2025 DCs. You might want to check the `SystemDefaultTlsVersions` in the registry, and ensure you’re running .NET version 4.7.2 or 4.8. It could also help to manually install the latest servicing stack and cumulative updates for Windows Server 2016.
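To turn the checklist in TechGuru123's answer into something you can actually run, here is an added PowerShell script (not posted by anyone in this thread). Run it elevated on the 2016 DC. It reads the standard .NET Framework `Release` value and the `SystemDefaultTlsVersions` DWORD from both the 64-bit and WOW6432Node hives, and lists the most recently installed updates via `Get-HotFix`. The release thresholds (461808 for 4.7.2, 528040 for 4.8) are the documented minimums; the number of updates to show is an arbitrary choice.

```powershell
# Added example, not from the thread: collect the facts asked about above
# on a Windows Server 2016 DC. Run in an elevated PowerShell session on that DC.
# Registry paths are the standard .NET Framework locations; the release
# thresholds are the documented minimum "Release" values for 4.7.2 and 4.8.

function Get-NetFrameworkRelease {
    # .NET 4.x records a single "Release" DWORD; map it to a version name.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    if ($null -eq $release)      { $version = 'not found' }
    elseif ($release -ge 528040) { $version = '4.8 or later' }
    elseif ($release -ge 461808) { $version = '4.7.2' }
    else                         { $version = 'older than 4.7.2' }
    [pscustomobject]@{
        Release      = $release
        Version      = $version
        MeetsMinimum = ($null -ne $release -and $release -ge 461808)
    }
}

function Get-SystemDefaultTlsSetting {
    # SystemDefaultTlsVersions=1 makes .NET defer to the OS (SChannel) TLS
    # defaults; both hives matter because 64-bit and 32-bit processes read
    # different keys.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($path in $paths) {
        $v = (Get-ItemProperty -Path $path -Name SystemDefaultTlsVersions -ErrorAction SilentlyContinue).SystemDefaultTlsVersions
        [pscustomobject]@{ Path = $path; SystemDefaultTlsVersions = $v; Enabled = ($v -eq 1) }
    }
}

function Get-RecentUpdates {
    param([int]$Count = 5)   # how many recent packages to show (assumption)
    # Get-HotFix reads Win32_QuickFixEngineering, which lists cumulative and
    # servicing stack packages applied via Windows Update or manual .msu installs.
    Get-HotFix |
        Sort-Object InstalledOn -Descending |
        Select-Object -First $Count HotFixID, Description, InstalledOn
}

Write-Host '--- .NET Framework ---'
Get-NetFrameworkRelease | Format-List

Write-Host '--- SystemDefaultTlsVersions ---'
Get-SystemDefaultTlsSetting | Format-Table -AutoSize

Write-Host '--- Most recent updates ---'
Get-RecentUpdates | Format-Table -AutoSize
```

Compare the newest `HotFixID` against the current Windows Server 2016 cumulative update before concluding the box is fully patched; a missing `Release` value or an `Enabled = False` row is the thing to fix first.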

Answered By AdminProX On

It sounds like you might be experiencing a known bug. Check the System event log on the 2016 DC for any Kerberos key errors. You could consider isolating the 2016 DC or possibly blocking Exchange from using it with firewall rules, but keep in mind that this method is quite unsupported. I've found myself in similar situations before, dealing with legacy setups.

WizardOfOzz77 -

Got it! If it’s still functional with the 2025 DC, can I just keep the 2016 isolated for those older applications?
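AdminProX's suggestion to look at the event log is easier to act on with a query in hand, so here is an added PowerShell script (again, not from anyone in this thread). Run it elevated on the 2016 DC. It pulls errors and warnings from the `Microsoft-Windows-Kerberos-Key-Distribution-Center` provider in the System log, then reads Security events 4768 (TGT request) and 4771 (Kerberos pre-authentication failed) and groups the failures by their `Status` (KRB error) code so you can see which accounts and client addresses are hitting the 2016 DC and with what result. Provider, event IDs and EventData field names are the standard Windows ones; the 24-hour lookback is an assumption you can change.

```powershell
# Added example, not from the thread: surface Kerberos problems on a DC.
# Run elevated on the 2016 DC. Event IDs, provider and field names are the
# standard Windows ones; the lookback window ($Hours) is an assumption.

param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

function Get-KdcSystemErrors {
    param([datetime]$StartTime)
    # Level 2 = Error, 3 = Warning. The KDC service logs here on a DC.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Level        = 2, 3
        StartTime    = $StartTime
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function Get-KerberosFailureSummary {
    param([datetime]$StartTime)
    # 4768 = TGT requested (Status 0x0 on success), 4771 = pre-auth failed.
    # Both carry the KRB error code in the "Status" EventData field.
    $filter = @{ LogName = 'Security'; Id = 4768, 4771; StartTime = $StartTime }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $get  = { param($n) ($data | Where-Object Name -eq $n).'#text' }
        $status = & $get 'Status'
        if ($e.Id -eq 4768 -and $status -eq '0x0') { continue }   # skip successful TGTs
        [pscustomobject]@{
            Time     = $e.TimeCreated
            EventId  = $e.Id
            Account  = & $get 'TargetUserName'
            ClientIP = & $get 'IpAddress'
            PreAuth  = & $get 'PreAuthType'
            Status   = $status
        }
    }
}

Write-Host "--- KDC errors/warnings in System log (last $Hours h) ---"
Get-KdcSystemErrors -StartTime $since | Format-Table -AutoSize -Wrap

Write-Host '--- Kerberos 4768/4771 failures grouped by Status code ---'
$failures = Get-KerberosFailureSummary -StartTime $since
$failures |
    Group-Object Status |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } },
        @{ n = 'Clients';  e = { ($_.Group.ClientIP | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize -Wrap
```

The Security log section needs the "Audit Kerberos Authentication Service" subcategory enabled, which it is by default on DCs. Run the same script against one of the 2025 DCs for a baseline: a `Status` code that shows up only on the 2016 DC is the one to chase.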

