I've got two domain controllers running Windows Server 2016 at one location and another running Windows Server 2025 at a different location. Lately, I've been facing some issues with invalid passwords across these sites. For example, I set up a test user and logged in on the 2016 DC, then tried switching to the 2025 DC, but it threw an incorrect password error. Restarting the computer helped, but when I reverted back to the 2016 DC, I could log in without any issues, even after several attempts. The only way I got it to work was through resetting the machine password. I suspect that the problem could be related to encryption since I know our 2016 DCs still use DES encryption. I don't encounter any time issues with the 2025 DC, so I'm puzzled about what's causing this. Does anyone have insights on interpreting the supplemental credentials or how the encryption settings play into this?
3 Answers
Have you looked into the machine password expiration settings? If your 2016 machines are set to change passwords at a different interval than your 2025 DC, it could create sync issues. Disabling password changes temporarily could be a stopgap until you figure this out. Ultimately, ensuring uniformity in the encryption methods across your domain controllers could solve most of these headaches!
You might also want to check the time synchronization across your network. Kerberos is sensitive to time discrepancies, so if there’s a lag between the two sites, it could lead to authentication failures. Make sure all machines are syncing with a reliable time source to help alleviate some of these issues.
It sounds like you might be running into issues with Kerberos ticketing and the differing encryption methods used by the two domain controllers. Since the 2016 DCs are using DES, this can lead to problems when users switch to the 2025 DC that supports more current encryption like AES. Restarting the computer likely forces a refresh of the credentials, which explains why that temporarily resolved your login issue. You may want to consider updating your 2016 DCs to support AES instead of DES to avoid those pitfalls. It's definitely a headache, but it’s a common issue when mixing different versions.
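The three answers above point at three different things (Kerberos encryption types, machine password rotation, and clock skew) without showing how to check any of them. The script below is an added diagnostic example, not code from the original thread or from any of the posters. It assumes the RSAT ActiveDirectory module, a domain-admin session on the affected client, and placeholder DC hostnames (DC2016-01, DC2016-02, DC2025-01) that you would replace with your own. It decodes the msDS-SupportedEncryptionTypes bit flags for each DC's computer account and for the client, reads each account's PasswordLastSet as stored on every DC (a client whose password timestamp differs between DCs is the classic cause of "password mismatch on one DC only"), shows the client's Netlogon rotation settings, tests the secure channel against each DC individually, and measures clock offset to each DC with w32tm.

```powershell
# Added diagnostic example (not from the thread). Assumes RSAT ActiveDirectory,
# a domain-admin session on the failing client, and placeholder DC names.
Import-Module ActiveDirectory

$dcs      = @('DC2016-01', 'DC2016-02', 'DC2025-01')   # placeholders: your DCs
$computer = $env:COMPUTERNAME                          # the client that fails to log on

# Bit flags stored in msDS-SupportedEncryptionTypes (documented Windows values).
$etypeBits = [ordered]@{
    DES_CBC_CRC             = 0x01
    DES_CBC_MD5             = 0x02
    RC4_HMAC                = 0x04
    AES128_CTS_HMAC_SHA1_96 = 0x08
    AES256_CTS_HMAC_SHA1_96 = 0x10
}

function Get-EtypeNames {
    param([Nullable[int]]$Value)
    if ($null -eq $Value) { return '(not set: DC default applies)' }
    $names = $etypeBits.GetEnumerator() |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key }
    if (-not $names) { return '(0: nothing advertised)' }
    return ($names -join ',')
}

# 1. Encryption types and password timestamps, as each DC sees them.
#    Query every DC for every account: a row that differs between DCs for the
#    same account means the two sites have not replicated that change yet.
$rows = foreach ($dc in $dcs) {
    foreach ($name in ($dcs + $computer)) {
        $acct = Get-ADComputer -Identity $name -Server $dc `
                    -Properties 'msDS-SupportedEncryptionTypes', PasswordLastSet
        [pscustomobject]@{
            QueriedDC       = $dc
            Account         = $name
            Etypes          = Get-EtypeNames $acct.'msDS-SupportedEncryptionTypes'
            PasswordLastSet = $acct.PasswordLastSet
        }
    }
}
$rows | Sort-Object Account, QueriedDC | Format-Table -AutoSize

# 2. Machine password rotation policy on this client.
#    DisablePasswordChange=1 stops rotation; MaximumPasswordAge defaults to 30 days.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' |
    Select-Object DisablePasswordChange, MaximumPasswordAge

# 3. Secure channel tested against each DC separately, so a DC that still
#    holds the old machine password shows up as BROKEN on its own.
foreach ($dc in $dcs) {
    $ok = Test-ComputerSecureChannel -Server $dc
    '{0}: secure channel {1}' -f $dc, $(if ($ok) { 'OK' } else { 'BROKEN' })
}

# 4. Clock offset to each DC. Kerberos tolerates 5 minutes by default.
foreach ($dc in $dcs) {
    "--- $dc ---"
    w32tm /stripchart /computer:$dc /samples:3 /dataonly
}

# 5. Tickets currently held, including the etype each was issued with.
klist
```

Two things to check in the output before reaching for Reset-ComputerMachinePassword again: whether the client's PasswordLastSet is the same on all three DCs (if the 2025 DC shows an older value, it is a replication problem between sites, not an encryption problem), and whether any DC or client account actually has the DES bits set. DES Kerberos etypes have been disabled by default since Windows 7 and Server 2008 R2, so if they are in use on the 2016 DCs someone enabled them explicitly, and the same account must advertise a common etype on both DCs for a ticket issued by one to be usable against the other. If the secure channel to only one DC is BROKEN, Test-ComputerSecureChannel -Server <that DC> -Repair rebuilds it against that DC specifically.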