Kerberos error on windows 2016 dc
Posted by Kanolm@reddit | sysadmin | View on Reddit | 18 comments
Hello everyone,
I'm having an issue with my Active Directory. We have two Windows Server 2025 domain controllers and one Windows Server 2016 domain controller. NTLM authentications work perfectly on all three, but Kerberos authentications do not.
When a Kerberos pre-authentication attempt is made on the 2016 domain controller, Ex0 errors occur, and the authentication falls back to NTLM. If I shut down the 2016 server and the authentication is handled by the two 2025 domain controllers, there are no errors.
For accounts that are part of the "Protected Users" group, the authentication is therefore directly rejected. The former sysadmin kept the 2016 server for some older applications.
Does this ring a bell for anyone?
GoatFarmer915@reddit
I'm assuming this is ongoing? I've got a 2025 and a 2019... same exact issue. The CMD recommended in this article has got me by for now. I have yet to revisit a workstation I've ran the fix on. https://old.reddit.com/r/activedirectory/comments/1lltdk1/rc4_issues/n04qpes/
Kanolm@reddit (OP)
We will try to isolate the old DC to another site and lan just for old applications. Then users and computers try to authenticate on 2025 DC it works properly.
technut2020@reddit
DM me maybe I can try to help you with this fellow i.t. pro.
technut2020@reddit
You have 2 DCs that are 2025. What else runs on the DC? Dhcp? Print server? You can migrate that over to another DC. Is this in an on prem hyper-v cluster?
picklednull@reddit
Sounds like you’re hitting my good ole pal this bug.
The System log on the 2016 DC should have Kerberos key errors in that case.
You’ll have to get rid of the 2016 DC or go very unsupported and block Exchange from using the 2016 DC via local outbound firewall block rules, been there done that…
disclosure5@reddit
It's beyond absurd that we call this a "known issue" but Microsoft have an official "known issues" document and it's not even mentioned.
Kanolm@reddit (OP)
Oh looks like my error. Account still works with 2025 DC but not with 2016 DC and ntlm still work.
Do you think I can just isolate 2016 DC for legacy application?
picklednull@reddit
Not really - depends on the applications (what protocols they use).
There's no supported way of forcing Windows clients to not use a specific DC. A creative way to do it is to create a firewall block rule for outbound traffic, but you would need it on every client except the ones hosting the legacy apps.
Kanolm@reddit (OP)
And thanks a lot for this answer!
Kanolm@reddit (OP)
Maybe a specific vlan with firewall rules and this DC as dns. I will see... Hop this DC is useless and legacy app can use 2025.
ScreamingVoid14@reddit
My off the cuff answer would be to do something with the AD sites and create a new "site" with the old DC and the legacy applications there. That should make the legacy apps prefer the legacy DC and the non-legacy hardware prefer the newer DCs.
But really given 2016's limited support future, make plans to update that OS ASAP.
Kanolm@reddit (OP)
And server don't loose their trust relationship.
Cormacolinde@reddit
Known issues with 2025 domain controllers, it is not recommended right now.
If you go to all 2025 and get rid of the 2016 it might fix the issues. You may have to reset the KRBTGT password also.
You could also try to stop the kdc service on the 2016, so that only the 2025 give out tickets, while keeping the 2016 up for other stuff, but you may still have issues.
Stonewalled9999@reddit
A less annoying fix would be spin up 2 2022 DCs and decon the 2 2025. That is what I had to do at customers.
Kanolm@reddit (OP)
And you don't need to reset every password like the other post says?
Stonewalled9999@reddit
Well.....for the clients I had we did not. I cannot promise the same for you as I don't know your environment.. I can say the 2025 DCs were there for 2-3 months before I ripped them out.
joeykins82@reddit
When's the last time you patched the 2016 DC? To me this is screaming that the various Kerberos hardening and behaviour changes which have been introduced since 2016 are not applied and so your 2016 DC is essentially incompatible with 2025.
Make sure that the
SystemDefaultTlsVersionsregistry setting has been configured, that you're running .net 4.7.2 or 4.8, and then manually download the latest servicing stack and cumulative update packages for WinSvr2016 and install them.Kanolm@reddit (OP)
It is patched every month. Last patch was 08-2025.