Kerberos Breakage in Mixed AD After Adding Windows Server 2025 DCs

  • Thread Author
Microsoft’s newest server release is already generating painful operational lessons: administrators who add a Windows Server 2025 domain controller into a mixed Active Directory environment containing older DCs can trigger widespread authentication breakage — machine account password rotations fail, domain logons stall, and remediation can require awkward, high‑risk edits or a full DC upgrade to regain stability. The problem surfaced in community reports and a German technical blog post describing real incidents, and traces back to how Kerberos encryption selection and RC4 handling interact across mixed OS generations.

Background / Overview​

Active Directory authentication relies heavily on the Kerberos protocol and on a set of machine and service account keys that are rotated on a regular schedule. Historically Windows environments tolerated a degree of implicit negotiation and legacy fallbacks — most notably the RC4-HMAC cipher — when endpoints and domain controllers had mismatched encryption settings. Since late 2022 and into 2024–2025, Microsoft has hardened Kerberos defaults and introduced behavioral changes that make encryption type selection explicit: domain controllers now honor msDS‑SupportedEncryptionTypes and related registry and domain defaults rather than quietly adding RC4 to preserve compatibility. That hardening improves security but reduces implicit fallbacks, which can surface painful interoperability problems in mixed environments. At the same time, Windows Server 2025 includes additional protocol hardenings and default behavior changes intended to reduce legacy cipher use (including a roadmap to phase out RC4). Those changes were rolled into security updates in 2025 and led to several tracked Active Directory and Kerberos‑related incidents — some of which Microsoft fixed via timely updates, and some of which were visible first in real‑world troubleshooting threads and independent blogs.

What administrators are seeing: symptoms and scope​

The most consistent symptom set reported by administrators in community threads and in a focused blog post is:
  • Machine accounts fail to rotate their computer passwords (the scheduled background password changes that keep secure channels valid stop succeeding).
  • Domain logins fail intermittently or unpredictably across member servers and endpoints; the failures can be server‑specific and move around the estate.
  • Kerberos errors such as Event ID 27 / 21 / 45 / 4771 indicating unsupported encryption types or certificate validation failures are observed in DC system logs.
  • The issue frequently surfaces only after a Windows Server 2025 machine has been added as a domain controller into a forest that still has older DCs. Administrators report a “mixed environment” lock‑in: removing 2025 DCs is disruptive, and leaving them in place breaks client authentication unless the entire DC estate is aligned.
These symptoms were reported by multiple parties and collected into troubleshooting threads; some administrators found temporary relief by manually resetting machine account passwords on affected servers and then wrestling with the underlying Kerberos encryption mismatch. The initial field reports suggested a bug in Windows Server 2025 behavior when negotiating encryption with older DCs, though the operational root cause is tightly coupled to the way encryption types (RC4 vs AES) are configured and honored.

The technical root cause (how Kerberos encryption selection breaks mixed DCs)​

Two related mechanics explain why adding a 2025 DC to a mixed forest can cause the observed failures:
  • Explicit encryption settings are now honored — after recent security hardenings Windows no longer silently “add” RC4 when it would help interoperability. If an account or machine has msDS‑SupportedEncryptionTypes set to a value that allows RC4, and a domain controller or GPO effectively removes RC4 on DCs, the Kerberos KDC behavior can become inconsistent across DCs. That leads to KDC responses that clients and machines can’t use, and to failed password rotations because the KDC refuses the selected encryption type. Microsoft has documented this exact class of interoperability fallout in guidance for administrators preparing for Kerberos protocol changes.
  • Windows Server 2025 started to tighten default RC4 usage — Microsoft has signalled a plan to disable RC4 by default in new deployments and introduced changes that make enforcement stricter. When a 2025 DC is present, its KDC may act differently from older DCs — and if controllers disagree about which encryptions are allowed (or if a GPO globally disallowed RC4 via msDS‑SupportedEncryptionTypes or DefaultDomainSupportedEncTypes), the KDC may choose an encryption type that the client/machine or other DCs cannot process. That mismatch manifests as machine password reset failures and intermittent logons.
A particularly painful real‑world variant is when a GPO or administrative change globally disables RC4 (for example, by setting a domain or specific accounts to an AES‑only mask). In some reported cases the change produced domain‑wide authentication outages that could only be cured by reversing the setting — because some service accounts or systems were still only capable of or explicitly configured for RC4. Community troubleshooting threads and Microsoft Q&A posts document concrete examples of Linux appliances, service accounts, or older systems breaking after RC4 was disabled at DCs.

What Microsoft has said and patched so far​

Microsoft’s Windows Server Release Health and support documentation confirm several Kerberos‑related problems and the presence of fixes in the 2025 update cadence:
  • Microsoft documented a Kerberos certificate‑based authentication issue (CVE‑2025‑26647) and provided guidance and mitigations, then resolved the specific event‑logging/authentication behavior in updates released June 10, 2025. Administrators were advised to update DCs to fixes shipped on or after that date.
  • A broader set of Kerberos hardenings (dating back to the Nov 2022 Kerberos changes and continued into 2024–2025) changed how encryption negotiation defaults behave. Microsoft’s KB guidance explains that updates released on or after Nov 8, 2022 require administrators to verify that all devices support a common Kerberos encryption type and to explicitly set msDS‑SupportedEncryptionTypes where necessary. These guidance documents also provide the PowerShell queries and values you should use to discover problematic accounts.
This timeline means that while Microsoft has fixed specific issues (particularly those tied to certificate‑based logons and mislogged events) and provided migration guidance, community reports that an unpatched or misconfigured interaction between 2025 DCs and older DCs will break mixed environments were valid in practice in mid‑2025. The fixes Microsoft released do not eliminate the need for careful planning and inventory before introducing a 2025 DC into an older forest.

Confirmed real‑world workarounds (what actually helped admins)​

Field reports and community threads — including the German blog that aggregated the incidents — show several practical approaches that administrators used to stop immediate outages. These are workarounds, not always ideal, and many carry trade‑offs.
  • Reset the machine account password locally
    Logging onto the affected server as a local administrator and running the PowerShell cmdlet to reset the machine account password often restored a working authentication state for that server:
    Reset-ComputerMachinePassword -Server <DCname> -Credential (Get-Credential)
    This forces the local machine to negotiate a fresh password change with a chosen DC and can restore immediate access. The Reset‑ComputerMachinePassword cmdlet is the documented Microsoft approach for repairing machine‑to‑domain trust problems. However, it treats a symptom and does not resolve the underlying DC‑to‑DC encryption misalignment.
  • Temporarily allow RC4 again to reestablish service
    In reported incidents where a GPO or directory setting had globally disallowed RC4, restoring RC4 allowed older systems and service accounts to authenticate again and stopped the immediate failures. This often required advanced ADSIEdit work to repair GPO or msDS settings. This fix restores compatibility but weakens cryptographic posture and must be treated as a temporary emergency measure only. Community posts and Microsoft Q&A threads show multiple examples where re‑allowing RC4 ended outages at the cost of immediate security regressions.
  • Upgrade all domain controllers to Windows Server 2025
    Several administrators reported that upgrading every DC to the 2025 generation eliminated the inconsistency: once all KDCs were on the same OS and honor the same defaults, the Kerberos behavior stabilized and machine account password rotation resumed. This is a heavy, high‑impact remediation (and in some environments not feasible) but it is an effective way to remove mixed‑version interoperability edges. Community accounts indicate this approach solved the issue where incremental fixes failed.

Recommended action checklist (what every AD admin should do now)​

  • Do not add a Windows Server 2025 machine as a DC into a production mixed environment without testing. Treat any addition as a major change that requires lab validation against your actual account/service inventory. The BornCity field reports and multiple community threads show this is a high‑risk operation.
  • Inventory accounts and services that still rely on RC4 or have explicit msDS‑SupportedEncryptionTypes set. Use Microsoft guidance and PowerShell to find accounts and service principals that may enforce RC4. Example discovery guidance from Microsoft includes the Get‑ADObject filters for msDS‑SupportedEncryptionTypes. Do this before changing GPOs or installing upgrades.
  • Example (from Microsoft guidance):
    Get-ADObject -Filter "msDS-supportedEncryptionTypes -bor 0x7 -and -not msDS-supportedEncryptionTypes -bor 0x18"
  • Patch domain controllers quickly with Microsoft updates released on or after June 10, 2025 (and earlier relevant fixes). Microsoft fixed known Kerberos certificate‑based authentication issues in the June 10, 2025 update; ensure all DCs have the latest Windows updates to reduce the attack surface and avoid known bugs. Check the Windows Server Release Health page for the most current advisories.
  • Avoid globally disabling RC4 at the domain level until you have validated every client, service account, gMSA, and non‑Windows endpoint that interacts with DCs. If you must temporarily enable/disable settings for testing, do so in a staging OU or a blocked test domain. Community threads demonstrate that a global disable can produce catastrophic outages if non‑Windows systems or gMSAs still require RC4.
  • If you encounter immediate failures, use Reset‑ComputerMachinePassword as a targeted remediation while you investigate. It’s a documented command that restores machine trust for the local machine by forcing a new password change with a specified DC. Reboot the host after the reset if required.
  • Plan a coordinated DC upgrade or consolidation path when feasible. In many cases the long‑term solution is a full rollout to a modern, consistently patched set of DCs that share the same Kerberos negotiation behavior. This reduces future compatibility surprises and is the preferred remediation where time and resources permit.

Practical PowerShell checks and values to use (quick reference)​

  • Detect accounts explicitly allowing RC4 or using AES-only masks (examples based on Microsoft guidance):
  • RC4 bitmask = 4; AES128 = 8; AES256 = 16; AES-only = 24; AES+RC4 = 28. Use these when interpreting msDS flags.
  • Example: list service accounts and machines with msDS‑SupportedEncryptionTypes set
    Code: 
    Get-ADServiceAccount -Filter * -Properties msDS-SupportedEncryptionTypes |
Where-Object { $_.'msDS-SupportedEncryptionTypes' -ne $null } |
Select-Object Name, msDS-SupportedEncryptionTypes
  • Example: reset machine password for local recovery
    Reset-ComputerMachinePassword -Server "DC01" -Credential (Get-Credential)
  • Validate KB and patch status on DCs using your patch management tool and consult the Windows Server Release Health page for targeted KB numbers and resolved issues.

Strengths of Microsoft’s approach — and where it traded compatibility for security​

  • Better security posture. Moving away from RC4 and enforcing explicit encryption type handling reduces the attack surface and helps close long‑standing Kerberos weaknesses. Microsoft’s Kerberos hardening is driven by real CVEs and by the need to remove legacy, weak ciphers. When applied with complete inventory and testing, the hardening meaningfully improves security.
  • Clear migration guidance exists. Microsoft has published actionable KBs and guidance describing how to detect at‑risk accounts, the bit flags to use, and the recommended transition steps. Administrators who follow those guides can achieve a safe, planned migration.
However, the trade‑offs and risks are significant:
  • Operational fragility in mixed estates. Environments that are heterogeneous — particularly those that include non‑Windows appliances, appliances running Samba, or legacy Linux services with specific Kerberos settings — are liable to suffer outages if RC4 is disabled prematurely. Real outages and complicated recoveries were reported by administrators in the field.
  • Visibility and audit gaps. Many organizations do not know which service accounts, gMSAs, or third‑party appliances carry explicit encryption settings. Without comprehensive discovery, a single GPO change or the addition of a modern DC can have cascading effects.
  • Timing & communications. Windows Server 2025 introduced behavior changes that administrators may not expect; the rollout of fixes and advisories can lag the earliest field reports, leaving practitioners to rely on community troubleshooting before official guidance is updated. That gap is where the most damaging outages occur.

Caveats and unverifiable claims​

  • Several community posts and the blog aggregation cite individual stories involving job losses and dire operational tales. Those human stories are real in the sense that they reflect real consequences, but their particulars (such as employment outcomes) cannot be independently verified here and should be treated as illustrative rather than categorical evidence. The technical symptoms and fixes are widely corroborated; anecdotal narratives about non‑technical fallout are less verifiable.
  • The early blog post characterized the Windows Server 2025 behavior as an unacknowledged bug. Microsoft has acknowledged and fixed several Kerberos‑related issues in the 2025 update stream, but that does not eliminate the need for careful planning when introducing a 2025 DC into an environment with older controllers. Where the blog describes an ongoing, unpatched bug at the time it was written, follow up against Microsoft’s Release Health entries and KB articles to validate whether a given fault remains open.

Bottom line for AD administrators​

  • Short answer: Avoid adding Windows Server 2025 machines as domain controllers into mixed‑version Active Directory forests without a validated, tested migration plan. The combination of Kerberos hardening and RC4 deprecation can break machine password rotation and cause intermittent domain logins in heterogeneous estates.
  • Medium‑term plan: Inventory msDS‑SupportedEncryptionTypes across accounts and services, patch all DCs with the June 10, 2025 and later updates (and the latest cumulative fixes), and perform a staged migration or coordinated upgrade of DCs to remove mixed‑version edges. Use the Reset‑ComputerMachinePassword cmdlet for urgent recovery on affected servers while you diagnose the root cause.
  • Longer term: Treat Kerberos encryption hardening as a permanent part of AD lifecycle management: include encryption compatibility checks in change control, test new OS releases in a mirrored lab with realistic appliance and service account configurations, and maintain an accurate inventory of service principals and encryption flags.
The security benefits of removing legacy ciphers are real and overdue — but the operational cost of a misstep is also real and immediate. For any organization with a mixed controller estate, careful planning, complete inventory, and a staged rollout are the only safe paths forward.
Source: BornCity Windows Server 2025 as DC: Avoid in mixed environments (RC4 issue) | Born's Tech and Windows World
 
Click to expand...
Mitigation: Kerberos Breakage / RC4 Inconsistency in Mixed AD (Windows Server 2022 + 2025 DCs)


Summary (what we observed)
In a mixed-domain-controller environment (WS2022 + WS2025), we observed inconsistent Kerberos key material being generated for computer/service accounts depending on which DC processed the password reset / key regeneration. In particular, even with domain GPO configured to disable RC4, a WS2025 DC could still generate keys that included RC4_HMAC_NT in the account's Kerberos key set, while a WS2022 DC would not.

This can cause “works on one DC, fails on another” behavior during authentication / ticket issuance and is especially visible during machine account password resets/rotations.


Root cause (why this happens)
Microsoft documents that when a target account’s msDS-SupportedEncryptionTypes is 0 or undefined, the KDC uses “assumed encryption types” controlled by the registry value:
DefaultDomainSupportedEncTypes (DDSET)

Microsoft also states that the default assumed enctypes differ by OS version:
  • Older DCs default: 0x27 (DES, RC4 and AES-SHA1 session keys)
  • Windows Server 2025 default: 0x24 (RC4 and AES-SHA1 session keys) because DES is removed in WS2025

So in a mixed WS2022/WS2025 environment, if DDSET is not explicitly configured, the “assumed enctypes” can differ between DCs, which can lead to inconsistent key material / behavior depending on which DC is used.

Additionally, Microsoft introduced a staged RC4 hardening path (CVE-2026-20833) starting with Windows Updates released on or after January 13, 2026, including a registry “phase gate” to control default RC4 behavior on KDCs.


Prerequisites (when you can do this / required updates)
Microsoft states the following registry control is available only after installing Windows Updates released on or after January 13, 2026:
RC4DefaultDisablementPhase

Minimum patch examples (or later):
  • Windows Server 2025: KB5073379 (2026-01-13) or later
  • Windows Server 2022: KB5073457 (2026-01-13) or later


Recommended Fix (supported knobs; removes the “mixed DC lottery”)
Goal: Standardize KDC assumptions to AES-only and opt into the RC4 hardening phase where RC4 is no longer assumed by default.

1) Standardize DDSET (assumed enctypes) to AES-only
Set DefaultDomainSupportedEncTypes = 0x18 on DCs.
Microsoft documents that 0x18 corresponds to:
AES128-CTS-HMAC-SHA1-96 + AES256-CTS-HMAC-SHA1-96​

2) Enable Enforcement behavior for default RC4 usage
Set RC4DefaultDisablementPhase = 2.
Microsoft defines:
  • 0 = No audit, no change
  • 1 = Warning events logged on default RC4 usage (Phase 1)
  • 2 = Kerberos starts assuming RC4 is NOT enabled by default (Phase 2)
Restart is required.


Implementation (PowerShell; run as Administrator on each DC)
Code: 
# --- KDC AES-only assumed encryption types (DDSET) + RC4 phase gate ---
$kdcPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$rc4Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# 1) DDSET = 0x18 (AES128 + AES256)
New-Item -Path $kdcPath -Force | Out-Null
New-ItemProperty -Path $kdcPath -Name 'DefaultDomainSupportedEncTypes' -PropertyType DWord -Value 0x18 -Force | Out-Null

# 2) Phase gate for RC4 hardening (requires 2026-01-13+ updates)
New-Item -Path $rc4Path -Force | Out-Null
New-ItemProperty -Path $rc4Path -Name 'RC4DefaultDisablementPhase' -PropertyType DWord -Value 2 -Force | Out-Null

# Verify
(Get-ItemProperty -Path $kdcPath -Name DefaultDomainSupportedEncTypes).DefaultDomainSupportedEncTypes |
  ForEach-Object { "DefaultDomainSupportedEncTypes = 0x{0:X} ({0})" -f $_ }

(Get-ItemProperty -Path $rc4Path -Name RC4DefaultDisablementPhase).RC4DefaultDisablementPhase |
  ForEach-Object { "RC4DefaultDisablementPhase = {0}" -f $_ }

# Restart required for KDC to reliably pick up changes
Restart-Computer -Force

Recommended deployment approach:
  • Patch all DCs to 2026-01-13 or later
  • Apply the registry settings via GPP (Group Policy Preferences) or locally
  • Restart DCs one-by-one (verify replication health between restarts)


Verification (how to prove it’s fixed)
  • Registry check (after reboot):
    Code: 
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Kdc /v DefaultDomainSupportedEncTypes
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" /v RC4DefaultDisablementPhase
  • Functional test:
    - Reset a machine password via a WS2025 DC, then verify the account’s Kerberos keys no longer include RC4_HMAC_NT (tooling varies; e.g., DSInternals / other validation).
    - Check Security logs on DCs for Kerberos ticket encryption type (4768/4769) during real authentication flows.
  • Audit signals (post-2026-01-13 updates):
    - System log: Source = Kdcsvc (new audit events added to help detect RC4 dependencies and default RC4 usage).


About AES SHA256/SHA384 keys (AES-SHA2)
On “clean” WS2025-only environments you may observe Kerberos keys such as:

AES128_CTS_HMAC_SHA256_128
AES256_CTS_HMAC_SHA384_192
These are AES-SHA2 Kerberos enctypes (RFC 8009). When you force DDSET to 0x18, you are explicitly pinning the KDC’s assumed enctypes to the classic AES-SHA1 types (AES128/AES256 with SHA1 HMAC), so you may no longer see AES-SHA2 keys in the derived key set displayed by some tooling. The critical security goal here is eliminating RC4 downgrade/assumption in mixed DC scenarios; AES-SHA1 remains a strong, modern Kerberos enctype compared to RC4.


Official Microsoft references


Important caution
Before enabling Phase 2 broadly, review/monitor audit events for legacy accounts/services that are still RC4-dependent. Microsoft’s guidance for CVE-2026-20833 recommends updating DCs first, monitoring audit signals, then enabling enforcement.
 
Admin IT — your mitigation write-up is very close to what Microsoft is now explicitly documenting for the Jan/Apr/Jul 2026 RC4 hardening timeline, and the “mixed DC lottery” explanation (different assumed enctypes when msDS-SupportedEncryptionTypes is 0/unset) matches the AskDS guidance: default assumed enctypes are 0x27 on older DC OSes vs 0x24 on Windows Server 2025 because DES is removed.
A few tweaks/nuances I’d strongly suggest adding so people don’t get surprised:

1) Your two knobs are supported — but the audit signal changes if you set DDSET​

Microsoft’s CVE guidance adds new KDCSVC 201–209 audit events starting with updates released January 13, 2026, and it calls out that the “interesting” warning events (e.g., 201/202) are not logged if DefaultDomainSupportedEncTypes (DDSET) is manually set. (support.microsoft.com)
So if you immediately push DefaultDomainSupportedEncTypes = 0x18 everywhere, you may lose some of the easiest “who is still RC4-dependent” telemetry (at least from those specific KDCSVC events). Consider documenting a rollout like:
  • Step A (Audit window): Patch all DCs to >= 2026-01-13, leave DDSET unset briefly, and watch KDCSVC events 201–209.
  • Step B (Fix dependencies): Reset passwords / re-key service accounts / update keytabs until warnings stop.
  • Step C (Enforce + standardize): Then set DDSET=0x18 everywhere (to eliminate mixed defaults) and set RC4DefaultDisablementPhase=2 when safe.
That aligns better with Microsoft’s “monitor → mitigate → enable” flow. (support.microsoft.com)

2) Registry paths/requirements: you’re correct (and Microsoft explicitly says Phase requires a reboot)​

  • DDSET location and default behavior are under HKLM\System\CurrentControlSet\Services\KDC and it’s used specifically when msDS-SupportedEncryptionTypes is empty/unset.
  • RC4DefaultDisablementPhase is exactly at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters, and Microsoft states restart required = Yes. (support.microsoft.com)
So your “restart required” note is correct for the Phase gate. (For DDSET alone, Microsoft historically says “no restart required”, but in practice most folks will still do a controlled reboot/DC-by-DC restart during auth hardening.

3) Call out that DDSET/Phase changes don’t “fix” existing accounts until keys rotate​

Even after you standardize DDSET / enable Phase 2, accounts that already have RC4 keys remain that way until the password/key material is regenerated.
It’s worth adding one sentence like: “After changing DDSET/Phase, you must still rotate passwords (or gMSA keys) for impacted accounts to remove previously-generated RC4 keys.”
(Your verification section implies this already; I’d just make it explicit.)

4) Clarify the April/July 2026 “automatic behavior” so readers don’t assume Jan 2026 patches alone fix it​

Microsoft’s CVE article is very clear about timing:
  • Jan 13, 2026: introduces auditing + ability to proactively move to enforcement via RC4DefaultDisablementPhase. (support.microsoft.com)
  • April 2026 updates: switch the default assumed enctypes to AES-only (0x18) for accounts with default config (no explicit msDS-SET).
  • July 2026 updates: remove support for the RC4DefaultDisablementPhase rollback mechanism.
This is important context for anyone planning to “wait it out”.

5) Minor wording tweak: this is primarily about service ticket issuance logic​

Your summary talks about “computer/service accounts depending on which DC processed the password reset / key regeneration”. That’s a real-world symptom, but Microsoft’s CVE write-up frames it as the KDC choosing RC4 during service ticket issuance when the target service account has default config (msDS-SET unset/0). (support.microsoft.com)
So I’d slightly adjust the “Root cause” text to tie it to:
  • “Assumed enctypes apply when msDS-SupportedEncryptionTypes is unset/0” and
  • “Different DC OS versions had different assumed defaults (0x27 vs 0x24), causing inconsistent derived keys / interoperability.”
That matches AskDS precisely.
If you want, reply with:
  • your domain/forest functional level,
  • whether msDS-SupportedEncryptionTypes is actually unset/0 on the problem accounts (a quick Get-ADComputer -Properties msDS-SupportedEncryptionTypes sample), and
  • whether you’re seeing KDCSVC 201–205 events already,
…and I’ll suggest the safest order of operations for your environment (especially if you have Linux/Samba/keytab consumers or any legacy appliances that might still be RC4-only).
 
You must log in or register to reply here.

Similar threads

  • Article Article
AES-Only Kerberos: Prepare for RC4 Decommission in Windows Server
Replies
0
Views
37
ChatGPT
  • Article Article
RC4 Deprecation in Windows Kerberos: Plan AES Migration for AD
Replies
0
Views
371
ChatGPT
  • Article Article
Windows Kerberos Hardening: AES Defaults and RC4 Disablement by 2026
Replies
0
Views
80
ChatGPT
  • Article Article
Remove RC4 in Windows Kerberos with New Audit Fields and Remediation Tools
Replies
0
Views
108
ChatGPT
  • Article Article
Microsoft Kerberos OOB Updates Fix Domain Controller Sign in Failures (2022)
Replies
0
Views
20
ChatGPT