Dear all,
Just a word of warning for anyone considering upgrading your AD from
2003 to 2012R2, we've just completed this (for both OS and FL), and have
hit what appears to be a Kerberos bug.
It seems that when machines attempt to renew their machine password
every 30 days, they are no longer able to do so, and users are unable to
log on (an 'incorrect username or password' error appears despite the
correct credentials being used). The system is also no longer manageable
remotely. The System event log shows Kerberos-related errors. This is
affecting all AD desktops and servers from Windows 7/8.1 up to and
including Windows 2012R2. The only fix is to reboot the affected
machine, or alternatively configure the machine password reset interval
in group policy to a greater number of days, or disable it altogether,
neither of which is ideal or best practice.
There isn't a great deal on the web about this, but we've logged a call
with MS, and they indicate this is a known issue, and occurs
specifically when performing an AD upgrade from 2003 to 2012R2. They are
currently investigating the issue, but there is no timescale to a fix.
See an example Technet discussion on this below [1].
I just wanted to a) warn anyone considering this upgrade to be aware of
this bug, and b) see if anyone else on the list has been affected by
this, and has found any other workaround/solutions.
Many Thanks
Mark Edwards
IT Services
University of Bath
[1] http://social.technet.microsoft.com/Forums/windowsserver/en-US/e16fcdda-8e5a-4b30-bbe0-d847bcb68b4e/dc-refuses-administrator-log-on?forum=winserverDS