Environment:
Existing DC operating system: Windows Server 2012 R2
Domain and forest functional level: Windows Server 2003
Upgrade procedure:
1. Added a Windows Server 2022 DC and transferred the five FSMO roles to it
2. Removed the Windows Server 2012 R2 DC
3. Raised the domain and forest functional levels to Windows Server 2016
4. Added a Windows Server 2025 DC, at which point the problem appeared
Issue:
No matter how many Windows Server 2025 DCs were added, once a machine was promoted to DC and rebooted it could no longer be logged into, either over Remote Desktop or locally; every attempt reported that the username or password was wrong. Installing the latest Windows updates and trying different domain admin accounts made no difference.
Resolution:
Online searches turned up a workaround: from the Windows Server 2022 DC, open a PowerShell session (PSSession) to the 2025 DC and stop the KDC service; logging in to the 2025 DC then works. But after logging in, even starting the KDC service again did not restore normal replication with the other DCs.
Many methods suggested by ChatGPT were tried without success. Some documents mentioned that resetting the password of the krbtgt system account fixes this problem, and many people recommended downloading a PowerShell script for resetting the krbtgt password.
Microsoft support was engaged first to confirm the problem. After collecting the relevant logs, they also concluded that some encryption protocols used by the KDC service were not supported, which caused the login failures and the DC replication failures, and therefore recommended resetting the krbtgt account password. The reset was done with ADUC; no PowerShell script was provided for it.
After the first krbtgt password reset, a newly built Windows Server 2025 machine promoted to DC could log in and run normally, without waiting for a second reset.
Microsoft nonetheless recommended a second reset after 10 hours, so the password was reset again the next day.
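As an added diagnostic example (not part of the original post), the following PowerShell, run on a DC with the ActiveDirectory module, reports when krbtgt was last reset and whether the 10-hour window for the second reset has elapsed, and lists each DC's KDC service state and Kerberos encryption-type settings. The function names are my own and the 10-hour default maximum ticket lifetime is assumed.

```powershell
# Added example, not from the original post: read-only checks around the
# krbtgt double reset. Assumes the default 10-hour maximum ticket lifetime.
Import-Module ActiveDirectory

# Decode the msDS-SupportedEncryptionTypes bit flags into readable names.
function Get-KerberosEncTypeNames {
    param([int]$Value)
    $flags = @{ 1 = 'DES-CBC-CRC'; 2 = 'DES-CBC-MD5'; 4 = 'RC4-HMAC'; 8 = 'AES128'; 16 = 'AES256' }
    $names = foreach ($bit in ($flags.Keys | Sort-Object)) { if ($Value -band $bit) { $flags[$bit] } }
    if (-not $names) { return 'not set (defaults apply)' }
    return ($names -join ', ')
}

# When was krbtgt last reset, and has enough time passed for the second reset?
function Get-KrbtgtResetStatus {
    param([int]$MinHoursBetweenResets = 10)   # assumed default ticket lifetime
    $krbtgt  = Get-ADUser -Identity krbtgt -Properties PasswordLastSet, 'msDS-SupportedEncryptionTypes'
    $elapsed = (Get-Date) - $krbtgt.PasswordLastSet
    [pscustomobject]@{
        PasswordLastSet   = $krbtgt.PasswordLastSet
        HoursSinceReset   = [math]::Round($elapsed.TotalHours, 1)
        SecondResetDue    = $elapsed.TotalHours -ge $MinHoursBetweenResets
        SupportedEncTypes = Get-KerberosEncTypeNames $krbtgt.'msDS-SupportedEncryptionTypes'
    }
}

# For every DC: OS version, KDC service state, and the DC account's encryption types.
function Get-DcKdcStatus {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $acct = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties 'msDS-SupportedEncryptionTypes'
        $kdc  = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue `
                    -ScriptBlock { (Get-Service -Name kdc).Status }
        [pscustomobject]@{
            DC                = $dc.HostName
            OS                = $dc.OperatingSystem
            KdcService        = if ($kdc) { "$kdc" } else { 'unreachable' }
            SupportedEncTypes = Get-KerberosEncTypeNames $acct.'msDS-SupportedEncryptionTypes'
        }
    }
}

Get-KrbtgtResetStatus | Format-List
Get-DcKdcStatus | Format-Table -AutoSize
```

A DC whose KDC service shows as stopped, or whose krbtgt reset is still inside the 10-hour window, is the state the post describes; the script only reads these values and does not change anything.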