Kerberos Event IDs 201–209 not appearing in System log on DCs – is this expected?


Max Coder

Feb 9, 2026, 7:33:51 AM
to ntsysadmin
I recently installed the latest Cumulative Updates (CU) on my Domain Controllers.
After the update, I do **not** see any **Kerberos-related System event log entries (Event IDs 201–209)**.
However, I **do see Kerberos events in the Security log**, specifically **Event ID 4769**.
Is this behavior expected?
Additional details:

* On the Domain Controllers, the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KDC\DefaultDomainSupportedEncTypes` is **not defined**.
* Kerberos encryption types are configured **only via Group Policy**: **Network security: Configure encryption types allowed for Kerberos**
    * RC4\_HMAC\_MD5
    * AES128\_HMAC\_SHA1
    * AES256\_HMAC\_SHA1
    * Future encryption types

I understand that Event IDs **201–209** are related to Kerberos AES transition auditing.
Is it normal that these events do not appear in the **System log** while Kerberos ticket events (4769) are logged in the **Security log**?
Are there any additional audit policies or registry settings required to enable the 201–209 Kerberos events?