Windows Server 2025 as a DC


Philip Elder

Dec 6, 2025, 2:16:46 PM
to ntsys...@googlegroups.com

I have a catch-up question for all y’all. I’ve been running myself stupid staying on top of a disaster recovery procedure execution since Labour Day Long Weekend.


What’s the consensus on deploying Windows Server 2025 and running DCPromo into an existing ADDS Forest/Domain with the intent to remove the existing DCs?


Are there still Kerberos issues if we pull the WinServ22 DCs out?


The existing WinServ22 DCs have been running fine since they were deployed three years ago but we have an opportunity to migrate to WinServ25 as we restore services to their new site.


Philip Elder MCTS

Senior Technical Architect

Microsoft High Availability MVP

MPECS Inc.

E-mail: Phili...@mpecsinc.ca

Phone: +1 (780) 458-2028

Web: www.mpecsinc.com

Blog: blog.mpecsinc.com

Twitter: Twitter.com/MPECSInc

Teams: Phili...@MPECSInc.Cloud


Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.


Michael Kurzdorfer

Dec 6, 2025, 10:36:01 PM
to ntsys...@googlegroups.com

I suggest holding off on intermixing 2025 DCs with non-2025 DCs. We had an absolute mess in (thankfully only) our lab. We had all account types affected: User, Computer, and gMSA. I have asked, but haven't gotten any further updates on our ticket. Cleanup was a chore—the passwords needed to be reset...twice. Users will not be able to change their passwords on their own (requires a reset). There is no way to force a gMSA to change the password early. Either wait for it to change (the default is 30 days) or recreate it. The following is from the support ticket we opened 4 months ago. We have not heard any further updates or progress.


We wanted to provide you with an update regarding the authentication issue you've encountered, which appears to align with a known interoperability behavior between Windows Server 2025 and earlier domain controllers.

Specifically, the issue involves Kerberos authentication failures—most notably the ETYPE_NOSUPP error—following password changes that are processed across mixed domain controller environments. This behavior can result in authentication errors for user, computer, service, or gMSA accounts.

The root cause stems from how encryption keys are handled during password changes. If a password change is serviced by a Pre-Windows Server 2025 domain controller and then followed by another change on a 2025 controller, AES keys may be discarded if you attempt to authenticate with a Pre-2025 Domain controller, leaving only RC4 keys available. This can lead to failed authentication attempts, especially in environments enforcing AES encryption like yours.

There are two possible workarounds:

1. Standardize on Windows Server 2025 DCs
   Promote all DCs to Windows Server 2025. This ensures AES keys availability.
2. Remove Windows Server 2025 DCs temporarily
   Continue running your domain controllers only on Windows Server 2022-2019-2016 until a product fix is available. In this case, you should reset the passwords of affected computers, users, service accounts twice to rebuild the missing encryption keys. For Group Managed Service Accounts (gMSAs), you will need to wait until the automatic password reset occurs (30 days) or create new gMSAs, since you cannot force shorter reset intervals post-creation.

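The support ticket quoted above describes two things an administrator has to do by hand: find out which principals are failing with ETYPE_NOSUPP, and then reset the affected passwords twice against a pre-2025 DC. The following PowerShell is an added example written for this thread; it is not code from the list, from Michael's ticket, or from Microsoft. It assumes a domain-joined admin host with the ActiveDirectory module, readable Security logs on the DCs, and that the DC and account names (`DC01`, `DC02`, `jdoe`) are placeholders you replace. The detection half relies on two facts not stated in the thread: the Kerberos error code KDC_ERR_ETYPE_NOSUPP is 14 (0xE), and DCs record it in the Status field of Security events 4768 (TGT request) and 4771 (pre-authentication failed). The remediation half only automates the user-account case; computer accounts and gMSAs are reported with the action the ticket prescribes for them.

```powershell
# Added example for this thread (not code from the list, the poster, or Microsoft).
# Assumptions: run from a domain-joined admin host with the ActiveDirectory module;
# Security logs on the DCs are readable; and, per the ticket's second workaround,
# resets are performed against a pre-2025 DC named in -LegacyDC.
#Requires -Modules ActiveDirectory

# Kerberos error code for KDC_ERR_ETYPE_NOSUPP (RFC 4120): 14 = 0xE
$KDC_ERR_ETYPE_NOSUPP = 14

function Find-EtypeNoSuppFailures {
    <# Lists principals for which a DC logged a 4768 (TGT request) or 4771
       (pre-authentication failed) event with Status 0xE in the look-back window. #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$DomainController,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 4768, 4771; StartTime = $Since }
    foreach ($dc in $DomainController) {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Named EventData fields are only reliably reachable through the XML rendering
            $x = [xml]$e.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # Status is rendered as a hex string such as "0xe"; -as [int] parses it
            if (($d['Status'] -as [int]) -eq $KDC_ERR_ETYPE_NOSUPP) {
                [pscustomobject]@{
                    Time    = $e.TimeCreated
                    DC      = $dc
                    EventId = $e.Id
                    Account = $d['TargetUserName']
                    Client  = $d['IpAddress']
                }
            }
        }
    }
}

function New-RandomSecurePassword {
    # Constructed throwaway value for the first of the two resets; never reused.
    $chars = [char[]](33..126)
    $plain = -join (1..24 | ForEach-Object { $chars | Get-Random })
    ConvertTo-SecureString -String $plain -AsPlainText -Force
}

function Invoke-DoubleReset {
    <# Applies the ticket's "reset twice" step for user accounts against a pre-2025 DC.
       Computer accounts and gMSAs cannot be rebuilt this way from here, so the operator
       is told what the ticket prescribes for them. -WhatIf prints the plan only. #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,
        [Parameter(Mandatory)][string]$LegacyDC,            # a Windows Server 2016/2019/2022 DC
        [Parameter(Mandatory)][securestring]$FinalPassword  # value handed to the user out of band
    )
    foreach ($sam in $SamAccountName) {
        $obj = Get-ADObject -Server $LegacyDC -LDAPFilter "(sAMAccountName=$sam)"
        if (-not $obj) { Write-Warning "$sam not found on $LegacyDC"; continue }
        switch ($obj.ObjectClass) {
            'user' {
                if ($PSCmdlet.ShouldProcess($sam, "Reset password twice on $LegacyDC")) {
                    # First reset: random value; second reset: the value the user will receive
                    Set-ADAccountPassword -Server $LegacyDC -Identity $sam -Reset -NewPassword (New-RandomSecurePassword)
                    Set-ADAccountPassword -Server $LegacyDC -Identity $sam -Reset -NewPassword $FinalPassword
                    "$sam reset twice on $LegacyDC"
                }
            }
            'computer' {
                "$sam is a computer account: on that host, run 'Reset-ComputerMachinePassword -Server $LegacyDC' twice"
            }
            'msDS-GroupManagedServiceAccount' {
                "$sam is a gMSA: wait for the scheduled rollover or recreate it (no early reset is possible)"
            }
            default { "$sam has class $($obj.ObjectClass); no action taken" }
        }
    }
}

# Usage with constructed names:
# Find-EtypeNoSuppFailures -DomainController 'DC01','DC02' -Since (Get-Date).AddHours(-6) | Format-Table
# Invoke-DoubleReset -SamAccountName 'jdoe' -LegacyDC 'DC01' -FinalPassword (Read-Host -AsSecureString 'Final password') -WhatIf
```

Run the finder first on every DC, since a principal may only fail against the DC that dropped its AES keys. The reset function pins every write to one pre-2025 DC with `-Server`, which is the point of the ticket's second workaround: both resets must be serviced by a controller that keeps the AES keys. Use `-WhatIf` until you have reviewed the list, because each user-account reset invalidates the user's current password.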

Jonathan Leslie

Dec 7, 2025, 3:03:22 PM
to ntsysadmin
So then just how do you upgrade DCs to 2025 (as suggested in Michael's first option) when you have multiple DCs without running into this now-known problem before you get the last DC upgraded?

Michael Kurzdorfer

Dec 7, 2025, 3:13:35 PM
to ntsys...@googlegroups.com
We ended up removing the 2025 DC from our lab domain and spent weeks cleaning up the damage it caused. There is no way I could proceed with adding 2025 DCs in any of our production domains with this bug. I simply have too many DCs in our various domains to "safely" cut everything over at once (not that I would want to).

Mike

Philip Elder

Dec 7, 2025, 11:35:03 PM
to ntsys...@googlegroups.com

Did Michael reply to this thread? Or is this in reference to a previous one?


James Iversen

Dec 8, 2025, 7:02:54 AM
to ntsys...@googlegroups.com
Perhaps it’s time to revisit in-place upgrades of DCs? As long as they don’t have a CA installed on them, would this still be a hard nope?

Wright, John M

Dec 8, 2025, 8:35:25 AM
to ntsys...@googlegroups.com

I don’t know about doing that with DCs but I’ve done two in-place upgrades on other servers.  Never again.  They had problems I’d never seen before and would struggle to explain.


--

John Wright

IT Support Specialist

1800 Old Bluegrass Avenue, Louisville, KY 40215

502.708.9953

Please submit IT requests to Hazelwoo...@bluegrass.org

24 Hour Helpline 1.800.928.8000


Jonathan Leslie

Dec 8, 2025, 3:53:08 PM
to ntsys...@googlegroups.com

I got a reply from Michael which I thought was a reply to all and my message was a reply to his. His reply was basically not to add any 2025 DCs until the bug is fixed.


Jonathan


Jonathan Leslie

Dec 8, 2025, 3:53:14 PM
to ntsysadmin
Based on what the issue is, it seems like adding a 2025 member server would be no problem. As for upgrading a DC, I've gotten the impression from what I've read that upgrading from 2022 to 2025 is not like upgrading any previous versions and MS has somehow designed it so the 2022 to 2025 upgrade would not cause issues like upgrading previous versions. I may have mis-read that or reached the wrong conclusion but that's what it seems like to me. However, I'm not in any hurry to introduce problems into the domain so would rather play it safe and confine that to a lab for now.

Heaton, Joseph@Wildlife

Dec 9, 2025, 9:50:23 AM
to ntsys...@googlegroups.com

Interesting. We kind of recently did a widespread upgrade of around 30 or more servers from 2012R2 to 2019. The only issues we ran into were in the IIS area, but I don’t remember exactly what the issue was.


That said, whether you do in-place upgrade, or bring in new, I think you’d run into that bug on the DCs.
