KDC Authentication problems with 2003 to 2008 domain functional level
by Robin on May.09, 2012, under Active Directory Domain Services, Exchange, Hyper-V, Windows 2008
Recently I have had problems connecting to the console on a number of 2008 R2 Hyper-V guest virtual machines. The error was “An Authentication Error Has Occurred. The Encryption Type Requested Is not supported by the KDC”. I have also had a single Exchange 2010 server fail with the following event IDs: 2102, 2103, 2114 and 9106, all reporting LDAP problems and non-responding domain controllers and global catalogs:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1696). Topology discovery failed, error 0x80040952 (LDAP_LOCAL_ERROR (Client-side internal error or bad LDAP message)). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, “Microsoft LDAP Error Codes.” Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.
Process STORE.EXE (PID=4084). All Global Catalog Servers in forest DC=xxx,DC=xx,DC=xx are not responding:
Process STORE.EXE (PID=4084). All Domain Controller Servers in use are not responding:
Attempting to open the Exchange Management Console on the local server console ended with an HTTP server error status 500 and a “Kerberos” authentication failure.
The Exchange server was able to ping and resolve all DNS names correctly, and the problem went away on restarting only to recur in 24 hours or so.
The rather simple resolution in the end turned out to be restarting the “Kerberos Key Distribution Center (KDC)” service on all domain controllers. While restarting all domain controllers in their entirety is also a good idea, it isn’t always possible (or desirable) in a live production environment.
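The restart described above, scripted across every domain controller and followed by a check of the Exchange server's Application log for the event IDs listed earlier. This is an added example, not the post's own procedure; it assumes the ActiveDirectory PowerShell module, WinRM enabled on the DCs, rights to manage services on them, and a placeholder Exchange server name in $exchangeServer.

```powershell
# Added example (not from the original post): restart the KDC service on all
# domain controllers, confirm it is running, then look for the Exchange
# ADAccess events quoted in the post (2102, 2103, 2114, 9106) in the last hour.
Import-Module ActiveDirectory

$exchangeServer = 'EXCH01.example.local'   # placeholder: your Exchange server

# Enumerate every domain controller in the current domain
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($dc in $dcs) {
    Write-Host "Restarting KDC on $dc ..."
    try {
        # 'Kdc' is the service name behind "Kerberos Key Distribution Center"
        $svc = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
            Restart-Service -Name Kdc -Force -ErrorAction Stop
            Get-Service -Name Kdc
        }
        if ($svc.Status -ne 'Running') {
            Write-Warning "KDC on $dc is in state $($svc.Status), not Running"
        } else {
            Write-Host "  $dc : KDC running"
        }
    } catch {
        Write-Warning "Failed on ${dc}: $($_.Exception.Message)"
    }
}

# Check whether the Exchange server is still logging the LDAP/DC errors.
# An empty result after the restarts is what you want to see.
$filter = @{
    LogName   = 'Application'
    Id        = @(2102, 2103, 2114, 9106)
    StartTime = (Get-Date).AddHours(-1)
}
$events = Get-WinEvent -ComputerName $exchangeServer -FilterHashtable $filter -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize
} else {
    Write-Host "No matching Exchange events on $exchangeServer in the last hour."
}
```

Re-run the event query after the 10 to 24 hour window the post and comments mention, since the symptoms returned on that timescale after a plain reboot.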
May 10th, 2012 on 4:04 pm
THANK YOU! I just ran into this problem when I bumped our Domain Functional Level from 2003 to 2008 R2. One of our Exchange Servers started having the LDAP errors and bombed out, just like you mentioned. I restarted the box, only to have the problem come back in about 10 hours. Your solution worked great! I didn’t even have to restart Exchange, it just came right back up. I noticed you had just posted this entry, is your system still functional? I’m hoping this is the last of this issue.
May 23rd, 2012 on 7:45 pm
Just to be clear, you experienced this issue right after you raised the domain functional level to 2008? And since you didn’t reboot the DC (or all the DCs) the KDC service wasn’t serving out Kerberos information.
Did you have any other issues with ‘legacy’ applications using Kerberos authentication?
We experienced the same issue a few days ago when the domain functional level was upgraded to 2008 R2. We had issues with a reporting software we use that uses Kerberos authentication as well.
As a side note/question, had the domain in use ever had an authoritative restore done on it? I know this does something to the krbtgt service account… and our domain had, years ago. I don’t know if this made the issue more rare than above or if people just automatically reboot their DCs after a domain level upgrade.
May 27th, 2012 on 9:13 pm
Hi Nick, The issue didn’t occur instantly after the domain functional level was raised, maybe 10-12 hours after.
We had a few issues with Mac computers occasionally failing to authenticate which was also resolved when the KDC service was restarted.
As far as I am aware there has not been an authoritative restore on this domain, but I can’t be 100% on that.
May 29th, 2012 on 10:20 pm
For me, the issue occurred literally within about 30 minutes of changing the Functional Level. It only affected one of our Exchange servers, the one with Mailboxes on it. The HUB/CAS server didn’t seem to have any issues, except for the fact that it wasn’t able to talk to the MB server properly anymore. I have not had the issue re-occur once the KDC services were restarted. I’ve never had to do an Authoritative Restore on our Domain before either.
June 5th, 2012 on 3:54 am
I’ve also seen this, thanks to a colleague who found this posting. If the affected Exchange server is a DAG member, it may log a DCOM error in the System log trying to access the witness server, if one is configured.
July 25th, 2012 on 3:46 pm
This issue plagued us for a week after raising the Domain Functional level from 2003 to 2008R2: Exch2010 server logged events that no DCs were available (even though all 6 DCs were pingable); Exch client connections failed, and EMC errored out; RDP connections failed w/Kerberos errors. Rebooting the DCs didn’t help, but restarting the Kerberos service seems to have done the trick: 24 hours now of solid, stable Exchange. Crossing my fingers that this “fix” is permanent… thanks, Robin!
September 3rd, 2012 on 5:58 pm
Hi, I just had the exact same issue happen… this article saved me a lot of grief. Thank you!
We just raised our domain function level from 2003 to 2008R2 two days ago and everything seemed OK for a while. After about a day, I had the same type of log entries happening on our Exchange transport server and eventually, the Exchange address book and Exchange transport service went offline and wouldn’t start back up. After restarting all of our domain controller Kerberos Key Distribution Services, those log entries stopped and everything returned to normal and those stopped services started just fine.
May 5th, 2013 on 12:24 am
This comments section is becoming my go to place for good solid info. If any of you guys want to help, I’m a moderator over at EF (click my name if you like) and I am always telling the admins about this place and the caliber of support knowledge just hanging around. I think you guys would be a great fit over there as well whenever you have time. Thanks, and hope to see you there some time.
May 16th, 2013 on 3:15 am
Hello, I am having this issue every time that I restart my servers on a VMware vSphere 5 environment. I haven’t raised the domain function level or made any change on Exchange 2010. Exchange was working fine for a year. If I restart the KDC service and the MS Exchange Topology service it works fine until I restart the server again and I have to do the same procedure. What could be the problem? Any ideas on how to fix it for good?
Thank you