KDC Authentication problems with 2003 to 2008 domain functional level
Recently I have had problems connecting to the console on a number of 2008 R2 Hyper-V guest virtual machines. The error was “An Authentication Error Has Occurred. The Encryption Type Requested Is not supported by the KDC”. I have also had a single Exchange 2010 server fail with the following event IDs: 2102, 2103, 2114 and 9106, all reporting LDAP problems and non-responding domain controllers and global catalogs:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1696). Topology discovery failed, error 0x80040952 (LDAP_LOCAL_ERROR (Client-side internal error or bad LDAP message)). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, “Microsoft LDAP Error Codes.” Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.
Process STORE.EXE (PID=4084). All Global Catalog Servers in forest DC=xxx,DC=xx,DC=xx are not responding:
Process STORE.EXE (PID=4084). All Domain Controller Servers in use are not responding:
Attempting to open the Exchange management console on the local server console ended with an HTTP server error status 500 and “Kerberos” authentication failed.
The Exchange server was able to ping and resolve all DNS names correctly, and the problem went away on restarting, only to recur in 24 hours or so.
The rather simple resolution in the end turned out to be restarting the “KERBEROS DISTRIBUTION KEY (KDC) service” on all domain controllers. While restarting all domain controllers in their entirety is also a good idea, it isn’t always possible (or desirable) in a live production environment.
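
The restart described above can be done as a rolling operation so that only one domain controller's KDC is down at any moment. This is an added example, not part of the original post: it assumes Windows PowerShell with the ActiveDirectory module (RSAT), an account with rights to control services on the domain controllers, and that the service meant is the one with short name `kdc` (display name "Kerberos Key Distribution Center"). The 60-second timeout is a constructed value.

```powershell
# Added example: rolling restart of the KDC service across all domain controllers.
# Assumption: Windows PowerShell (Get-Service -ComputerName is not available in PowerShell 6+).
Import-Module ActiveDirectory

$timeout = New-TimeSpan -Seconds 60   # constructed value; tune for your environment

foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    try {
        # Bind to the remote Service Control Manager and fetch the kdc service object.
        $svc = Get-Service -ComputerName $name -Name kdc -ErrorAction Stop
        Write-Host "[$name] kdc is currently $($svc.Status)"

        # Stop only if it is not already stopped; Stop() throws on a stopped service.
        if ($svc.Status -ne 'Stopped') {
            $svc.Stop()
            $svc.WaitForStatus('Stopped', $timeout)
        }

        $svc.Start()
        # WaitForStatus throws a timeout exception if the service never comes back.
        $svc.WaitForStatus('Running', $timeout)

        $svc.Refresh()
        Write-Host "[$name] kdc is now $($svc.Status)"
    }
    catch {
        # Halt the rollout on the first failure so the remaining domain
        # controllers keep issuing tickets while this one is investigated.
        Write-Warning "[$name] kdc restart failed: $($_.Exception.Message)"
        break
    }
}
```

Each restart is logged on the domain controller by the Service Control Manager, which gives a timestamp to compare against the next recurrence of the Exchange and Hyper-V errors.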