Microsoft Working on Hotfix for Windows Server 2003 Migration Problem -- Redmondmag.com

Microsoft Working on Hotfix for Windows Server 2003 Migration Problem

By Kurt Mackie
07/25/2014

Microsoft is working on a hotfix for a client log-in problem that can occur in the process of migrating from Windows Server 2003 to Windows Server 2012 R2.

Users sometimes aren't able to log into their machines under this scenario because of a mismatch between the encryption types used by Kerberos in the two servers, according to Microsoft's Wednesday announcement. Kerberos is a network authentication protocol used in client-server authentication scenarios that employs symmetric key encryption technology. It has been used in Microsoft's server software since Windows 2000.

When organizations add Windows Server 2012 R2 to a computing environment that already has Windows Server 2003 in it, an encryption mismatch can take place. The domain controllers in Windows 2003 do not support the Advanced Encryption Standard (AES), which is used in Windows Server 2012 R2. On the other hand, the domain controllers in Windows Server 2012 R2 don't support the Data Encryption Standard (DES) that's used in Windows Server 2003.

Microsoft's Directory Services team claims to have received "quite a few calls lately" about the problem, which was causing some organizations to postpone their server upgrades. Windows Server 2003 will exit "extended support" on July 14, 2015, giving organizations less than a year to complete a potentially complicated upgrade or face losing security patch support for the near decade-old server. Microsoft has a site devoted to Window Server 2003 end-of-support issues, which can be found at this page.

Microsoft's engineering team is currently working on a hotfix for the log-in problem but indicated that "it's going to take us some time to get it out to you." In the meantime, the announcement lists three workaround approaches to avoid encountering the log-in problem.

The simplest approach is "Option 2," in which IT pros can use Group Policy to disable password resets for 120 days. Doing so will buy time for the hotfix to arrive (apparently, Microsoft expects to deliver its fix before the 120 days). However, Microsoft's announcement added a precaution that IT pros shouldn't forget to change the password reset policy back to normal if they use that workaround approach.

A potential drawback to all three of the workaround approaches listed in Microsoft's announcement is that individual machines will require reboots. It could prove problematic for organizations with large migration tasks.

Windows Server 2003 is still covered under Microsoft's extended support policy until next year, which means that Microsoft is still issuing security updates and nonsecurity hotfixes for the server. After July 14, 2015, though, that support goes away.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.