Microsoft Working on Hotfix for Windows Server 2003 Migration Problem

Microsoft is working on a hotfix for a client log-in problem that can occur in the process of migrating from Windows Server 2003 to Windows Server 2012 R2.

Users sometimes aren't able to log into their machines under this scenario because of a mismatch between the encryption types used by Kerberos in the two servers, according to Microsoft's Wednesday announcement. Kerberos is a network authentication protocol used in client-server authentication scenarios that employs symmetric key encryption technology. It has been used in Microsoft's server software since Windows 2000.

When organizations add Windows Server 2012 R2 to a computing environment that already has Windows Server 2003 in it, an encryption mismatch can take place. The domain controllers in Windows 2003 do not support the Advanced Encryption Standard (AES), which is used in Windows Server 2012 R2. On the other hand, the domain controllers in Windows Server 2012 R2 don't support the Data Encryption Standard (DES) that's used in Windows Server 2003.

Microsoft's Directory Services team claims to have received "quite a few calls lately" about the problem, which was causing some organizations to postpone their server upgrades. Windows Server 2003 will exit "extended support" on July 14, 2015, giving organizations less than a year to complete a potentially complicated upgrade or face losing security patch support for the nearly decade-old server. Microsoft has a site devoted to Windows Server 2003 end-of-support issues.

Microsoft's engineering team is currently working on a hotfix for the log-in problem but indicated that "it's going to take us some time to get it out to you." In the meantime, the announcement lists three workaround approaches to avoid encountering the log-in problem.

The simplest approach is "Option 2," in which IT pros can use Group Policy to disable password resets for 120 days. Doing so will buy time for the hotfix to arrive (apparently, Microsoft expects to deliver its fix before the 120 days are up). However, Microsoft's announcement cautioned IT pros who use that workaround not to forget to change the password reset policy back to normal afterward.

A potential drawback to all three of the workaround approaches listed in Microsoft's announcement is that individual machines will require reboots. That could prove problematic for organizations with large migration tasks.

Windows Server 2003 is still covered under Microsoft's extended support policy until next year, which means that Microsoft is still issuing security updates and nonsecurity hotfixes for the server. After July 14, 2015, though, that support goes away.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

