Microsoft Working on Hotfix for Windows Server 2003 Migration Problem

Microsoft is working on a hotfix for a client log-in problem that can occur in the process of migrating from Windows Server 2003 to Windows Server 2012 R2.

Users sometimes aren't able to log into their machines under this scenario because of a mismatch between the encryption types used by Kerberos in the two servers, according to Microsoft's Wednesday announcement. Kerberos is a network authentication protocol used in client-server authentication scenarios that employs symmetric key encryption technology. It has been used in Microsoft's server software since Windows 2000.

When organizations add Windows Server 2012 R2 to a computing environment that already has Windows Server 2003 in it, an encryption mismatch can take place. The domain controllers in Windows 2003 do not support the Advanced Encryption Standard (AES), which is used in Windows Server 2012 R2. On the other hand, the domain controllers in Windows Server 2012 R2 don't support the Data Encryption Standard (DES) that's used in Windows Server 2003.

Microsoft's Directory Services team claims to have received "quite a few calls lately" about the problem, which was causing some organizations to postpone their server upgrades. Windows Server 2003 will exit "extended support" on July 14, 2015, giving organizations less than a year to complete a potentially complicated upgrade or face losing security patch support for the near decade-old server. Microsoft has a site devoted to Windows Server 2003 end-of-support issues, which can be found at this page.

Microsoft's engineering team is currently working on a hotfix for the log-in problem but indicated that "it's going to take us some time to get it out to you." In the meantime, the announcement lists three workaround approaches to avoid encountering the log-in problem.

The simplest approach is "Option 2," in which IT pros can use Group Policy to disable password resets for 120 days. Doing so will buy time for the hotfix to arrive (Microsoft apparently expects to deliver its fix before the 120 days elapse). However, Microsoft's announcement cautioned that IT pros who use that workaround shouldn't forget to change the password reset policy back to normal afterward.

A potential drawback to all three of the workaround approaches listed in Microsoft's announcement is that individual machines will require reboots. It could prove problematic for organizations with large migration tasks.

Windows Server 2003 is still covered under Microsoft's extended support policy until next year, which means that Microsoft is still issuing security updates and nonsecurity hotfixes for the server. After July 14, 2015, though, that support goes away.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

