Microsoft Working on Hotfix for Windows Server 2003 Migration Problem

Microsoft is working on a hotfix for a client log-in problem that can occur in the process of migrating from Windows Server 2003 to Windows Server 2012 R2.

Users sometimes aren't able to log into their machines under this scenario because of a mismatch between the encryption types used by Kerberos in the two servers, according to Microsoft's Wednesday announcement. Kerberos is a network authentication protocol used in client-server authentication scenarios that employs symmetric key encryption technology. It has been used in Microsoft's server software since Windows 2000.

When organizations add Windows Server 2012 R2 to a computing environment that already has Windows Server 2003 in it, an encryption mismatch can take place. The domain controllers in Windows 2003 do not support the Advanced Encryption Standard (AES), which is used in Windows Server 2012 R2. On the other hand, the domain controllers in Windows Server 2012 R2 don't support the Data Encryption Standard (DES) that's used in Windows Server 2003.

Microsoft's Directory Services team claims to have received "quite a few calls lately" about the problem, which was causing some organizations to postpone their server upgrades. Windows Server 2003 will exit "extended support" on July 14, 2015, giving organizations less than a year to complete a potentially complicated upgrade or face losing security patch support for the near decade-old server. Microsoft has a site devoted to Windows Server 2003 end-of-support issues, which can be found at this page.

Microsoft's engineering team is currently working on a hotfix for the log-in problem but indicated that "it's going to take us some time to get it out to you." In the meantime, the announcement lists three workaround approaches to avoid encountering the log-in problem.

The simplest approach is "Option 2," in which IT pros can use Group Policy to disable password resets for 120 days. Doing so will buy time for the hotfix to arrive (apparently, Microsoft expects to deliver its fix before the 120 days are up). However, Microsoft's announcement added a caution that IT pros shouldn't forget to change the password reset policy back to normal if they use that workaround approach.

A potential drawback to all three of the workaround approaches listed in Microsoft's announcement is that individual machines will require reboots. That requirement could prove problematic for organizations with large migration tasks.

Windows Server 2003 is still covered under Microsoft's extended support policy until next year, which means that Microsoft is still issuing security updates and nonsecurity hotfixes for the server. After July 14, 2015, though, that support goes away.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

