Microsoft Working on Hotfix for Windows Server 2003 Migration Problem
Microsoft is working on a hotfix for a client log-in problem that can occur in the process of migrating from Windows Server 2003 to Windows Server 2012 R2.
Users sometimes aren't able to log into their machines under this scenario because of a mismatch between the encryption types used by Kerberos in the two servers, according to Microsoft's Wednesday announcement. Kerberos is a network authentication protocol used in client-server authentication scenarios that employs symmetric key encryption technology. It has been used in Microsoft's server software since Windows 2000.
When organizations add Windows Server 2012 R2 to a computing environment that already has Windows Server 2003 in it, an encryption mismatch can take place. The domain controllers in Windows 2003 do not support the Advanced Encryption Standard (AES), which is used in Windows Server 2012 R2. On the other hand, the domain controllers in Windows Server 2012 R2 don't support the Data Encryption Standard (DES) that's used in Windows Server 2003.
Microsoft's Directory Services team claims to have received "quite a few calls lately" about the problem, which was causing some organizations to postpone their server upgrades. Windows Server 2003 will exit "extended support" on July 14, 2015, giving organizations less than a year to complete a potentially complicated upgrade or face losing security patch support for the near decade-old server. Microsoft has a site devoted to Window Server 2003 end-of-support issues, which can be found at this page.
Microsoft's engineering team is currently working on a hotfix for the log-in problem but indicated that "it's going to take us some time to get it out to you." In the meantime, the announcement lists three workaround approaches to avoid encountering the log-in problem.
The simplest approach is "Option 2," in which IT pros can use Group Policy to disable password resets for 120 days. Doing so will buy time for the hotfix to arrive (apparently, Microsoft expects to deliver its fix before the 120 days). However, Microsoft's announcement added a precaution that IT pros shouldn't forget to change the password reset policy back to normal if they use that workaround approach.
A potential drawback to all three of the workaround approaches listed in Microsoft's announcement is that individual machines will require reboots. It could prove problematic for organizations with large migration tasks.
Windows Server 2003 is still covered under Microsoft's extended support policy until next year, which means that Microsoft is still issuing security updates and nonsecurity hotfixes for the server. After July 14, 2015, though, that support goes away.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.