NTLM Authentication Failing once Domain Controller was upgraded to Windows Server 2016

NTLM Authentication Failing once Domain Controller was upgraded to Windows Server 2016. Application server is running Server 2012 R2. We have one domain controller left on 2012, NTLM works fine on that controller. When I switch to one of the 2016 servers, it fails. It seems that this may be the issue:

https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls (thanks to RichM for identifying this back in 2019).

What I would like to know is this: if I upgrade my application server to Windows Server 2016, will that fix my issue as well or will I have the same issues as with a an app server on 2012 R2?

It's pretty hard to answer accurately to your question as we do not have a complete insight of your network.

This being said, since you are having problems with NTLM, it sounds like a good opportunity to jump over Kerberos, unless you need NTLM for backwards compatibility.

If you absolutely need NTLM to work, I suggest you do some troubleshooting and find the root cause. Here are some tips that come to mind :

• Validate that your apps are compatible with Windows Server 2016.
• Review group policies.
• Analyze logs.

Cheers!