I am supporting Windows again after many years. This client I'm assigned to has Domain Controllers running 2008 R2 and 2012 R2, and they want Azure AD Connect Password Hash Sync. The minimum requirement for this is a functional level of 2016.
I installed a new Server 2019 instance, migrated the FSMO roles, and ensured all DCs are replicating to each other. I created a new domain user and ran the logon script that maps a few network drives from an old NetApp FAS2552 running ONTAP 8.2.2.7. This was successful.
After applying patches and rebooting, the new DC will no longer connect the drives. I believe it has something to do with KDC changes made in November 2022, but I'm not sure.
I added another Server 2019 instance to the network, logged in locally, and connected the NetApp drives successfully. Then I installed Windows Security Updates, and after a reboot the drives failed the same way as they do on the new DC.
After digging around, I found a couple of things:
This article
And a random bit about some Registry changes:
reg add HKLM\system\currentcontrolset\services\kdc /v KrbtgtFullPacSignature /t REG_DWORD /d 0 /f
reg add HKLM\system\currentcontrolset\services\kdc /v ApplyDefaultDomainPolicy /t REG_DWORD /d 0 /f
reg add HKLM\system\currentcontrolset\services\netlogon\parameters /v RequireSignorSeal /t REG_DWORD /d 0 /f
These changes worked on the test instance and the NetApp drives connected again, so long as the %logonserver% is one of the old Domain Controllers.
These changes do not work on the new domain controller, and when any client uses it as their %logonserver%, the drives fail to connect.
I'm ready to uninstall the Windows Security updates to see if the NetApp drives connect again, and then inform the client that their environment cannot be patched until they upgrade their NetApp OS to support AES KDC auth.
Any help is much appreciated.
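For anyone in the same situation, here is a small added PowerShell check (my own, not from the original poster) that inventories the three registry values quoted above on the server it runs on, so a rollback that was applied while troubleshooting is visible later rather than silently left in place. It assumes only the registry paths and value names from the post; a value that is absent means the update's default behaviour is in effect.

```powershell
# Added example, not from the original post: report whether the three
# Kerberos/Netlogon rollback values from the post are set on this host.
# An explicit 0 weakens the November 2022 hardening; absence = update default.
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
       Name = 'KrbtgtFullPacSignature'
       Note = '0 turns off the new PAC signature checks on the KDC' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
       Name = 'ApplyDefaultDomainPolicy'
       Note = '0 turns off the default domain encryption policy on the KDC' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'RequireSignOrSeal'
       Note = '0 allows Netlogon secure channels without signing or sealing' }
)

function Get-KerberosRollbackState {
    foreach ($c in $checks) {
        # Missing key or value returns nothing; treat that as "not set".
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.($c.Name) } else { $null }

        if ($null -eq $value) {
            $status = 'NotSet (update default applies)'
        } elseif ($value -eq 0) {
            $status = 'WEAKENED (rollback value present)'
        } else {
            $status = "Set ($value)"
        }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Key      = $c.Path
            Value    = $c.Name
            Data     = $value
            Status   = $status
            Note     = $c.Note
        }
    }
}

# Run on each DC (and any member server where the workaround was tried).
Get-KerberosRollbackState | Format-Table -AutoSize
```

Running it on every DC after the NetApp upgrade is a quick way to confirm the workaround values have all been removed again.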