
Server 2012 Domain Controller KDC error? (cannot log on to machine at all)


Hey all

I messed up a few days ago and have been trying to fix it. At this point I am almost convinced this may be a bug in Server 2012 and not just my own inaneness or ineptness.

The problem seems to be: if I add allowed Kerberos encryption types to any of my domain controllers, I lose connectivity throughout the network.

The setup is two 2012 Std controllers with AD, DNS, DHCP and file services on them in a small local network. While trying to get a program that needs DES_CBC_* to authenticate to AD, I went into group policy / Computer / Windows Settings / Security Settings / Security Options / "Network security: Configure encryption types allowed for Kerberos" and ticked the top 2 options but forgot to tick the rest (the defaults or current settings are not filled in); more on that later. Then I saved and ran gpupdate /force; after about 2 mins my session (RD) disconnected and of course I was locked out from both controllers, and no amount of local or remote login could get me back in. OK, no surprise, even though I would have thought NTLM would have got me in from a local screen with locally cached credentials. One of those controllers is a VM, so I just reverted a snapshot and had the one DC back up.

OK, now the problem: I still have the other DC in that state (DES_* only), and I have tried enabling the PDC for all encryption types, but then I end up with the same problem on that controller (is that a bug?). I wouldn't think adding allowed encryption types should break the already configured types, but it seems to, unless I am really missing something obvious. So on the PDC I can't add allowed encryption types (it breaks it), and the other one I can't log in to to fix it. In my mind this should be a simple "add allowed encryption types to the PDC", then the other should just auth/replicate and fix itself, with the background keys/auth/encryption hashing it out between them, at least so the broken one can replicate.

Question #1: Is there any way to hack my way into the broken machine even though the local accounts seem to be stored with the AES256 hash default? I didn't mention it: all logins go to an "Other user" screen, so I'm not even seeing the right account names typed in? Only 2 local accounts, mine and admin.

Question #2: How EXACTLY do I add other allowed encryption types to Kerberos without breaking my domain, assuming this isn't a bug? I'm guessing I'm missing a simple step somewhere. Keep in mind this one is an XCP VM.

It seems that when the encryption changes, Windows is not updating the stored credentials to the new ones, or at least not creating new ones on next login, at least for the broken machine, and not using NT auth as a last resort (local). And for the other (PDC) I have no clue; it should just be click to add types, reboot, done, if a reboot is even needed.

Thanks

mx

PS: I know what I did wrong, so I don't need best practices advice...for those holier than thou out there :) Besides, with the time I've spent trying to figure this out I could have reinstalled 100 times over.....which leads me to..... WDS setup 2012 style .........................
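An added example, not part of the original post: a PowerShell check that decodes the bitmask behind the "Configure encryption types allowed for Kerberos" policy and flags a DES-only selection (the two top boxes alone, 0x3) before it is applied, which is the state that locked the poster out. It assumes it runs on a DC with the ActiveDirectory module available for the optional per-account view; the bit values are the documented ones for that setting.

```powershell
# Added example (not from the original post): decode the Kerberos etype
# policy bitmask and refuse a selection that leaves no RC4/AES type enabled.
# Assumes: run on a DC; ActiveDirectory module present for step 3.

$etypeBits = [ordered]@{
    DES_CBC_CRC             = 0x1
    DES_CBC_MD5             = 0x2
    RC4_HMAC_MD5            = 0x4
    AES128_CTS_HMAC_SHA1_96 = 0x8
    AES256_CTS_HMAC_SHA1_96 = 0x10
    FUTURE_ENCRYPTION_TYPES = 0x7FFFFFE0
}

function ConvertFrom-EtypeMask {
    param([int]$Mask)
    $etypeBits.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Test-EtypeMaskSafe {
    # $true only if RC4 or AES stays enabled: accounts on a 2012 domain hold
    # RC4/AES keys, so a DES-only KDC cannot issue tickets for them.
    param([int]$Mask)
    return (($Mask -band (0x4 -bor 0x8 -bor 0x10)) -ne 0)
}

# 1. What local policy currently says. The value is written by the GPO setting;
#    if it is absent the setting is "Not Defined" and OS defaults apply.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$current = (Get-ItemProperty -Path $regPath -Name SupportedEncryptionTypes `
            -ErrorAction SilentlyContinue).SupportedEncryptionTypes
if ($null -eq $current) {
    Write-Host 'Policy not defined: OS defaults apply'
} else {
    Write-Host ("Policy mask 0x{0:X}: {1}" -f $current, ((ConvertFrom-EtypeMask $current) -join ', '))
    if (-not (Test-EtypeMaskSafe $current)) {
        Write-Warning 'No RC4/AES type enabled: Kerberos logons will fail after gpupdate'
    }
}

# 2. The poster's selection (DES only) beside the one that adds DES while
#    keeping the existing RC4/AES types.
foreach ($m in (0x1 -bor 0x2), (0x1 -bor 0x2 -bor 0x4 -bor 0x8 -bor 0x10)) {
    "0x{0:X} safe={1} {2}" -f $m, (Test-EtypeMaskSafe $m), ((ConvertFrom-EtypeMask $m) -join ', ')
}

# 3. Per-account view for the DC computer objects (Domain Controllers group RID 516).
Get-ADComputer -Filter 'PrimaryGroupID -eq 516' -Properties msDS-SupportedEncryptionTypes |
    Select-Object Name, @{n='Etypes'; e={ (ConvertFrom-EtypeMask ([int]$_.'msDS-SupportedEncryptionTypes')) -join ', ' }}
```

Run step 1 and 2 against the intended mask before gpupdate; a mask that the check reports as unsafe is the condition the post describes, where the DC is still running but no Kerberos logon can complete.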
