2026-04 Update Breaks Domain Logins

Question

I have an Active Directory domain that is old (from 2000!) that has been upgraded and moved to newer versions of Windows Server and Active Directory. I have domain controller VMs running Windows Server 2025 Standard Edition. Unfortunately they installed the latest 2026-04 patches which my have changed the Kerberos encryption from RC4 to AES. This has resulted in my not being able to log into any Active Directory domain accounts and the domain controllers themselves. I can only log into workstations using the local account.

Suffice to say this a nightmare. Any ideas how to fix it since I can't access the usual tools like Active Directory Users and Computers, Hyper-V won't connect to the VMs, etc. Thanks.

S

thomas heuberger · Accepted Answer

You will not have a change to access the domain controller, because there are no local users available.

The only possible solution I have found is:

Restore domain controller from backup before install the update.
Then reset the password of the administrator. This will force to generate an AES key.
Install the update again.

Please have also a look on:

https://learn.microsoft.com/en-us/windows-server/security/kerberos/detect-remediate-rc4-kerberos
https://support.microsoft.com/en-us/topic/how-to-manage-kerberos-kdc-usage-of-rc4-for-service-account-ticket-issuance-changes-related-to-cve-2026-20833-1ebcda33-720a-4da8-93c1-b0496e1910dc

In my environment it has worked. Hope it works for you.

Good luck

Forum Discussion

2026-04 Update Breaks Domain Logins

2 Replies