Promoted Windows Sever 2019 to DC, getting many Event ID 37 errors

Question

I promoted a Windows Server 2019 server to a DC (the 2nd one in my domain). Now I am getting several Event ID 37 errors. Looks like I am getting them for user accounts and machines, that were working fine before this migration. Any ideas on what I need to to do secure and correct this issue?

The link provided in the Event Log is telling me I need to install an update from November 2021?
(Link from Event Viewer: https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041

Thank you for your help.

dave patrick · Answer

The two prerequisites to introducing the first 2019 or 2022 domain controller are that domain functional level needs to be 2008 or higher and older sysvol FRS replication needs to have been migrated to DFSRhttps://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Streamlined-Migration-of-FRS-to-DFSR-SYSVOL/ba-p/425405 I'd use dcdiag / repadmin tools to verify health `correcting all errors found` before starting `any` operations. Then stand up the new 2019 or 2022, patch it fully, license it, join existing domain, add active directory domain services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer pdc emulator role (optional), use dcdiag / repadmin tools to again verify health, when all is good you can decommission / demote old one.

dave patrick · Answer

Yes, install the latest SSU,
https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005112
followed by the latest cumulative updates
https://www.catalog.update.microsoft.com/Search.aspx?q=KB5008218
&nbsp;
Patch all the domain controllers as first step. Then each user will get the new improved authentication information PACs of Kerberos Ticket-Granting Tickets. (TGT) described in the KB
Then it looks like you may get one warning for every user.
https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041***Adds the new PAC to users who authenticated using an Active Directory domain controller that has the November 9, 2021 or later updates installed. When authenticating, if the user has the new PAC, the PAC is validated.***the ***PacRequestorEnforcement*** registry value's only function is to allow you to transition to the Enforcement phase early. Otherwise not needed.
&nbsp;
--please don't forget to upvote and Accept as answer if the reply is helpful--
&nbsp;
&nbsp;
&nbsp;

rsn71 · Answer

Both of those are already installed on the 2019 server.

When I go to the 2008 DC and check Windows Updates there is only one (1) that is needed: It is a Windows Malicious Software Removal Tools x64 KB890830.

dave patrick · Answer

For 2008 SP2 (vista kernel) install the SSU
https://www.catalog.update.microsoft.com/Search.aspx?q=KB4493730
&nbsp;
followed by the latest cumulative update.
https://www.catalog.update.microsoft.com/Search.aspx?q=KB5008274
&nbsp;
&nbsp;
&nbsp;

rsn71 · Answer

Dave Patrick&nbsp;KB4493730 says "The update does not apply to your system"KB5008274 says "The Windows Modules Installer must be updated before you can install this package. Please https://support.microsoft.com/?kbid=925316, then retry setup."The URL in the above dialog box reply, is the same it takes me to - a general support page.When I saw The update does not apply, I looked at the System Tab it says Windows Server Standard FE. (??)I inherited this system from the previous employee, so I have no one to ask question about setup.**UPDATE: &nbsp;When I try to&nbsp;search for the KB in the URL&nbsp;KB925316 in&nbsp;the&nbsp;Windows Catalog nothing shows.

Forum Discussion

Promoted Windows Sever 2019 to DC, getting many Event ID 37 errors

9 Replies

Resources