Nov 15 2022 10:50 AM
We have installed the Nov 8 update on 2 of our 3 domain controllers and on one of our WFOCs, which provide our file servers. It was identified that the cluster that was updated was offline. Even after adding the reg key and value for "disable mode" on our patched domain controllers, the problem persisted.
After following the trail through the logs on our DCs, all our file cluster AD objects were failing Kerberos communication with the DCs. Even though we have nothing "set" in our domain to limit or explicitly set any Kerberos encryption types, those AD objects were set to only use AES 128 and AES 256, which is fine and desired, of course. But they were all attempting to communicate on RC4.
Once we used GPO to set those AD objects to also be able to use RC4 encryption, everything started to work as it should. The implication is that the Windows Failover Cluster is using RC4. This is true for both the unpatched and patched clusters.
My question for this community is why, and how do I get it to use AES128/256?
Domain Controllers:
- Windows Server 2019 Datacenter - domain and forest levels are set to 2016
File Clusters:
- Windows Server 2019 Datacenter with 2 nodes
- Failover Cluster
- DFS Namespace and Replication
- WCF Services
- File and Storage Services
- File Server Resource Manager
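The post describes cluster computer objects whose msDS-SupportedEncryptionTypes only advertises AES, yet whose tickets were issued with RC4. The script below is an added example (not code from the original post or from Microsoft) that makes that state visible and adjustable: it decodes the msDS-SupportedEncryptionTypes bitmask on the cluster name object (CNO) and the network-name virtual computer objects (VCOs), reports each account's pwdLastSet (an account only has AES keys if its password was set after the domain supported AES, so an old value is the first thing to check when an AES-only account keeps falling back), sets the attribute to AES-only or AES+RC4, and scans a DC's Security log for 4769 events that were actually issued with RC4 (TicketEncryptionType 0x17) for those accounts. It assumes the RSAT ActiveDirectory and FailoverClusters modules are installed; the cluster name 'FSCLUSTER01' is a placeholder.

```powershell
# Added example, not code from the original post. Inspect and set the Kerberos
# encryption types on a failover cluster's AD computer objects (CNO and VCOs),
# and find service tickets the DCs actually issued with RC4.
# Assumes RSAT ActiveDirectory and FailoverClusters modules; 'FSCLUSTER01' is a placeholder.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (documented in MS-KILE).
$EncFlags = [ordered]@{
    'DES-CBC-CRC' = 0x01
    'DES-CBC-MD5' = 0x02
    'RC4-HMAC'    = 0x04
    'AES128-CTS'  = 0x08
    'AES256-CTS'  = 0x10
}

function ConvertFrom-SupportedEncTypes {
    # Turn the bitmask into readable names; 0 / unset means the DC default applies.
    param($Value)
    if ($null -eq $Value -or $Value -eq 0) { return '(unset; DC default applies)' }
    $names = foreach ($kv in $EncFlags.GetEnumerator()) {
        if ($Value -band $kv.Value) { $kv.Key }
    }
    return ($names -join ', ')
}

function Get-ClusterComputerNames {
    # The cluster name (CNO) plus every Network Name resource in the cluster (VCOs).
    param([Parameter(Mandatory)][string]$ClusterName)
    Import-Module FailoverClusters
    $names = @($ClusterName)
    Get-ClusterResource -Cluster $ClusterName |
        Where-Object ResourceType -eq 'Network Name' |
        ForEach-Object {
            $n = ($_ | Get-ClusterParameter -Name Name).Value
            if ($n -and $n -ne $ClusterName) { $names += $n }
        }
    return $names
}

function Get-KerberosEncTypeReport {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        $c = Get-ADComputer -Identity $name -Properties msDS-SupportedEncryptionTypes, pwdLastSet
        [pscustomobject]@{
            Name        = $c.Name
            EncTypesRaw = $c.'msDS-SupportedEncryptionTypes'
            EncTypes    = ConvertFrom-SupportedEncTypes $c.'msDS-SupportedEncryptionTypes'
            # AES keys exist only for a password set after the domain supported AES.
            PwdLastSet  = [DateTime]::FromFileTime($c.pwdLastSet)
        }
    }
}

function Set-KerberosEncTypes {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [ValidateSet('AESOnly', 'AESAndRC4')][string]$Mode = 'AESOnly'
    )
    # 0x18 = AES128 | AES256; 0x1C additionally allows RC4 (what the GPO in the post did).
    $value = if ($Mode -eq 'AESOnly') { 0x18 } else { 0x1C }
    foreach ($name in $ComputerName) {
        Set-ADComputer -Identity $name -Replace @{ 'msDS-SupportedEncryptionTypes' = $value }
    }
}

function Get-RC4ServiceTickets {
    # Run on a DC. Event 4769 carries TicketEncryptionType: 0x17 = RC4-HMAC,
    # 0x11 = AES128-CTS, 0x12 = AES256-CTS. ServiceName is the account, e.g. FSCLUSTER01$.
    param([Parameter(Mandatory)][string[]]$ServiceName, [int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Service = $d.ServiceName
                EncType = $d.TicketEncryptionType
                Client  = $d.IpAddress
            }
        } |
        Where-Object { $_.EncType -eq '0x17' -and ($ServiceName -contains ($_.Service -replace '\$$', '')) }
}

# Usage (placeholder cluster name):
$names = Get-ClusterComputerNames -ClusterName 'FSCLUSTER01'
Get-KerberosEncTypeReport -ComputerName $names | Format-Table -AutoSize
Get-RC4ServiceTickets -ServiceName $names | Select-Object -First 20
# To move back from the AES+RC4 workaround to AES only once tickets show 0x11/0x12:
# Set-KerberosEncTypes -ComputerName $names -Mode AESOnly
```

Two checks worth running alongside this. On the patched DCs, the November 2022 KDC changes are driven by the DefaultDomainSupportedEncTypes value under HKLM:\SYSTEM\CurrentControlSet\Services\KDC, so read it with Get-ItemProperty to confirm what the KDC falls back to for accounts whose attribute is unset. And if the report shows an AES-only CNO or VCO whose PwdLastSet predates the domain's AES support, the account has no AES keys to issue tickets with; resetting that password (for the CNO, Repair-ClusterNameAccount from the FailoverClusters module) is the usual remedy rather than re-enabling RC4.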
Dec 08 2022 08:18 AM
Dec 08 2022 09:05 AM