We are running a Windows 2012R2 domain environment which we want to upgrade. While doing prechecks we ran dcdiag and found few Kerberos related errors, for example: "While processing a TGS request for the target server email address removed for privacy reasons, the account email address removed for privacy reasons did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18 17. The accounts available etypes were 23 18 17. Changing or resetting the password of service_account will generate a proper key."

I have verified that the service account is not enabled to use DES. Event log analysis shows KDC errors are from a year back, although we have not experienced any issues so far with the service account. It is a critical account used for many services accessing the same database hence we don't want to make any changes to the password as suggested in dcdiag.

Could anybody share some thoughts on how to get rid of these events without resetting the password?