A Windows Server 2008 or Windows Server 2008 R2-based domain controller does not function correctly after restart

Consider the following scenario:

• You have a domain that contains Windows Server 2003-based domain controllers, Windows Server 2008-based domain controllers, and Windows Server 2008 R2-based domain controllers.
  Note Windows Server 2008 R2-based domain controllers are not required to experience this issue.
• You disable the Data Encryption Standard (DES) encryption type by using the Network security: Configure encryption types allowed for Kerberos Group Policy setting in the domain.
• You restart the Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2-based domain member or domain controller.

In this scenario, the computer may not function correctly after you restart it.

For example, you cannot contact services on the computer, such as remote procedure call (RPC) requests or Lightweight Directory Access Protocol (LDAP) queries. You cannot logon interactively. If you remotely connect to the event log of an affected domain controller that is running a DNS server, you find there are many event ID 4000 and event ID 4007 errors logged by the DNS Server service. These event ID errors are logged by the DNS Server service if the domain controller provides DNS services.

Notes

• In most cases the error in LDAP is as follows:
  81, LDAP_SERVER_DOWN.
• There may be other error events triggered by services or applications that use the local computer identity to access local resources through other user mode services. For example, a middleware application that uses a local SQL back-end.

This issue occurs because Advanced Encryption Standard (AES) keys are not built correctly by the Windows Server 2008-based domain controllers when DES is disabled in the domain. The AES kys in the Kerberos Ticket cannot be used as a result.

To avoid this issue, this hotfix has to be installed on all Windows Server 2008 domain controllers and also on all Windows Vista and Windows Server 2008 domain members. After this hotfix is deployed, you have to change the computer password on the affected computers:

• For domain controllers, run as domain administrator, open the command prompt, and then run the following command:
  netdom resetpwd /Server:remote DC
• For domain members, run as local administrator, open the command prompt, and then run the following command:
  nltest /sc_change_pwd:domain name
  Note NLTEST can also be executed remotely by running the /server:computername command at the command prompt.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must be running one of the following operating systems:

• Windows Vista Service Pack 1 (SP1)
• Windows Vista Service Pack 2 (SP2)
• Windows Server 2008
• Windows Server 2008 Service Pack 2 (SP2)

For more information about how to obtain a Windows Vista service pack, click the following article number to view the article in the Microsoft Knowledge Base: For more information about how to obtain a Windows Server 2008 service pack, click the following article number to view the article in the Microsoft Knowledge Base:

Registry information

To use the hotfix in this package, you do not have to make any changes to the registry.

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

File information

The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.

Windows Server 2008 and Windows Vista file information notes

Important Windows Vista hotfixes and Windows Server 2008 hotfixes are included in the same packages. However, only "Windows Vista" is listed on the Hotfix Request page. To request the hotfix package that applies to one or both operating systems, select the hotfix that is listed under "Windows Vista" on the page. Always refer to the "Applies To" section in articles to determine the actual operating system that each hotfix applies to.

• The files that apply to a specific product, SR_Level (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.

  Version	Product	SR_Level	Service branch
  6.0.600 1 . 22xxx	Windows Vista and Windows Server 2008	SP1	LDR
  6.0.600 2 . 22xxx	Windows Vista and Windows Server 2008	SP2	LDR

• Service Pack 1 is integrated into the release version of Windows Server 2008. Therefore, RTM milestone files apply only to Windows Vista. RTM milestone files have a 6.0.0000.xxxxx version number.
• The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows Server 2008 and of Windows Vista" section. MUM files and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.

For all supported x86-based versions of Windows Server 2008 and of Windows Vista

For all supported x64-based versions of Windows Server 2008 and of Windows Vista

To work around this issue, enable DES in the domain and then force a password change on the affected computers. For steps on this, check the resolution section.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

Additional file information

Additional file information for Windows Server 2008 and of Windows Vista

Additional files for all supported x86-based versions of Windows Server 2008 and of Windows Vista

Additional files for all supported x64-based versions of Windows Server 2008 and of Windows Vista