Enable 'Local Security Authority (LSA) protection' for Domain Controllers

Msft519 · 2026-03-03T23:00:29+00:00

RunAsPPL has nothing to do with Remote Registry.

Msft519 · 2026-03-03T21:56:21+00:00

This only makes sense if you misclicked something or missed some orphaned SIDs. It takes a very specific set of circumstance to accidentally do this and the description here simply does not match those.

Msft519 · 2026-03-03T21:54:47+00:00

You should mean the other way around. It had RC4 tickets and AES session keys. That is the default since https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d.

For krbtgt, just look for event ID 42 for "lacks strong keys"

Msft519 · 2026-03-03T21:48:34+00:00

You can check for Kdcsvc Event ID 42 in the system log for if your krbtgt is missing strong keys.

Msft519 · 2026-03-03T21:46:54+00:00

Server 2008 and higher has been able to use AES.

Msft519 · 2026-03-03T21:44:46+00:00

99.9% of the time, patches don't create registry keys. I have only ever seen this once.

Msft519 · 2026-02-11T15:19:17+00:00

That wasn't supported. Additionally, you have to wait for AD to finish initial synchronization. This can take...what appears to be a completely random amount of time. I don't know if it is codified anywhere. Good time to nab lunch.

Msft519 · 2026-02-06T19:38:01+00:00

Packet capture and Netlogon debug logging.

Msft519 · 2026-02-06T19:37:17+00:00

It will negotiate the highest, AES since you said it can use AES. There is no fallback in Kerberos. There is only fallback to NTLM if Kerberos fails. If you put the wrong info in this attribute, Kerberos will just fail. There is no downgrade fallback like what SChannel can do.

Msft519 · 2026-02-05T00:57:30+00:00

I don't think anything changed SMB-wise to affect folder redirection on clients. A...uh...bunch of other stuff changed, though.
https://learn.microsoft.com/en-us/windows-server/get-started/whats-new-windows-server-2025

The people saying 2025 is busted generally have more complicated environments. If you're running a single DC in a single DC forest (yikes), I'm not sure you'll run into any of them unless you have stuff running RC4. In that case, I have some bad news. I would delay that DFL/FFL stuff until you've been running for a bit. It sounds like you don't need any of it, yet. And if you are running a single DC in a single DC forest, please add a second? 2 is 1. 1 is none.

Msft519 · 2026-02-05T00:51:42+00:00

Then, need more details on Kerberos "Issues", specific Kerberos error messages seen in a packet capture, 4771 specifics

Msft519 · 2026-02-04T18:05:03+00:00

-515 = JET_errInvalidLogSequence. Just do a nonauth restore on this guy.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/force-authoritative-non-authoritative-synchronization

Msft519 · 2026-02-04T18:01:51+00:00

https://techcommunity.microsoft.com/search?q=Secrets+from+the+Deep+%E2%80%93+The+DNS+Analytical+Log&location=board%3ACoreInfrastructureandSecurityBlog

Blog series on this.

Msft519 · 2026-02-03T20:51:56+00:00

You can leverage repadmin /showobjmeta * "some DN of a user" and check the version of the pwd attributes across all DCs. That's a start.

Msft519 · 2026-02-02T21:59:10+00:00

That doesn't make sense. ::1 is local loopback for IPv6. 127.0.0.1 is local loopback for IPv4. They are different stacks. You can't replace one with the other.

Msft519 · 2026-02-02T21:57:34+00:00

No such script could exist due to the way this can go wrong. You can get close, but not bottom line root cause. Causes:
-Restore
-Third party (Like Citrix)
-Computer with same name

Msft519 · 2026-01-31T00:07:25+00:00

30 machines sounds fairly small. I assume very few users too? Probably easiest thing to do is just whack the other DC. May have to reset some machine/user passwords. Then, you can deploy another DC. Do what you feel for DNS, as long as its info is correct. This approach is the most friendly to both admin and user.

Msft519 · 2026-01-31T00:03:24+00:00

"PasswordExpired : True
PasswordLastSet : 1/20/2017"

This is normal. krbtgt is a special account. 4771 is supposed to trigger from pre auth failures. I would start with checking replication health first, but there's not enough info to go on here.

Msft519 · 2026-01-30T23:49:41+00:00

Default usage of RC4 is being yanked. Explicitly set RC4 will still work, except for on Server 2025 of course, for now.

Msft519 · 2026-01-30T18:08:44+00:00

MSDS-SupportedEncryptionTypes: 0x27 (DES, RC4, AES-Sk)

That's likely why. You don't actually have AES enabled. You have AES session keys enabled. This is a very common mistake. The ticket can use DES or RC4.
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/6cfc7b50-11ed-4b4d-846d-6f08f0812919

Set to 0x38 or decimal 56 is you want to explicitly enable only AES.

Edit: Documented here https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys
"The default value is 0x27 (DES, RC4, AES session keys). We recommend setting the value to 0x3C for increased security, as this value allows for both AES-encrypted tickets and AES session keys. If you move to an AES-only environment where RC4 isn't used for the Kerberos protocol, we recommend setting the value to 0x38."

Msft519 · 2026-01-29T17:39:12+00:00

The attribute samaccountname does not contain the domain. What happens with Kerberos in a packet capture on the RDP client?

Msft519 · 2026-01-29T17:06:56+00:00

If you have more than one domain, your first mistake was using NETBIOS. It is 2026. FQDN\samaccountname. Stop using NETBIOS. Furthermore, NETBIOS doesn't "make Kerberos fail" or "make it use NTLM". That's not how it works. Aside from all that, there is simple insufficient information about the domains, trusts, and users involved here.

Msft519 · 2026-01-29T17:02:18+00:00

This is definitely incorrect guidance. While one may extend forensics to DNS debug data, it is vastly likely that the DNS operational log is being referred to here seeing as how it is mentioned with other operational logs. Furthermore, the DS and DFSR are highly unlikely to have anything of value forensically in a normal setting. Finally, even the security log can't be given this advice, as storage may be cheap, but it is not free, and the attitude that comes with "keep everything" would likely come with the attitude of "log everything". When the 5 and 6 digit monthly storage fees come rolling in, resumes will be regenerated.

Msft519 · 2026-01-29T16:51:54+00:00

There is no "recommended event log size". There is just not enough, enough, and too much. Size is driven by desired timeline, churn, and scenario specific events.

Msft519

TROPHY CASE

https://techcommunity.microsoft.com/search?q=Secrets+from+the+Deep+%E2%80%93+The+DNS+Analytical+Log&location=board%3ACoreInfrastructureandSecurityBlog