I have a case open with Microsoft. This should become an officially acknowledged issue shortly - it isn't yet.
Basically, in a mixed DC environment, Kerberos will stop working completely (against older DCs) for accounts as they change passwords in a "specific fashion". See below.
It can affect any account - computer, user, domain controller machine account, doesn't matter - probably even krbtgt, in which case your AD would break completely in epic fashion. gMSAs are affected too and are unfixable other than by deleting and recreating them.
Computer accounts are just the first to break since they change passwords every 30 days by default. And, as you discovered, they can "fix themselves" through manual actions. For standard users, Kerberos is the only protocol available for password changes, so when Kerberos breaks, user accounts will be effectively broken and can't be fixed other than through admin-initiated password resets.
Also, computer accounts can be fixed without needing any credentials by using nltest /sc_change_pwd:domain.name.
--
Does anyone know how to fix this? Upgrading the 2022 DCs is not an option and I cannot remove the 2025 DCs either.
Then, my brother in administration, you might just be fucked.
There is no fix (currently; to my knowledge), other than reverting to all-2022 DCs and resetting all passwords in the domain to be sure, or going all-2025 DCs, in which case you won't encounter the issue.
Even if you revert to all-2022 now, accounts might be stealth-broken and will break on the next password change. So a password reset for every account is required.
--
DefaultDomainSupportedEncTypes
This also isn't working as documented for Server 2025 - the key needs to be set at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters in order to take effect.
Note: as said, this is currently undocumented.
You could try playing around with this to see if it makes a difference.
--
Anyway, here's
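As an added example (not code from the thread or its author), the script below audits a DC for DefaultDomainSupportedEncTypes in both the location Microsoft documents (HKLM\SYSTEM\CurrentControlSet\Services\KDC, per KB5021131) and the location the comment above reports Server 2025 actually honours, decodes the bitmask into encryption-type names, warns if the two locations disagree, and can optionally run the `nltest /sc_change_pwd` reset the comment describes for a broken computer account. The domain name `domain.name` is a placeholder and the `-ResetSecureChannel` switch is my own addition.

```powershell
# Added example, not from the thread: audit DefaultDomainSupportedEncTypes on a DC
# and optionally reset this computer's secure-channel password (the thread's fix).
[CmdletBinding()]
param(
    [string]$DomainName = 'domain.name',   # placeholder: replace with your AD domain
    [switch]$ResetSecureChannel            # assumed switch; runs nltest /sc_change_pwd
)

# Documented location (KB5021131) and the location the thread says Server 2025 reads.
$Paths = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\KDC',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
)

# Bit values of the supported-encryption-types mask used by the KDC.
$EncTypeBits = [ordered]@{
    DES_CBC_CRC                = 0x1
    DES_CBC_MD5                = 0x2
    RC4_HMAC_MD5               = 0x4
    AES128_CTS_HMAC_SHA1_96    = 0x8
    AES256_CTS_HMAC_SHA1_96    = 0x10
    AES256_CTS_HMAC_SHA1_96_SK = 0x20
}

function ConvertFrom-EncTypeMask {
    param([int]$Mask)
    $names = foreach ($e in $EncTypeBits.GetEnumerator()) {
        if ($Mask -band $e.Value) { $e.Key }
    }
    if (-not $names) { return '(no bits set; KDC falls back to its built-in default)' }
    return ($names -join ', ')
}

function Get-DefaultDomainSupportedEncTypes {
    foreach ($p in $Paths) {
        $value = $null
        if (Test-Path $p) {
            $value = (Get-ItemProperty -Path $p -Name DefaultDomainSupportedEncTypes `
                      -ErrorAction SilentlyContinue).DefaultDomainSupportedEncTypes
        }
        [pscustomobject]@{
            Path    = $p
            Value   = if ($null -ne $value) { '0x{0:X}' -f $value } else { '(not set)' }
            Decoded = if ($null -ne $value) { ConvertFrom-EncTypeMask -Mask $value } else { '' }
        }
    }
}

$results = Get-DefaultDomainSupportedEncTypes
$results | Format-Table -AutoSize

# If the two locations disagree, a 2025 DC may be using a different mask than the
# one an admin set at the documented path, which is exactly what the thread reports.
if (($results.Value | Select-Object -Unique).Count -gt 1) {
    Write-Warning 'DefaultDomainSupportedEncTypes differs between the two registry locations; the thread reports only the Policies\System\Kerberos\Parameters value takes effect on Server 2025.'
}

if ($ResetSecureChannel) {
    # The thread's remediation for a computer account whose Kerberos has broken:
    # force a new secure-channel password; no credentials are required.
    & nltest.exe "/sc_change_pwd:$DomainName"
    if ($LASTEXITCODE -ne 0) { Write-Warning "nltest exited with code $LASTEXITCODE" }
}
```

Run it elevated on the DC you want to inspect; without `-ResetSecureChannel` it is read-only. Reading both paths side by side is the quickest way to confirm whether a value you believe you configured is actually the one a given DC is applying.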