#PSA: Don't upgrade your Windows DCs to 2025 yet


full grove
#

ONTAP can't join a 2025 DC or change the machine account PW. It will break your CIFS setup. Error is KRB5KRB_AP_ERR_MODIFIED
The issue is under investigation (CONTAP-347583)

We hit this in our lab and it took us a while 😄

If you have already upgraded some of your DCs, set the Preferred DC in ONTAP to a 2022 one

cloud aurora
#

Look at some of these changes.

full grove
#

did you look at the NetApp Bug?

#

it's a bug. not a missing AES setting

#

also, from the link you posted:

AES encryption is enabled by default.

#

my guess is they use the wrong Samr method to change the password since the old ones are disabled by default. In the logs you can see that ONTAP creates the machine account but then fails to set the password.
There will probably be a workaround posted soon, a registry key change on the DC or a GPO setting (the bug is from 3 days ago, so pretty new)...
It's not the first time ONTAP has been caught by surprise by Microsoft changes 😉

#

Again, I'm not posting this to ask for advice, so don't bother...
it is purely a PSA so that others don't run into that same issue

wicked prairie
#

It was released on November 1 for general availability. ONTAP historically will catch up in about 6 months

cloud aurora
#

If the account joining the SVM is part of the Protected Users group, like a domain admin, you might look at this section in the original link:

#

Legacy Security Account Manager (SAM) remote procedure call (RPC) password change behavior: Secure protocols such as Kerberos are the preferred way to change domain user passwords. On DCs, the latest SAM RPC password change method SamrUnicodeChangePasswordUser4 by using Advanced Encryption Standard (AES) is accepted by default when it's called remotely. The following legacy SAM RPC methods are blocked by default when they're called remotely:

SamrChangePasswordUser
SamrOemChangePasswordUser2
SamrUnicodeChangePasswordUser2

For domain users that are members of the Protected Users group and for local accounts on domain member computers, all remote password changes through the legacy SAM RPC interface are blocked by default, including SamrUnicodeChangePasswordUser4.

To control this behavior, use the following GPO setting:

Computer Configuration > Administrative Templates > System > Security Account Manager > Configure SAM change password RPC methods policy
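An added audit script for admins checking their own environment against the two conditions the quoted section describes (not code from the thread, NetApp or Microsoft). It assumes the RSAT ActiveDirectory module on the machine running it, uses a placeholder join-account name, and names the ONTAP preferred-DC CLI verb only as a pointer, not as something the thread verified.

```powershell
# Added example: inventory DCs by OS version and check whether the SVM join
# account is in Protected Users. Per the quoted Windows Server 2025 docs,
# Protected Users members get every remote SAM RPC password change blocked,
# including SamrUnicodeChangePasswordUser4; other accounts only lose the three
# legacy methods by default.
Import-Module ActiveDirectory

$JoinAccount = 'svc-ontap-join'   # placeholder: the account used for the SVM domain join

# Which DCs run Windows Server 2025? Until the BURT is fixed, ONTAP should be
# pointed at a 2022 DC instead (ONTAP CLI: vserver cifs domain preferred-dc add).
$dcs = Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, OperatingSystem

$dcs2025  = $dcs | Where-Object { $_.OperatingSystem -like '*2025*' }
$dcsOlder = $dcs | Where-Object { $_.OperatingSystem -notlike '*2025*' }

Write-Host 'Windows Server 2025 DCs (avoid as the ONTAP preferred DC for now):'
$dcs2025 | Format-Table -AutoSize
Write-Host 'Pre-2025 DCs (candidates for the ONTAP preferred DC setting):'
$dcsOlder | Format-Table -AutoSize

# Is the join account a Protected Users member, directly or through nesting?
$protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Select-Object -ExpandProperty SamAccountName

if ($protected -contains $JoinAccount) {
    Write-Warning ("{0} is in Protected Users: on 2025 DCs all remote SAM RPC " +
        "password changes are blocked, even SamrUnicodeChangePasswordUser4.") -f $JoinAccount
} else {
    Write-Host ("{0} is not in Protected Users; only SamrChangePasswordUser, " +
        "SamrOemChangePasswordUser2 and SamrUnicodeChangePasswordUser2 are " +
        "blocked remotely by default on 2025 DCs.") -f $JoinAccount
}
```

Run it as a domain user with read access to AD; it changes nothing and only reports which DCs and which account property would trigger the blocked-method behaviour.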

full grove
#

the fact that this is not already written as workaround in the BURT tells me that there's probably more to it. But if you know more, please contact NetApp and help them fix it faster 😉

cloud aurora
#

Here is another possible target: