Windows Server 2025 has gotten off to a rocky start with some features you definitely don’t want in your environment. Especially not when using it for a domain controller.
The first one “Logon might fail with Windows Hello in Key Trust mode and log Kerberos Events” just caused a lot of noise in the event log after the April update, unless you had the AllowNtAuthPolicyBypass registry key set to enforce the requirement that certificates are chained to an issuing certificate authority in the NTAuth store.
The second one “Domain Controllers Manage Network Traffic Incorrectly After Restarting” caused a lot more havoc. Anytime a 2025 domain controller was rebooted, the firewall profile would be set to Public causing all kinds of issues with domain services.
While both issues are noted as fixed in the June update KB5060842, you may still have broken member servers in your environment if they attempted to change their computer account password against a 2025 DC pre-patch. You can find these by filtering on Event ID 16 in the System log on your DCs and looking for the following error message:
While processing a TGS request for the target server YourServerName$, the account YourServerName$@YourDomain did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 9). The requested etypes were 18 17 23 3 1. The accounts available etypes were 23. Changing or resetting the password of YourServerName$ will generate a proper key.
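As an added example (not part of the original post), here is a PowerShell snippet that pulls Event ID 16 from the System log on each DC and extracts the affected computer account from the message text quoted above. The DC names, the lookback window and the regular expression are assumptions you should adjust for your environment.

```powershell
# Added example: list member servers whose Kerberos keys were broken by a
# pre-patch 2025 DC. Assumes rights to read the System log on each DC;
# the DC names and lookback window are placeholders to edit.
$DCs   = @('DC01', 'DC02')           # replace with your domain controllers
$Since = (Get-Date).AddDays(-60)     # how far back to look

$Affected = foreach ($dc in $DCs) {
    # Event ID 16 in the System log carries the "did not have a suitable key" message
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'System'
        Id        = 16
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the account name out of the message; the regex is an assumption
        # based on the wording quoted in the post ("for the target server NAME$,").
        if ($e.Message -match 'for the target server (?<Account>[^,]+\$),') {
            [pscustomobject]@{
                DC          = $dc
                TimeCreated = $e.TimeCreated
                Account     = $Matches.Account
            }
        }
    }
}

# One row per affected computer account, showing its most recent occurrence
$Affected |
    Sort-Object Account, TimeCreated -Descending |
    Group-Object Account |
    ForEach-Object { $_.Group[0] } |
    Select-Object Account, DC, TimeCreated |
    Format-Table -AutoSize
```

Each account listed is a candidate for the Reset-ComputerMachinePassword fix described below; accounts that stop appearing after the reset confirm the key was regenerated.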
The symptoms on the member server side would be a policy error when attempting to RDP to an affected server, Group Policy failing to apply, and the Windows Firewall using the Private or Public profile rather than the Domain Profile. All the usual symptoms of a lost trust relationship.
To fix it, log into the affected server and issue the following command:
Reset-ComputerMachinePassword -Server DCName -Credential youradmincredentials
If the firewall is still showing Private or Public go to the NIC settings and disable and then re-enable it.
Hopefully this will be the last of the big bugs in Windows Server 2025. It definitely reinforces the idea that it’s good to let a new OS “bake” for a while before using it in production.
