event id 37 KDC on windows server 2019 domain controller

Question

Hi,

I am upgrading my Active Directory domain from Windows Server 2008 R2 to Windows 2019, after adding the new domain controller running on Windows Server 2019 some erros with ID 37 - KDC started showing on event viewer.

I found some KBs that might help (KB5008602, KB5005112, KB5008380, and KB5021655), but they were released on different months, I do not know if I just need to installed the latest KB or if I need to install all of them.

Besides the KB, do I need to apply/configure something else?

What about my windows clients?

Thanks in advance.

Answer 1

Shouldn't need to worry about it. Patch all the domain controllers as first step. Then each user will get the new improved authentication information PACs of Kerberos Ticket-Granting Tickets. (TGT) described in the KB below

Then you may get one warning for every user.

https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
Adds the new PAC to users who authenticated using an Active Directory domain controller that has the November 9, 2021 or later updates installed. When authenticating, if the user has the new PAC, the PAC is validated.

the PacRequestorEnforcement registry value's only function is to allow you to transition to the Enforcement phase early. Otherwise not needed.

--please don't forget to upvote and Accept as answer if the reply is helpful--

Answer 2

So basically I just have to install KB5008602.

Does PacRequestorEnforcement has to keep the default value?