This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 39%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDX%3C/text%3E%3C/svg%3E)
There is a primary domain controller in the environment, Windows Server 2008R2, and a secondary domain controller, Windows Server 2016. Now I have purchased a Windows Server 2022 system server and plan to upgrade it to the primary domain controller. But I found that there are two errors that appear frequently in the system log of Windows Server 2016:
1)、The Kerberos Key Issuance Center is missing account krbtgt.
The password for this account must be updated to prevent the use of insecure encryption.
See https://go.microsoft.com/fwlink/?linkid=2215265
2)、The Key Issuance Center (KDC), while processing another ticket request, encountered a ticket that did not contain the account information for which the ticket was requested. This prevents security checks from running and may open security holes. See https://go.microsoft.com/fwlink/?linkid=2173051 for more information
I looked at it and it said that I need to install an update and then modify the key value in the registry.
But I downloaded the update ((KB5008601)) to Windows Server 2016, but it prompted me that I could not install it. Other updates also prompted that they were expired and could not be downloaded. I could not find the required value (PacRequestorEnforcement) in the registry.
Here are the previously installed updates:
I would like to ask how to solve these two errors. Thank you very much.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi @Dongdong Xu
Please start by checking Active Directory health by running the following commands:
repadmin /showrepl
dcdiag
Did you try to reset krbtgt password?
Regarding PacRequestorEnforcement please read the link below
Please don’t forget to accept helpful answer
if the registry. PacRequestorEnforcement doesn’t exist you can create it
I invite you to take a look at this KB:
Please don’t forget to accept helpful answer.
Hello, thank you for your answer. Of the two tests above, the first one has no errors, and the second one has errors.
I want to install updates for windows server2008 r2, but I found that there are only sp1 and sp2 options, and my system is server2008r2 standard
I would like to ask if there is an update suitable for my system.
Windows 2008r2 is not supported by Microsoft, that’s why you cannot find a update published by Microsoft for this version.
I think it’s time to demote this domain controller and replace it by version Windows 2016 or higher to avoid facing this kind of issue.
Please don’t forget to accept helpful answer
hi ,
Thanks, I am preparing to migrate the main domain controller to the windows server2022 system, but now I have this error, I can't continue, I have to solve this error. Please tell me if I can upgrade my windows server2008R2 to SP1. If so, can you give me a download link for the SP1 patch? I looked for it but couldn’t find it. Thank you very much.
You can try downloading from this links
https://www.catalog.update.microsoft.com/Search.aspx?q=KB976932
Please don’t forget to accept helpful answer
Because I am worried that there will be problems with the domain environment, I cannot upgrade to sp1. Thank you. Is there any other solution to this problem?
Did you try to move all FSMO role to Windows 2016 then metadata cleanup to remove domain controller under Windows 2008 R2 ?
One done you can promote a domain controller windows 2022 if the domain and forest functional level is Windows 2008 R2 ad the System replication for sysvol foler is DFS-R .
Please don’t forget to accept helpful answer
Thank you for your reply. My current transmission method is frs, so I want to resolve these errors before converting to dfs-r, because I am worried that these errors will affect the conversion. Do you mean that these two errors will not affect the role migration, but will they affect the system replication method?
It should not affect the migration if you demote domain controller Windows 2008 R2 using metadacleaup meathod and then you migrate DFS-R for sysvol replication.
You should check the replication status and Aactive directory health using the following commadns :
dcdiag
repadmin /showrepl
Don't forget to backup all your domain controllers beforeany action to be able to restore the service n case of issue.
Please don't forget to accept helpful answer
Thanks for your help, I'll try it.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
This one could help.
As to KB5008601 this is the November 14, 2021(OS Build 14393.4771) Out-of-band update and would not apply if the current build is a higher level which you can check.
winver
--please don't forget to close up the thread here by marking answer if the reply is helpful--
Just checking if there's any progress or updates?
--please don't forget to close up the thread here by marking answer if the reply is helpful--
抱歉,我按照你的教程重置krctgt密码,但又出现问题了
我在主域控windows server2008R2中,运行1没有问题,但运行2时,出现 错误,
在辅助域控中windows2016k中,运行1就有错误
但我在测试repadmin /replsummary ,repadmin /showrepl,一切都正常,很奇怪 ,感谢你的回答
对了,我看有人说是语言的问题,我的两个操作系统都是简体中文件版,不知道是不是这个原因