Server 2025 Domain Controllers - Trust relationship issues on workstations after 30 days as "pwdLastSet" value unable to be updated

Anonymous
2025-01-03T12:18:07+00:00

Hi

We have 4 Domain controllers upgraded to Server 2025 and about 30+ still on 2022. The newly upgraded servers appear to have a bug whereby any workstations going through them are unable to update their "pwdLastSet" value, and so after the 30 day limit on that field is hit they then fall into a trust relationship issue with the domain. Is this a known bug of Server 2025? Are there any known fixes for this issue?

Windows Server Identity and access Active Directory

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


54 answers

  1. Anonymous
    2025-02-12T06:45:55+00:00

    No fix in Update 2025-02.

    3 people found this answer helpful.
  2. Anonymous
    2025-02-25T06:35:35+00:00

    Hello Erin Teu

    We have the same exact problem after updating our DCs to 2025. The problem can be seen on Windows 10 22H2 PCs as well. Besides the machine password expiration issue, we ran into a problem where our two Cisco RADIUS servers are no longer able to successfully negotiate with 2025 DCs.

    Cisco Support has identified the problem and it points down to a Microsoft kerberos bug. See the reply from Cisco Support below.

    Hello, Team

    I hope you are doing well today!

    My name is Abdullah Lodhi and I am with Cisco Systems AAA team and I will be working on your case SR 698715209.

    I have gone through the case notes and I am looking into this issue. So this bug is for Windows Server when it is 2025: the integration with ISE is failing due to a Microsoft check. It has been traced back to the krb5 library in the ADRT in the gmt_mktime.c file in the krb5int_gmt_mktime function. In it, there is an explicit check to see if the received timestamp is after the year 2038 and if so, the assert fails and returns -1. The function is called by the asn1_decode_generaltime function in the asn1_decode.c file which then returns the LW_ERROR_KRB5_ASN1_BAD_TIMEFORMAT error.

    This flow is triggered by the first TGT obtaining during kerberos. In the AS-REP, AD 2025 sends a default expiry time of year 2100 (expiry time of the session key that is used to encrypt the traffic between the client and the KDC) and when processing this response the ADRT eventually gets to parsing the expiry date and throws the LW_ERROR_KRB5_ASN1_BAD_TIMEFORMAT error.

    As from our side the only workaround is to revert back to 2022 Windows AD as there is no fix from Cisco as the issue is on Microsoft Side and we are pending a fix from them. Please let me know if you have any questions in regards to the bug, if not please let me know if we can proceed with case closure.

    Thank you,

    Until Microsoft releases a fix to our problem, I will set the password expiration date to infinite in the meantime.

    Best regards

    Christian

    2 people found this answer helpful.
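The failure path in the Cisco reply above comes down to one arithmetic limit: a Kerberos timestamp (an ASN.1 GeneralizedTime such as "21000101000000Z", the KerberosTime of RFC 4120) is converted to a time_t, and a signed 32-bit time_t cannot hold any instant after 2038-01-19T03:14:07Z. The following is an added PowerShell example, not code from the thread, from Cisco or from Microsoft, and not the krb5 library itself: it models that check so you can see which values a 32-bit decoder would reject. The function names krb5int_gmt_mktime and asn1_decode_generaltime are those cited in the Cisco reply; the key-expiration field is the optional KerberosTime in EncKDCRepPart (RFC 4120); the sample timestamps and the DER bytes are constructed for this example, not captured from a Server 2025 DC, so whether a given DC really sends a year-2100 value is the Cisco engineer's finding, not something this script verifies.

```powershell
# Added example: model of the krb5int_gmt_mktime()/asn1_decode_generaltime() check
# described in the Cisco reply. Not krb5 code; sample values are constructed.

# Largest instant a signed 32-bit time_t can represent: 2038-01-19T03:14:07Z.
$TimeT32Max = [datetime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc).AddSeconds([int32]::MaxValue)

function ConvertFrom-KerberosGeneralizedTime {
    # Decode the "YYYYMMDDHHMMSSZ" form Kerberos uses (RFC 4120 KerberosTime) and
    # report whether a 32-bit time_t decoder would reject it as the reply describes.
    param([Parameter(Mandatory)][string]$Text)

    # KerberosTime has no fractional seconds and is always UTC ("Z").
    if ($Text -notmatch '^\d{14}Z$') {
        throw "Not a KerberosTime value: '$Text'"
    }

    $styles = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    $utc = [datetime]::ParseExact($Text, 'yyyyMMddHHmmss\Z', [cultureinfo]::InvariantCulture, $styles)

    [pscustomobject]@{
        Text          = $Text
        Utc           = $utc
        Fits32BitTime = ($utc -le $TimeT32Max)   # $false is the case that fails the 2038 check
    }
}

function ConvertFrom-DerGeneralizedTime {
    # Minimal DER TLV decode for a GeneralizedTime (universal tag 0x18, short-form
    # length), the step asn1_decode_generaltime() performs before the time conversion.
    param([Parameter(Mandatory)][byte[]]$Der)

    if ($Der.Length -lt 2 -or $Der[0] -ne 0x18) { throw 'Expected a DER GeneralizedTime (tag 0x18)' }
    $len = [int]$Der[1]
    if ($len -ge 0x80 -or $Der.Length -ne (2 + $len)) { throw 'Unsupported or truncated DER length' }

    $text = [System.Text.Encoding]::ASCII.GetString($Der, 2, $len)
    ConvertFrom-KerberosGeneralizedTime -Text $text
}

# Constructed sample values for this example.
$samples = @(
    '20250301120000Z'   # an ordinary ticket lifetime, well inside the 32-bit range
    '20380119031407Z'   # the last second a signed 32-bit time_t can hold
    '21000101000000Z'   # a year-2100 key-expiration like the one the reply describes
)
foreach ($s in $samples) { ConvertFrom-KerberosGeneralizedTime -Text $s }

# The same year-2100 value as it would be DER-encoded inside EncKDCRepPart:
# tag 0x18, length 15, ASCII body. Bytes constructed here, not captured from a DC.
$der = [byte[]](@(0x18, 0x0f) + [System.Text.Encoding]::ASCII.GetBytes('21000101000000Z'))
ConvertFrom-DerGeneralizedTime -Der $der
```

Only the third sample and the DER-encoded copy of it come back with Fits32BitTime = $false; the first two decode cleanly. The practical point for anyone triaging a non-Windows Kerberos client against a 2025 DC is that the AS exchange can be syntactically correct and still be rejected by a client whose time handling is 32-bit, so the error will surface as an ASN.1 or time-format error on the client rather than as a KDC error code.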
  3. Anonymous
    2025-01-03T12:49:42+00:00

    Hello Erin Teu,

    Thank you for posting in Microsoft Community forum.

    Do you have one Windows server 2022 Domain Controller and four Windows server 2025 Domain Controllers, am I right?

    Here is some general advice on troubleshooting your issue.

    1. Review Event Logs:

    Check the event logs on the domain controllers and affected workstations for any error messages or warnings related to password updates and trust relationships. This can provide more insight into what's causing the issue.

    2. Apply Updates and Patches:

    Make sure all servers, especially the ones running 2025, are fully updated with the latest patches and updates. Sometimes, bugs are fixed in subsequent patches.

    3. Verify AD Replication:

    Confirm that Active Directory replication is functioning correctly between all domain controllers. Issues with replication can sometimes cause problems with attribute updates like pwdLastSet.

    Please run the commands below on the PDC. If there is no error in the command results, it seems AD replication works fine.

    repadmin /showrepl >C:\rep1.txt
    repadmin /replsum >C:\rep2.txt

    repadmin /showrepl * /csv >c:\repsum.csv

    4. Group Policy Settings:

    Review your Group Policy settings to ensure there are no policies that might be affecting the ability of workstations to update their passwords.

    5. Check Time Synchronization:

    Ensure all domain controllers and workstations are synchronized to the same time source. Time discrepancies can cause various issues in a domain environment, including problems with password updates and trust relationships.

    6. Workstation Configuration:

    Confirm that the workstations are correctly configured to communicate with the updated domain controllers.

    Tips:

    I am sorry, I do not have Windows server 2025 in my lab. I suggest you can try to set up only one 2025 Windows server Domain Controller in one single domain in one forest. Then check if there is such problem.

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,

    Daisy Zhou

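The checks in the answer above are usually done one at a time by hand; the following is an added PowerShell triage script, not code from the thread, from Microsoft or from Cisco, that collects them in one pass on an affected domain-joined workstation (run it in an elevated PowerShell). The registry value names MaximumPasswordAge and DisablePasswordChange under the Netlogon Parameters key, the 30-day default, and the NETLOGON event provider are Netlogon's documented settings; the layout of the report is this example's own. One caveat worth knowing before reading the output: Active Directory does not expire computer account passwords on its own. The workstation initiates the change once the password is older than MaximumPasswordAge, so PastChangeInterval = $true together with SecureChannelOk = $false is the signature of a change that did not complete consistently on both sides, which matches the symptom in the question.

```powershell
# Added triage example for the "pwdLastSet not updating / trust relationship" symptom.
# Not from the thread, Microsoft or Cisco. Run elevated on a domain-joined workstation.

Add-Type -AssemblyName System.DirectoryServices

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$netlogon    = Get-ItemProperty -Path $netlogonKey

# MaximumPasswordAge only exists in the registry when someone set it; Netlogon's default is 30 days.
$maxAgeDays      = if ($null -ne $netlogon.MaximumPasswordAge) { [int]$netlogon.MaximumPasswordAge } else { 30 }
$changesDisabled = ($netlogon.DisablePasswordChange -eq 1)

# Read this machine's own pwdLastSet from AD through ADSI, so no RSAT module is required.
$searcher = [adsisearcher]"(&(objectClass=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
[void]$searcher.PropertiesToLoad.Add('pwdLastSet')
$result = $searcher.FindOne()
if ($null -eq $result) { throw "No computer object found for $env:COMPUTERNAME" }

# pwdLastSet is a FILETIME (100-ns ticks since 1601, UTC); 0 means it was never set.
$pwdLastSet = [datetime]::FromFileTimeUtc([int64]$result.Properties['pwdlastset'][0])
$ageDays    = [math]::Round(((Get-Date).ToUniversalTime() - $pwdLastSet).TotalDays, 1)

# Which DC the locator hands this workstation, and what that DC runs
# (useful here to tell a 2025 DC from a 2022 one).
$dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController()

# Secure channel check; a failure here is what users see as the "trust relationship" error.
try   { $secureChannelOk = Test-ComputerSecureChannel -ErrorAction Stop }
catch { $secureChannelOk = "error: $($_.Exception.Message)" }

# Recent Netlogon events on the workstation, for the "review event logs" step.
$netlogonEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON' } -MaxEvents 10 -ErrorAction SilentlyContinue |
                  Select-Object TimeCreated, Id, LevelDisplayName, Message

[pscustomobject]@{
    Computer                 = $env:COMPUTERNAME
    LogonServer              = $env:LOGONSERVER
    LocatedDC                = $dc.Name
    LocatedDCOSVersion       = $dc.OSVersion
    PwdLastSetUtc            = $pwdLastSet
    PasswordAgeDays          = $ageDays
    MaximumPasswordAgeDays   = $maxAgeDays
    PastChangeInterval       = ($ageDays -gt $maxAgeDays)   # Netlogon should already have tried to change it
    MachinePwdChangeDisabled = $changesDisabled
    SecureChannelOk          = $secureChannelOk
}

$netlogonEvents | Format-Table -AutoSize -Wrap
```

Two follow-ups a practitioner will want alongside this. First, the "set the expiration to infinite" workaround mentioned elsewhere in the thread corresponds to the security option "Domain member: Disable machine account password changes" (the DisablePasswordChange = 1 value under the same Netlogon key, which the script reports as MachinePwdChangeDisabled). It stops the symptom but also means the machine password never rotates, so anyone who extracts it from a compromised host keeps a valid machine credential indefinitely; scope it to the affected machines and revert it once a fix ships. Second, a workstation that has already lost its secure channel can be repaired from a local administrator logon with Test-ComputerSecureChannel -Repair -Credential (Get-Credential), or with Reset-ComputerMachinePassword -Server <dc> -Credential (Get-Credential) to push the reset through a specific DC (for instance one still on Server 2022) rather than whichever DC the locator picks.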
  4. Anonymous
    2025-01-03T13:38:04+00:00

    Hi Daisy

    We have 4 2025 DCs now and 30+ 2022 DCs. Below are responses to your points.

    1. I have reviewed event logs, which is what makes me believe there is a bug with Server 2025 in the way it is attempting to change passwords of computer objects; to me it looks like the Kerberos process is broken and so the DC and workstation go out of sync with each other's passwords held.
    2. All workstations have the latest patches and are on Windows 11 23H2. Servers are on the latest cumulative patches for Server 2025.
    3. AD replication is fine. The tests you suggested confirm this.
    4. Group policy settings are no different from Server 2022 to 2025, so this should not be the cause unless Server 2025 is behaving incorrectly or in a way contrary to AD defaults. If you can specify any specific settings I can look at them, as I am testing a few different changes to see if there is any effect but have not seen anything work as of yet.
    5. Time is up to date and in sync with AD.
    6. There is no difference in workstation configuration pre or post server upgrades to 2025, so unless you can specify what config needs changing I am not aware of anything that would cause this issue within our policies when I looked through them.

    This feels like a bigger bug, which may not hit all networks, but I've seen forum posts about this issue and so it's definitely hitting at least a subset of Active Directory infrastructures.

    Are there no current bugs etc linked to server 2025 domain controllers that relate to this issue?

    Best Regards

    Erin

  5. Anonymous
    2025-01-06T08:59:08+00:00

    Hello

    Greetings!

    Are there no current bugs etc linked to server 2025 domain controllers that relate to this issue?

    A: I suggest you can try to set up only one 2025 Windows server Domain Controller in one single domain in one forest. Then check if there is such problem.

    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    1 person found this answer helpful.