Today, another post for domain controller administrators. If anyone is thinking about adding a Windows Server 2025 as a domain controller (DC) in a mixed environment, don't do it. Adding a new Windows Server 2025 DC to an existing structure with older Windows Server DCs causes massive problems: the machine account password cannot be changed, and domain logins fail sporadically. This is a bug in Windows Server 2025 that has not been publicly confirmed, but the Microsoft product group is working on a fix.
A reader's tip: "The roof is on fire!"
It was a private message from German blog reader Andy Wendel on Facebook (thanks for that). Andy wrote: "There is a massive problem in mixed environments when a new DC2025 is added: the roof is on fire!" If I understand correctly, his customers are seeing massive issues with this configuration.
That rang a bell: a few hours earlier, in a different context, I had casually noticed the tweet shown above, which addresses problems with RC4 encryption in Windows Server 2025 and Windows 11 24H2.
Windows Server 2025 DC causes problems in mixed environments
In his private message, Andy Wendel pointed me to the reddit.com thread RC4 issues, which is now about three months old (from May or June 2025). The thread starter describes his situation:
I am running a domain at 2016 functional level. Our DCs are 2022 and 2025 (we have 4). When we added the 2025 DCs, we started having random issues where our domain logins would randomly stop working on a given server.
Machine accounts cannot reset passwords
Since Windows Server 2025 was added as a domain controller in this domain, there has been nothing but trouble. The thread starter writes that domain logins suddenly stopped working on a specific server. There is no pattern; the failures occur randomly on different servers.
The person affected then wrote that it had turned out that the machine accounts could not reset their passwords. I immediately thought of my blog post Windows Server 2025 Domain Controller: Trust Relationship with Windows 11 is lost from January 2025.
Workaround: Manually reset machine account passwords
The thread starter states that the temporary solution is to log in to the problematic server as a local administrator and use the command:
specifying any DC and passing "-Credential (Get-Credential)". This prompts for a domain administrator account, which is then used to reset the machine account password in the domain.
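As an added illustration of that workaround (not code from the blog post or from the reddit thread), the following PowerShell script tests the secure channel of the affected member server and repairs it against a named DC with a domain administrator credential. It assumes the command the thread starter refers to is Test-ComputerSecureChannel, which accepts -Server, -Credential and -Repair; the DC name is a placeholder. It is meant to be run in an elevated session as a local administrator on the problematic server.

```powershell
# Added example, not from the blog post or the reddit thread.
# Assumptions: the cmdlet meant in the thread is Test-ComputerSecureChannel;
# 'DC01.corp.example' is a placeholder for any writable DC in the domain.
param(
    [string]$DomainController = 'DC01.corp.example'   # placeholder DC name
)

# Step 1: test the secure channel read-only. $false means the machine account
# password no longer matches what the DC holds (the symptom in the thread).
$healthy = Test-ComputerSecureChannel -Server $DomainController -Verbose
if ($healthy) {
    Write-Host "Secure channel to $DomainController is healthy; nothing to do."
    return
}

# Step 2: prompt for a domain administrator credential and repair the channel,
# which resets the machine account password both locally and on that DC.
$cred = Get-Credential -Message 'Domain administrator account for the machine password reset'
$repaired = Test-ComputerSecureChannel -Repair -Server $DomainController -Credential $cred -Verbose

if ($repaired) {
    Write-Host "Secure channel repaired via $DomainController."
    # Re-test to confirm the reset actually replicated to the DC you named.
    Test-ComputerSecureChannel -Server $DomainController
} else {
    Write-Warning "Repair failed; check replication between the DCs and the System log (source: Kerberos / NETLOGON) on $DomainController."
}
```

The final re-test matters in the scenario described here: if the repair is done against a DC that itself cannot process the password change, the channel will look fixed locally but fail again at the next login, so naming a specific DC and verifying against it keeps the result reproducible.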
Disabling RC4 encryption: A path to disaster
According to the thread creator, further investigation revealed that the problem was caused by a GPO setting that disabled RC4 encryption on two of the domain controllers. Research by the affected party, involving Google and AI, suggested that globally removing RC4 from the msDS-SupportedEncryptionTypes attribute value should have resulted in the accounts no longer using RC4 encryption for authentication requests. However, attempting to enforce this crippled the entire domain. It could only be resolved with a "hair-raising" ADSI session, in which the GPO-driven setting was repaired so that RC4 was allowed again. This was the only way to restore access to the domain.
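Before touching msDS-SupportedEncryptionTypes by GPO, an administrator wants to know which accounts already carry an explicit value and which still allow RC4. The following read-only PowerShell audit is an added example (not code from the blog post, the thread or Microsoft): it decodes the attribute's documented bit mask and lists the domain controllers and every computer account that explicitly excludes RC4. It assumes the ActiveDirectory module (RSAT) is installed and that the session has read access to the domain.

```powershell
# Added example, not from the blog post or the reddit thread. Read-only audit.
# Assumes the ActiveDirectory (RSAT) module is available.
Import-Module ActiveDirectory

# Documented bit definitions of msDS-SupportedEncryptionTypes.
$EncTypeFlags = [ordered]@{
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128      = 0x08
    AES256      = 0x10
    AES256_SK   = 0x20   # session-key flag introduced with the November 2022 updates
}

function ConvertFrom-EncTypeMask {
    # Turn the integer mask into a readable list of enabled encryption types.
    param([AllowNull()][Nullable[int]]$Mask)
    if ($null -eq $Mask -or $Mask -eq 0) {
        # Attribute absent or 0: the DC applies its own default, not an explicit policy.
        return 'NOT SET (DC default applies)'
    }
    $names = foreach ($entry in $EncTypeFlags.GetEnumerator()) {
        if (($Mask -band $entry.Value) -ne 0) { $entry.Key }
    }
    return ($names -join ', ')
}

function Get-RC4Audit {
    # One row per computer account with the raw mask, the decoded list, and
    # whether RC4 is still usable. An unset/0 mask is counted as RC4 allowed,
    # because nothing on the object itself forbids it.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADComputer -Filter * -SearchBase $SearchBase `
        -Properties msDS-SupportedEncryptionTypes, OperatingSystem |
        ForEach-Object {
            $mask = $_.'msDS-SupportedEncryptionTypes'
            [pscustomobject]@{
                Name            = $_.Name
                OperatingSystem = $_.OperatingSystem
                RawMask         = if ($null -eq $mask) { $null } else { '0x{0:X2}' -f $mask }
                Decoded         = ConvertFrom-EncTypeMask $mask
                RC4Allowed      = ($null -eq $mask) -or ($mask -eq 0) -or (($mask -band 0x04) -ne 0)
            }
        }
}

# Usage: show the DCs first (the accounts the GPO in the thread touched), then
# every account that already excludes RC4 while the rest of the domain may not.
$audit   = Get-RC4Audit
$dcNames = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name
$audit | Where-Object { $dcNames -contains $_.Name } | Format-Table -AutoSize
$audit | Where-Object { -not $_.RC4Allowed } | Format-Table Name, RawMask, Decoded -AutoSize
```

A mixed result in the first table (some DCs with RC4 in the mask, some without) is exactly the state the thread describes; the audit makes it visible before a GPO pushes the change to accounts that still depend on RC4.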
Stuck in a mixed environment
The thread starter wrote that he could not upgrade the Windows Server 2022 domain controllers to Windows Server 2025 (that was not an option in his scenario). On the other hand, he could not remove the Windows Server 2025 machines that functioned as DCs either. He is now stuck with this setup.
In the reddit.com thread, another administrator posted on September 26, 2025 (when I wrote this article), reporting the same thing and confirming the behavior. He had the idea of preventing the machine accounts from changing their passwords.
Another administrator wrote that this was not a good idea because it would reduce network security and was, at best, a stopgap measure. He said that the only way he had been able to get out of this mess was by upgrading all domain controllers to Windows Server 2025. He wrote:
I ended up upgrading the DCs to be all 2025 (Apparently the 2025 Kerberos database changed in 2025 which is why the problem happened).
In the post, this administrator provides detailed instructions on how to perform the upgrade, especially when using VMs in Hyper-V environments, in order to avoid disaster. He writes that he had just lost his job because of this mess, since there was no documentation on this configuration. A supposedly more experienced colleague had told him that "this configuration happens automatically," which was not true. As a result, the company lost a day of production, which then led to his dismissal. However, upgrading all DCs to Windows Server 2025 did solve the problem with resetting the machine account password.
Various posts in the thread still claim that this is all a bug. However, the bug has not been fixed and has not been publicly confirmed. Ten days ago, another poster noted that the error had been reported internally and that the product group was working on a fix. He receives weekly status updates, but Microsoft has not announced this as a "known issue" on the official Windows Server Release Health Status page.
So, for mixed DC environments, the current advice is: "Stay away from Windows Server 2025 as an additional DC," because it will cause problems.
Similar articles:
Windows Server 2025 Domain Controller: Trust Relationship with Windows 11 is lost
Windows Server 2025: Bug in the schema master role of the DC
Windows 11 24H2/Windows Server 2025 is not receiving updates from WSUS
Windows Server 2025: HPE ProLiant DL325 server drops IRQL_NOT_LESS_OR_EQUAL BSOD after July 2025 update
Windows Server 2025: Authentication Bypass with Golden dMSA
Windows 11 24H2/Windows Server 2025: VM hangs after July 2025 update; fix with OOB update KB5064489
ReFS file system: Fix for CPU/RAM utilization bug in Windows Server 2025 in August 2025?
Microsoft's unloved ReFS file system – CPU/RAM utilization bug in Windows Server 2025 unfixed
Windows Server 2025: Hotpatching needs a subscription from July 1, 2025
Windows Server 2025: Domain Controller no longer accessible after restart