Posted by: Ian | June 7, 2012

KDC Authentication problems with 2003 to 2008 domain functional level

Recently a client raised their functional level to 2008 from 2003. I’ve rarely seen issues doing this as generally it just adds new features. However this time there were problems.

The client had Exchange 2010 (Latest SP) with multiple DAGs. Periodically the server holding the active databases would unmount and not failover to another DAG member.

Checking through the logs the server was complaining of not being able to communicate with any Active Directory Domain controller with numerous event IDs: 2102, 2103, 2114, 9106.

Restarting the Exchange services worked as a quick fix but would die later on in the day.

Well it turns out that there does appear to be an issue upping the forest functional level with a blog from another person experiencing similar issues –

To fix the issue fully the KERBEROS DISTRIBUTION KEY (KDC) service needed to be restarted on all domain controllers. In this clients case a reboot of the DC was done for good measure.

This resolved the issue.

At the time of writing there appears to be no technet article identifying this as an issue.


  1. Thanks for finally writing about >KDC Authentication problems with 2003 to
    2008 domain functional level | Ian’s Blog <Liked it!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s


%d bloggers like this: