To improve Windows Server I suggest you ...

Windows Server 2016 - A directory service error has occurred - (80072095)

Here's an odd one.

Promote Windows Server 2016 to a domain controller.

Using Group Policy Management, edit the Default Domain Controllers Policy as follows:

Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - Security Options - Network security: Configure encryption types allowed for Kerberos

Choose
AES128_HMAC_SHA1
AES256_HMAC_SHA1
Future encryption types

Restart your domain controller.

Using Group Policy Management, edit the Default Domain Controllers Policy as follows:

Computer Configuration - Policies - Windows Settings - Security Settings

Notice that an IP Security Policy Management error appears.

A directory service error has occurred - (80072095)

Also notice that no "IP Security Policies" can be created, under "Security Settings".

This must be a bug, right?

If you add RC4_HMAC_MD5 as a Kerberos encryption type, the error goes away and everything works.

Using MD5 is not recommended, of course, so basically you can't define Kerberos encryption types?

Thank you.

1 vote

Lance Simmons shared this idea

1 comment

Lance Simmons commented:

Further testing has revealed a better workaround:

The IPsec error only appears if you're logged in using the built-in Administrator account.

Simply create a named account which is a member of Domain Admins, etc.

No changes to Kerberos Encryption settings are necessary.

This still appears to be a bug.
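Added example, not part of the original post or comment and not Microsoft's code: a PowerShell check to run on the domain controller that decodes the SupportedEncryptionTypes value written by the policy discussed above, so you can confirm RC4_HMAC_MD5 is not left enabled after testing the workarounds. The function name ConvertFrom-KerberosEtypeMask is hypothetical; the registry path and bit values are assumptions taken from Microsoft's documentation of this setting, not from this page, and the two sample masks are constructed from those bit values.

```powershell
# Bit values for "Network security: Configure encryption types allowed for Kerberos"
# (assumed from Microsoft's documentation of the setting, not from this page).
$KerberosEtypeBits = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_HMAC_SHA1'        = 0x8
    'AES256_HMAC_SHA1'        = 0x10
    'Future encryption types' = 0x7FFFFFE0
}
$WeakEtypes = 'DES_CBC_CRC', 'DES_CBC_MD5', 'RC4_HMAC_MD5'

# Hypothetical helper: turn the bitmask into the list of enabled types and flag weak ones.
function ConvertFrom-KerberosEtypeMask {
    param([Parameter(Mandatory)][int64]$Mask)
    $enabled = foreach ($name in $KerberosEtypeBits.Keys) {
        $bits = $KerberosEtypeBits[$name]
        if (($Mask -band $bits) -eq $bits) { $name }
    }
    [pscustomobject]@{
        Mask    = '0x{0:X}' -f $Mask
        Enabled = @($enabled)
        Weak    = @($enabled | Where-Object { $_ -in $WeakEtypes })
    }
}

# Constructed sample values: the AES-only selection from the post, then the same with RC4 added.
$aesOnly = 0x8 -bor 0x10 -bor 0x7FFFFFE0
$withRc4 = $aesOnly -bor 0x4
$aesOnly, $withRc4 | ForEach-Object { ConvertFrom-KerberosEtypeMask -Mask $_ } | Format-List

# Value actually applied to this machine by Group Policy (absent if the policy is not configured).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$prop = Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    Write-Output 'SupportedEncryptionTypes is not set by policy on this machine.'
} else {
    $result = ConvertFrom-KerberosEtypeMask -Mask $prop.SupportedEncryptionTypes
    $result | Format-List
    if ($result.Weak.Count -gt 0) {
        Write-Warning ("Weak Kerberos encryption types enabled: " + ($result.Weak -join ', '))
    }
}
```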
