Hello. I am working on a single-DC root forest domain with another single-DC domain in the same forest. I was trying to force Kerberos tickets to a third-party app to use AES256 on the root domain via the group policies set here: https://blogs.msdn.microsoft.com/openspecification/2011/05/30/windows-configurations-for-kerberos-supported-encryption-type/ . I was also using the computer account settings from that article.
Something seems to have gone wrong and on the root domain DC, DNS could no longer connect to AD with event ID 4000 registered in event logs. I also found replication between the root domain DC and the other domain's DC was no longer working.
Running repadmin /syncall from the child domain DC I get 'Replication access was denied.' In a network trace I inspect the Kerberos traffic and see this:
TGS-REQ
In the response I get this:
I have removed all the group policy settings for Kerberos encryption types and rebooted both DCs several times, as well as run gpupdate. I've also manually gone into the computer account for the forest root domain server and noticed that it is only set to allow AES128 for some reason, and when I set it to allow RC4/AES128/AES256 (0x1c), it ends up reverting eventually. This might be because gpupdate is failing on the root domain computer and never taking away the disabled Kerberos encryption policy I created.
Is there a setting somewhere that is overriding the encryption for the Kerberos tickets from the KDC? I've tried about everything I can find online: resetting computer account passwords, verifying DNS resolves (long story getting that in a functional order), etc. Very stuck on this, and I don't really want to have to recreate both domains.
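A diagnostic for the situation described above, added here as an example and not part of the original question. It decodes the msDS-SupportedEncryptionTypes bitmask the post mentions (0x1c) for every domain controller's computer account and reads the locally applied Kerberos policy value, so a lingering override can be spotted; it assumes the ActiveDirectory RSAT module is installed, and the function name ConvertTo-KerbEncTypeList is my own.

```powershell
# Added example, not code from the original post. Requires the ActiveDirectory
# module and a domain-joined session with read access to computer objects.

# Bit values used by msDS-SupportedEncryptionTypes and by the
# "Configure encryption types allowed for Kerberos" policy value.
$KerbEncTypes = [ordered]@{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
}

# Turn a bitmask (or $null when the attribute is absent) into readable names.
function ConvertTo-KerbEncTypeList {
    param($Value)
    if ($null -eq $Value) { return '<not set>' }
    $names = foreach ($bit in $KerbEncTypes.Keys) {
        if ($Value -band $bit) { $KerbEncTypes[$bit] }
    }
    if (-not $names) { $names = @('<none: 0 leaves no usable etype>') }
    '0x{0:x} = {1}' -f $Value, ($names -join ', ')
}

# 1. What each DC's computer account advertises in AD. The KDC uses this when
#    picking the etype of a service ticket to that DC, so a value of only
#    AES128 (0x8) here is worth comparing with what the other side supports.
#    Add -Server <other-domain-dc> to run the same query against the child domain.
Get-ADComputer -Filter 'primaryGroupID -eq 516' -Properties msDS-SupportedEncryptionTypes |
    ForEach-Object {
        '{0,-20} {1}' -f $_.Name,
            (ConvertTo-KerbEncTypeList $_.'msDS-SupportedEncryptionTypes')
    }

# 2. What the local machine's policy-applied Kerberos setting says. Compare this
#    on both DCs after the GPO removal and gpupdate; a value still present here
#    is the kind of override the question asks about.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$local = Get-ItemProperty -Path $policyKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
'Local policy value: ' + (ConvertTo-KerbEncTypeList $local.SupportedEncryptionTypes)
```

Run it on each DC in turn; a mismatch between the account value in AD and the locally applied policy value narrows down which side is still enforcing the old restriction.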