We have a single forest consisting of two domains (placeholder root and one child) and all domain controllers are either Windows Server 2008 or 2008 R2. The Domain and Forest Functional Levels were recently upgraded using the MMC/GUI method from Windows 2000 to Windows 2008, which went fine except for one small problem.
At the time of the upgrade, one 2008 R2 DC was isolated on the network and was only brought back today. Now it is unable to replicate with any other DC and shows the following error message:
DsReplicaSync() failed with status -2146892990 (0x80090342):
The encryption type requested is not supported by the KDC.
I have read some articles that suggest this can happen following an incorrectly replicated FFL/DFL change. This is further supported by the fact that when I run LDP on the problematic DC it reports domainFunctionality: 0 = ( WIN2000 ) and forestFunctionality: 0 = ( WIN2000 ), while every other DC in the forest reports domainFunctionality: 3 = ( WIN2008 ) and forestFunctionality: 3 = ( WIN2008 ). In other words, it hasn't replicated in the FFL/DFL changes, and I suspect some default encryption setting between the two functional levels is the root of the problem(?).
My question is: is it safe to use ADSIEdit on the problematic DC to manually change the relevant msDS-Behavior-Version attributes for the forest and domain to a value of '3' to match all the other DCs? Or is there some other way to fix this? Note that I have tried stopping and restarting the Kerberos Key Distribution Center service on the problematic DC, as suggested in another thread, but this hasn't made any difference.
Many thanks in advance.
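Before anyone edits msDS-Behavior-Version by hand, it is worth recording what every DC in the forest actually reports, since the LDP readings above are the key evidence. The PowerShell below is an added example, not part of the original post; it assumes the ActiveDirectory (RSAT) module is installed and that the account running it can read RootDSE and the Partitions container on each DC, and it compares each DC's values with those reported by the forest root PDC emulator.

```powershell
# Added example: survey functional-level values as seen by every DC in the forest.
# Assumes the ActiveDirectory module (RSAT) and read access to each DC over LDAP/ADWS.
Import-Module ActiveDirectory

$forest    = Get-ADForest
$rootPdc   = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator
$partsDn   = "CN=Partitions,$((Get-ADRootDSE -Server $rootPdc).configurationNamingContext)"

# Enumerate DCs in every domain of the forest, not just the current one
$allDcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }

$results = foreach ($dc in $allDcs) {
    try {
        # RootDSE is what LDP shows as domainFunctionality / forestFunctionality
        $root = Get-ADRootDSE -Server $dc.HostName -ErrorAction Stop
        # msDS-Behavior-Version is the attribute the functional-level raise writes;
        # read the domain NC and the Partitions container as this DC has replicated them
        $domObj  = Get-ADObject -Identity $root.defaultNamingContext -Properties 'msDS-Behavior-Version' -Server $dc.HostName -ErrorAction Stop
        $partObj = Get-ADObject -Identity $partsDn -Properties 'msDS-Behavior-Version' -Server $dc.HostName -ErrorAction Stop
        [pscustomobject]@{
            DC                  = $dc.HostName
            DomainFunctionality = [int]$root.domainFunctionality
            ForestFunctionality = [int]$root.forestFunctionality
            DomainNcBehaviorVer = $domObj.'msDS-Behavior-Version'
            PartitionsBehaviorVer = $partObj.'msDS-Behavior-Version'
            Error               = $null
        }
    } catch {
        # A DC that cannot be queried is itself a finding (offline, firewalled, or broken)
        [pscustomobject]@{ DC = $dc.HostName; DomainFunctionality = $null; ForestFunctionality = $null
                           DomainNcBehaviorVer = $null; PartitionsBehaviorVer = $null; Error = $_.Exception.Message }
    }
}

$results | Sort-Object DC | Format-Table -AutoSize

# Flag every DC whose RootDSE values differ from the forest root PDC emulator
$reference = $results | Where-Object { $_.DC -ieq $rootPdc }
$results | Where-Object {
    $_.Error -or $_.DomainFunctionality -ne $reference.DomainFunctionality -or
    $_.ForestFunctionality -ne $reference.ForestFunctionality
} | ForEach-Object {
    Write-Warning "$($_.DC) differs from $rootPdc (or could not be queried); review 'repadmin /showrepl $($_.DC)' before changing any attribute by hand"
}
```

A DC that still reports 0 for both values while the PDC emulator reports 3 is confirmed to be missing the replicated change; the repadmin output for that DC then shows which partitions and partners are failing.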