Stay away from Windows Server 2025 domain controllers in mixed environments!

Our honest evaluation

As IT security consultants, we see every day how complex Active Directory environments can become. Windows Server 2025 as a domain controller sounds like progress, but in mixed environments it can become a risk that should not be underestimated. Our clear opinion: anyone who makes a rash change now risks critical failures.

Even though Microsoft has not yet issued an official warning, community reports and customer cases show that the risks are real and should be taken seriously.

Why Server 2025 is problematic in mixed ADs

The core problem arises in mixed environments, i.e. when Server 2025 DCs run alongside older DCs such as Server 2019 or 2022. The new version changes Kerberos behaviour, tightens the rules for password changes, and disables legacy encryption types (RC4, DES) by default.

The result: machine accounts can no longer reset their passwords automatically, which shows up as sporadic logon failures. In a production environment this can quickly become critical.

The critical bug: machine passwords fail

Reports from blogs such as Borns IT- and Windows-Blog (27.09.2025) show:

    • Machine accounts cannot reset their passwords.
    • Login problems occur about a month after the DC is deployed, coinciding with the standard 30-day interval for machine password changes.
    • The problem is closely related to the handling of outdated encryption types.

Administrators should look for Event ID 14 from the provider Microsoft-Windows-Kerberos-Key-Distribution-Center in the System event log of each DC. The event names the account for which no ticket could be issued, together with the encryption types it requested and the types available for it, so it shows which machines are affected.
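The following script is an added example and not part of the original post: it collects KDC Event ID 14 from every DC for the last 35 days (one 30-day machine password cycle plus slack) and groups the hits by account. It assumes the ActiveDirectory RSAT module on the admin workstation and remote event-log access to the DCs; the regular expression that pulls the account name out of the event text is an assumption about the message wording and may need adjusting.

```powershell
# Added example (not from the original post): find accounts hit by KDC event ID 14.
Import-Module ActiveDirectory

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 14
    StartTime    = (Get-Date).AddDays(-35)   # one 30-day password cycle plus slack
}

$dcs = (Get-ADDomainController -Filter *).HostName

$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                # Assumed message shape: "... the account <NAME> did not have a suitable key ..."
                $acct = if ($_.Message -match 'the account (\S+) did not have') { $Matches[1] } else { '(unparsed)' }
                [pscustomobject]@{
                    DC      = $dc
                    Time    = $_.TimeCreated
                    Account = $acct
                    # First line of the message keeps the requested/available etypes readable.
                    Detail  = ($_.Message -split "`r?`n")[0]
                }
            }
    } catch {
        # Get-WinEvent raises a terminating error when nothing matches; that DC is clean.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

# One row per affected account: hit count, latest occurrence, and which DCs logged it.
$events | Group-Object Account | ForEach-Object {
    [pscustomobject]@{
        Account = $_.Name
        Hits    = $_.Count
        Latest  = ($_.Group.Time | Measure-Object -Maximum).Maximum
        DCs     = ($_.Group.DC | Sort-Object -Unique) -join ', '
    }
} | Sort-Object Hits -Descending | Format-Table -AutoSize
```

Accounts that appear on several DCs with a recent Latest timestamp are the ones whose password rotation has already gone wrong; the Detail column shows the encryption types the client offered versus what the DC holds, which is the clue to the RC4/DES angle described above.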

Emergency measures: How to save the environment

If you are already affected, you should act immediately:

      1. Shut down all Windows Server 2025 DCs: this prevents further incorrect password changes.
      2. Manually reset the computer passwords: via a stable older DC (e.g., Server 2022).
      3. Double reset: Since Windows stores two passwords (current and previous), a second reset is recommended to completely remove the incorrect password.

PowerShell example

# Run on each affected member computer itself, with -Server pointing at a known-good older DC.
# Run it twice so that both stored passwords (current and previous) are replaced.
Reset-ComputerMachinePassword -Server <old_DC> -Credential (Get-Credential)
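As an added example (not code from the original post), the three emergency steps above combined into one script that runs locally on an affected domain member: it refuses to work against a Server 2025 DC, performs the double reset against a pinned older DC, and verifies the secure channel afterwards. The DC hostname in $OldDc and the credential prompt are this example's assumptions.

```powershell
# Added example (not from the original post): double machine-password reset against an older DC.
param(
    [string]$OldDc = 'dc02.corp.example',   # assumed FQDN of a Server 2019/2022 DC that is still up
    [int]$Resets   = 2                      # two runs: replaces the current AND the previous password
)

$cred = Get-Credential -Message "Account allowed to reset this computer's AD password"

# Guard: refuse to run against a Server 2025 DC. The DC's computer object is read over
# LDAP with the supplied credential, because this machine's own secure channel may be broken.
$bind = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$OldDc", $cred.UserName, $cred.GetNetworkCredential().Password)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($bind)
$searcher.Filter = "(&(objectCategory=computer)(dNSHostName=$OldDc))"
[void]$searcher.PropertiesToLoad.Add('operatingSystem')
$result = $searcher.FindOne()
if (-not $result) { throw "No computer object with dNSHostName=$OldDc found via LDAP://$OldDc" }
$os = [string](@($result.Properties['operatingsystem'])[0])
if ($os -match '2025') { throw "$OldDc runs '$os'; pick an older DC." }
Write-Host "Using $OldDc ($os)"

# Each reset turns the current password into the 'previous' one, so after two runs the
# password written by the faulty 2025 DC is gone from both slots.
for ($i = 1; $i -le $Resets; $i++) {
    Reset-ComputerMachinePassword -Server $OldDc -Credential $cred
    Write-Host "Reset $i of $Resets completed against $OldDc"
    Start-Sleep -Seconds 5
}

# Verify the secure channel against the same DC; a failure here means the account still
# does not match and the KDC event log on the DCs should be checked again.
if (Test-ComputerSecureChannel -Server $OldDc) {
    Write-Host 'Secure channel OK'
} else {
    Write-Warning 'Secure channel still broken after the resets'
}
```

The LDAP guard matters because step 1 (shutting down the 2025 DCs) is easy to skip under pressure; if a 2025 DC is still answering, the reset would simply land on the wrong KDC again.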

The dilemma: More than just a domain controller problem

The problem with machine passwords is just the tip of the iceberg. Server 2025 brings further challenges:

    • Schema master role: If this is located on a Windows Server 2025 DC, AD schema extensions may fail – which is critical for Exchange, for example (see AD schema extension issue if you use a Windows Server 2025 schema master role). The cause is that the schema master can generate duplicate attribute values, resulting in a schema mismatch. As a result, AD replication fails (error 8418, warning 1203), and Exchange installations or upgrades are blocked.
    • AD synchronization issue: After installing the September updates (KB5065426 or later) on Windows Server 2025, synchronization of large AD security groups (>10,000 members) via Microsoft Entra Connect may fail (see the post "Microsoft bestätigt AD-Probleme nach September-Update", i.e. Microsoft confirms AD problems after the September update). The cause is a bug in the handling of the DirSync LDAP control, which leads to incomplete synchronization. Only Server 2025 systems with the update installed are affected.
    • No half measures: We at Teal suspect that Microsoft will recommend migrating all DCs to 2025 at the same time in the long term – with new problems and high costs.
    • Kerberos restructuring: Microsoft is reworking the Kerberos implementation to make it future-proof, including post-quantum security. Legacy encryption types such as RC4 and DES are no longer supported by default.
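The two checks a practitioner wants after reading the list above, written as an added example rather than code from the original post: where the FSMO roles sit and whether the Schema Master is on a Server 2025 DC, which updates the 2025 DCs have received since September 2025 (KB5065426 or whatever superseded it), and whether replication is already failing. It assumes the ActiveDirectory RSAT module and admin rights on the DCs; Get-ADDomain without -Identity reports the current domain only.

```powershell
# Added example (not from the original post): FSMO placement, 2025 DC patch level, replication state.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain          # current domain only; repeat per domain in a multi-domain forest
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

$dcs = Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem, OperatingSystemVersion
$osByHost = @{}
foreach ($dc in $dcs) { $osByHost[$dc.HostName.ToLower()] = $dc.OperatingSystem }

# 1. Role placement: a Schema Master on a 2025 DC is the case the post warns about.
foreach ($r in $roles.Keys) {
    $holder = $roles[$r]
    $os = $osByHost[$holder.ToLower()]
    $flag = if ($r -eq 'SchemaMaster' -and $os -match '2025') { '  <-- move before any schema extension' } else { '' }
    '{0,-22} {1,-40} {2}{3}' -f $r, $holder, $os, $flag
}

# 2. Updates installed on 2025 DCs since September 2025. Get-HotFix only lists what is
#    currently installed, so a later cumulative update shows under its own KB number.
foreach ($dc in ($dcs | Where-Object OperatingSystem -match '2025')) {
    $recent = Get-HotFix -ComputerName $dc.HostName -ErrorAction SilentlyContinue |
        Where-Object { $_.InstalledOn -ge [datetime]'2025-09-01' } |
        Select-Object -ExpandProperty HotFixID
    '{0}: {1}' -f $dc.HostName, $(if ($recent) { $recent -join ', ' } else { 'no updates since 2025-09-01 found' })
}

# 3. Replication failures across the forest; LastError 8418 is the schema mismatch.
Get-ADReplicationFailure -Scope Forest |
    Select-Object Server, Partner, FailureType, FailureCount, LastError, FirstFailureTime |
    Format-Table -AutoSize
```

If the Schema Master line is flagged, move the role with Move-ADDirectoryServerOperationMasterRole to an older DC before running any Exchange or other schema-extending setup.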

Strategic preparation for the future

Anyone planning to migrate to Server 2025 should be prepared:

    • Audit the environment: Find out where RC4, DES, and NTLM are still in use (accounts, services, applications) and eliminate them.
    • Plan for a short transition period: Long transitions between old and new DCs increase the risk.
    • Do your homework: Harden legacy systems, check critical applications, and ensure that they support modern encryption.
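For the audit step, an added example (not from the original post) that inventories Kerberos encryption-type support across computer accounts and SPN-bearing user accounts, using the documented bit values of msDS-SupportedEncryptionTypes, and that also lists machines whose password is older than one rotation cycle. The Risk labels are this example's own; it assumes the ActiveDirectory RSAT module.

```powershell
# Added example (not from the original post): Kerberos etype inventory before a Server 2025 rollout.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes as documented by Microsoft.
$EtypeBits = [ordered]@{
    'DES-CBC-CRC' = 0x01
    'DES-CBC-MD5' = 0x02
    'RC4-HMAC'    = 0x04
    'AES128'      = 0x08
    'AES256'      = 0x10
}

function ConvertFrom-EtypeMask([int]$Value) {
    $names = foreach ($k in $EtypeBits.Keys) { if ($Value -band $EtypeBits[$k]) { $k } }
    # Unset means the KDC default applies, and that default differs between DC versions,
    # which is exactly what bites in a mixed 2019/2022/2025 environment.
    if (-not $names) { '(unset: DC default applies)' } else { $names -join '+' }
}

$common = 'msDS-SupportedEncryptionTypes', 'servicePrincipalName', 'PasswordLastSet'
$accounts = @(
    Get-ADComputer -Filter * -Properties ($common + 'operatingSystem')
    # Users with an SPN are service accounts that receive Kerberos service tickets.
    Get-ADUser -Filter 'servicePrincipalName -like "*"' -Properties $common
)

$report = foreach ($a in $accounts) {
    $v = [int]($a.'msDS-SupportedEncryptionTypes')
    [pscustomobject]@{
        Name       = $a.SamAccountName
        Class      = $a.ObjectClass
        OS         = $a.operatingSystem
        Etypes     = ConvertFrom-EtypeMask $v
        Risk       = if ($v -eq 0)                 { 'unset' }
                     elseif (-not ($v -band 0x18)) { 'NO-AES' }       # DES/RC4 only
                     elseif ($v -band 0x07)        { 'legacy-also' }  # AES plus RC4/DES
                     else                          { 'ok' }
        PwdLastSet = $a.PasswordLastSet
    }
}

# Everything that is not AES-only needs a decision before the migration.
$report | Where-Object Risk -ne 'ok' | Sort-Object Risk, Name | Format-Table -AutoSize

# Computer accounts that have not rotated their password within one 30-day cycle (plus slack)
# are the first place to look for the reset problem described earlier.
$report | Where-Object { $_.Class -eq 'computer' -and $_.PwdLastSet -lt (Get-Date).AddDays(-35) } |
    Select-Object Name, OS, PwdLastSet | Format-Table -AutoSize
```

NTLM usage is not visible from directory attributes; for that, enable the "Network security: Restrict NTLM: Audit NTLM authentication in this domain" policy on the DCs and review the Microsoft-Windows-NTLM/Operational log before deciding what can be switched off.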

Conclusion: Act now, but act wisely

The desire to migrate to the latest server version is understandable, especially given the end of support for Server 2016. Nevertheless:

    • No uncontrolled migration: Wait for official fixes.
    • Preparation is everything: Audit the environment and eliminate old protocols.
    • Fast but safe: When switching to Server 2025, have a short mixed phase and a clear plan for all DCs.
    • Pragmatic intermediate step: Consider migrating to Windows Server 2022 for now to ensure stability and support until known issues with Server 2025 are resolved.

Those who act wisely now can secure their AD environment and avoid costly downtime later on. Those who ignore it risk critical production problems, and nobody wants that.

Further information:

If you would like to learn more about the blog post and discuss it with a TEAL expert, then book a consultation!
