For a while, Microsoft’s KnowledgeBase article 976424, titled Error code when the kpasswd protocol fails after you perform an authoritative restore: “KDC_ERROR_S_PRINCIPAL_UNKNOWN”, has been available to solve issues with unexpected behavior after authoritatively restoring the krbtg account on Windows Server 2008 and Windows Server 2008 R2-based Domain Controllers.
Now, in KnowledgeBase article 2784261, titled Recommended hotfixes and updates for Windows Server 2012-based Failover Clusters, Microsoft recommends the hotfix for Windows Server 2012-based Failover Clusters, quoting:
Install on every domain controller running Windows Server 2008 Service Pack 2 or Windows Server 2008 R2 in order to add a Windows Server 2012 failover cluster. Otherwise Create Cluster may fail when attempting to set the password for the cluster computer object with error message: CreateClusterNameCOIfNotExists (6783): Unable to set password on <ClusterName$>
These days, most fail-over clusters are deployed to provide a robust, scalable and highly-available virtualization platform using Hyper-V. If you plan a Windows Server 2012-based Fail-over Cluster in your environment running Windows Server 2008 or Windows Server 2008 R2-based Domain Controllers, apply this hotfix during the next service window.
Domain Controllers need to restart to apply this hotfix.
Related KnowledgeBase articles
Error code when the kpasswd protocol fails after you perform an authoritative restore: “KDC_ERROR_S_PRINCIPAL_UNKNOWN”
The kpasswd protocol fails with a KDC_ERR_S_PRINCIPAL_UNKNOWN error after you perform an authoritative restore on the krbtgt account in a Windows Server 2008 domain
Recommended hotfixes and updates for Windows Server 2012-based Failover Clusters
Robert Smit, a Dutch Microsoft MVP on Fail-over Clustering and my friend, pointed this out to me on twitter this morning.