From the field: The Case of Raising the DFL to make all fail-over clusters inaccessible

Reading Time: 2 minutes

From The Field

Troubleshooting stories from the field are the best. That’s why I like writing them down. Although, sometimes they might appear as straight cases of schadenfreude, I feel there are lessons to be learned for anyone, if you’re willing to look closely and listen carefully.

This week I experienced an issue at a customer, when they raised their Active Directory domain functional level beyond Windows Server 2012 R2.


The situation

The customer has an Active Directory Domain Services environment that dates back to 2004. It has been upgraded in the past. Its domain controllers have recently been upgraded to Windows Server 2016 and Windows Server 2019.

The company uses fail-over cluster to offer scale-out file servers. These implementations are based on Windows Server 2016.

Admins have placed many users in the Protected Users security group to prevent cached logons and restrict token lifetimes.

They raised the domain functional level (DFL) to Windows Server 2016.


The issue

All the fail-over clusters became inaccessible when connecting to the cluster name and current remote desktop connections were terminated when connected to the cluster name:

RemoteApp Disconnected - A user account restriction (for example, a time-of-day restriction) is preventing you from logging on. For assistance, contact your system administrator or technical support.

However, connections to the individual hostnames of the cluster nodes were successful.


The cause

When implementing the Windows Server 2016 DFL, the domain controller protections for the Protected Users security group kicked in, as these are unlocked with the Windows Server 2012 R2 DFL. The domain controller protections include the inability to authenticate using NTLM, the inability to encrypt Kerberos pre-authentication with DES or RC4 and the inability to cache Windows digest passwords.

When connecting to the fail-over cluster name NTLM is used, instead of Kerberos. Fail-over clusters use NTLM, unless they run Windows Server 2019, and up.


The solution

The admins at this company removed people that need access to the fail-over clusters out of the Protected Users security group, while they're upgrading their fail-over clusters to Windows Server 2019..


Further reading

Ten things you need to be aware of before using the Protected Users Group
New features in AD DS in Windows Server 2012 R2, Part 2: Protected Users
From the Field: The case of the unreachable forest on a domain-joined Azure AD Connect installation
From the Field: The case of the randomly rebooting Domain Controllers
From the field: The Case of the Unstable AD FS Farm

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.