Hello, gents! We’re faced with weird issues after domain level has been raised from 2003 to 2012 R2.
In fact, we found that password of "krbtgt" account hasn't been changed during the process as supposed to be to support AES encryption. Furthermore, we found a couple more issues.
The main issue is - "Session Key Type" of "PRIMARY" (Cache Flag: 0x1) "krbtgt" Kerberos ticket is "RC4-HMAC", but "KerbTicket Encryption Type" is "AES-256-CTS-HMAC-SHA1-96". At the same time, for other Kerberos tickets both "Session Key Type" and "KerbTicket Encryption Type" are "AES-256-CTS-HMAC-SHA1-96". All domain controllers are running Windows Sever 2016 now