Upgrading : Microsoft Dynamics CRM 8.1 on Windows Server 2012 R2

IMPORTANT: This article applies only if you’re running Windows Server 2012 R2 and Dynamics CRM 8.1.

This is a guide on how to upgrade Microsoft CRM from 8.1 to 8.2 and then upgrade the operating system from Server 2012 R2 to Server 2016.

This upgrade was prompted with the emergence of the PAC Validation failed as outlined in the article here - while this article does cover Tata signs of the problem this guy primarily focuses on upgrading your CRM and server to a supported edition so you can diagnose further with Microsoft.

After applying the updates, CRM authentication failed, preventing users from logging in. This guide outlines how to:

1. Identify the issue using Event Viewer logs.
2. Apply temporary registry key workarounds to restore authentication.
3. Upgrade CRM from 8.1 to 8.2 for better compatibility.
4. Install the KB5008603 hotfix on CRM servers to permanently resolve the issue.
5. Export IIS configuration on IIS 8.5
6. Upgrade Operating System to Server 2016
7. Import IIS configuration on IIS 10.0

Step 1: Diagnosing the Issue in Event Viewer

The first indication of the problem appears in Event Viewer under:

• Windows Logs → System

Look for this error:

During Kerberos Network Ticket Logon, the service ticket for Account <account_name> 
from Domain <domain_name> could not be forwarded to a Domain Controller to service 
the request.  
For more information, please visit https://go.microsoft.com/fwlink/?linkid=2262558.

Shortly after, you will see a second PAC validation failure error in Windows Logs → Security:

PAC validation failed for user <username> as authentication could not be completed.

These errors confirm that PAC validation is blocking authentication, leading to login failures in Dynamics CRM.

Step 2: Temporary Fix – Registry Key Bypass

To immediately restore authentication, apply the following temporary registry changes on the CRM servers:

Registry Keys (Set to Value = 2 for Compatibility Mode):

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Parameters
  - RequirePacSignature = 2
  - EnforcementMode = 2
  - ValidateKdcPacSignature = 2

Setting these values to 2 puts PAC validation into compatibility mode, allowing users to authenticate again.

Step 3: Upgrading CRM from 8.1 to 8.2

Once authentication is restored, the next step is upgrading CRM to improve compatibility with the new Kerberos security model.

1. Upgrade to Microsoft Dynamics CRM 2016 Service Pack v8.1.1.1005:

   • This applies all final v8.1 updates.

2. Upgrade to Dynamics 365 (8.2.0.0749):

   • This moves the system to v8.2, which has better authentication handling.

3. Upgrade to Dynamics 365 (on-premises) Update 2.28 (8.2.28.11):

   • This is the final v8.2 release, providing further stability improvements.

Step 4 : Backup the IIS configuration

Open an administrative Command Prompt on your Server 2012 R2 machine and run:

%windir%\system32\inetsrv\appcmd.exe add backup "CRMExport"

This creates a backup in the following location:

%windir%\System32\inetsrv\backup\CRMExport

We are upgrading the server so I would take this backup copy and copy it to a different folder to ensure if the upgrade process overrides this backup you can get it back, we need this backup BEFORE we upgrade to Server 2016.

Step 5 : Upgrade the Operating System

This however did not fix our issue so now CRM is upgraded we now need to upgrade the operating system to a supported version, which is this case is to move from Server 2012 R2 to Server 2016, so far that we need to mount the ISO image from the Server 2012 R2 installation.

This is first version to offer a Core version of the product (without the GUI) we need to ensure for this example that we select the "Desktop Experience" edition as below:

Then we need to ensure we keep all out personal file and applications as below:

You will then need to confirm that you accept that this should be a "clean install" and you may have further work to do after the upgrade has completed:

You now need to wait for Server 2016 to be installed once is has been this should be the login screen:

Now it has been upgraded we need to login to the server and start IIS manager however when you do start IIS manager you get this error as you have changed Windows SKU values on the upgrade:

True to its word you services have been disabled as you can see below, so at the moment you have no IIS running or working at all as the services have been disabled:

To get them back to working you will need to run these commands:

Set-Service -Name 'WAS' -StartupType Automatic
Start-Service -Name 'WAS'
Set-Service -Name 'W3SVC' -StartupType Automatic
Start-Service -Name 'W3SVC'
Restart-Service -Name 'IISADMIN'

Then we need to restore the backup we took earlier....

Step 6 : Restore the IIS Configuration

Copy the backup folder from the old server to the same path on your Server 2016 machine:

%windir%\System32\inetsrv\backup\CRMExport

Open an administrative Command Prompt on the Server 2016 machine and run:

%windir%\system32\inetsrv\appcmd.exe restore backup "CRMExport"

This will take a couple of moments, it will require the services to be running so if you have skipped that then do back and complete these steps.

IIS Configuration : Corrupt and Invalid?

This will restore the services however when you start the management tool you will notice that all the components and the "Application Pool" is completely missing which means Dynamics CRM will not function.

This is a problem, but why has this occured, it seems to be since the upgrade, well IIS Manager shows no sites or application pools because it is missing modules which you can observe in the Event Log we need to navigate to Application and then looks for the event IIS_IISMANAGER with the Event ID that is 5, you will get lots of these entries:

IIS has failed to load the modules because we have moved from IIS 8.5 to IIS 10.0 with the upgrade and the configuration file will still be referencing the older modules for Server 2012 R2, this is where we need to user notepad to "find and replace" all the instances of "8.5" and update those to "10.0" this will need to be completed in the file administration.config

This file will be found in the location, before we edit this you should take a backup copy of this file as human error can occur:

%windir%/\System32\inetsrv\config\administration.config

You can see here that I have indeed taken a backup copy of the file as .clean.install we can use whatever extension is required but its always a good idea to backup these files:

When you have this file open, for which I used Notepad, from the menu choose Edit>Replace... then you need to enter this as below:

Then click "Replace All" and save that resulting file, when that file is saved you then want to be restart the IIS manager and this time it should look more presentable with the CRM deployment application pool and the modules should now be visible as well as below:

You will now see all the modules reappear which before was empty, we are now regaining control back to IIS.

While the IIS manager does load you may still notice a couple of "left over errors" for the "SharedConfigModuleProvider" as even with this set to v10.0 this does not fix the problem with Server 2016 using a different module name, so I would remove this entry from the administration.config to prevent errors:

If you use this module then you need to get this back as well, so in order to restore the "Delegation" and "Shared Configuration Modules" you need to add this to the administration.config under the <Server Modules> tag section:

        <add name="Delegation" type="Microsoft.Web.Management.Features.Delegation.DelegationModuleProvider, Microsoft.Web.Management, Version=7.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

        <add name="SharedConfig" type="Microsoft.Web.Management.Features.SharedConfig.SharedConfigModuleProvider, Microsoft.Web.Management.Extensions, Version=10.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

This will then restore the modules as you can see below, so we are now back to normal with IIS but on Server 2016.

When you have got to this point you will have successfully upgraded the operating system and the version of CRM - this does not solve the problem of the authentication issue, which is covered in a different post on this blog, however, it does get you to supported configuration.

Final Outcome

✅ Temporary registry key bypasses (Value = 2) restored authentication.
✅ Upgrading CRM from v8.1 to Dynamics 365 (8.2.28.11) improved compatibility.
✅ Upgrading from Server 2012 R2 to Server 2016
✅ Backup and Restore IIS configuration
✅ Rebuild administration.config for IIS v10
❌ Fix PAC authentication issues during CRM login (that is covered in another article)