Missing Kerberos Account Assignments after SfB Server 2015 In-place Upgrade

Recently we were asked why in a multi site deployment the Kerberos Account Assignments disappeared on a global level, after a single site performed an In-Place Upgrade to Skype for Business Server 2015.

When we look at the planning details for the In-Place Upgrade to Skype for Business Server 2015, it mentions that we need to have additional considerations if we previously deployed Kerberos Authentication:

Kerberos authentication considerations
If you use Kerberos authentication for Web Services, you must reassign Kerberos accounts and reset the password after the In-Place Upgrade is complete. To learn how to do this, see Setting up Kerberos authentication.

Plan to upgrade to Skype for Business Server 2015
https://technet.microsoft.com/en-gb/library/dn951396.aspx

Then, when we use the Skype for Business Server 2015 In-Place Upgrade Setup, we can see that one of the steps is Deleting Kerberos Assignments:

RemKerberos01

During this step, all Kerberos Accounts Assignments from all sites in the Lync/SfB environment will be removed and not just for the current site where the pool belongs.

Here is an example from the lab before running the In-Place Upgrade Setup:

RemKerberos02a

And after running the In-Place Upgrade:

RemKerberos03

Please keep in mind that every time we use Skype for Business Server 2015 In-Place Upgrade Setup to upgrade a Front End / Mediation / Director / Persistent Chat Server, the Kerberos Accounts Assignment will be removed.

As reference, the Kerberos Account Assignments are stored in the CMS (XDS Database). We can use the following query in order to obtain the XML document that contains them:

USE XDS
SELECT it.ItemId, it.BatchId, it.BatchPartialVersion, it.Data
FROM [xds].[dbo].[Item] it, [xds].[dbo].[Document] doc
WHERE it.DocId = doc.DocId
AND doc.Name like ‘%Kerberos%’

RemKerberos04

And inside the XML document:

RemKerberos05