Back to AD again, and I need to upgrade it from 2003 to 2012/R2. There have been some changes to Kerberos encryption types since 2003, so I need to look into them.
For AD 2003, DES and RC4 are supported by default, and the default encryption type for Windows XP and Server 2003 clients is RC4.
For AD 2008 R2, DES is disabled and only RC4 and AES are supported by default. The default encryption type for a Vista/Win7 client is AES256.
Some Unix applications use Kerberos to authenticate against AD 2003 with DES encryption via an SPN object. To identify those objects in AD 2003, use this LDAP filter: (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2097152))
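As an added example (not part of the original post), the Python below applies the same test as the filter offline to an LDIF export, which is handy for reviewing a dump before the upgrade. The LDIF entries, account names and example.com domain are constructed, and the parser assumes plain, unfolded `attr: value` lines.

```python
from collections import defaultdict

USE_DES_KEY_ONLY = 0x200000  # 2097152, the userAccountControl bit the filter tests

# Constructed sample export; not taken from a real directory.
SAMPLE_LDIF = """\
dn: CN=svc-nfs,OU=Service Accounts,DC=example,DC=com
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
sAMAccountName: svc-nfs
userAccountControl: 2163200
servicePrincipalName: nfs/unix01.example.com

dn: CN=jdoe,OU=Staff,DC=example,DC=com
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
sAMAccountName: jdoe
userAccountControl: 512

dn: CN=UNIX01,CN=Computers,DC=example,DC=com
objectClass: user
objectClass: computer
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com
sAMAccountName: UNIX01$
userAccountControl: 2101248
servicePrincipalName: host/unix01.example.com
"""

def parse_ldif(text):
    """Yield one dict (lower-cased attribute -> list of values) per record."""
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            attr, value = line.split(": ", 1)
            entry[attr.lower()].append(value)
        yield entry

def matches_filter(entry):
    """Emulate (&(objectCategory=person)(objectClass=user)(UAC bit-AND 2097152))."""
    category = (entry["objectcategory"] or [""])[0].split(",")[0].lower()
    uac = int((entry["useraccountcontrol"] or ["0"])[0])
    return (category == "cn=person"
            and "user" in {c.lower() for c in entry["objectclass"]}
            and (uac & USE_DES_KEY_ONLY) == USE_DES_KEY_ONLY)

def des_only_accounts(text):
    """Return (sAMAccountName, [SPNs]) for every account the filter would match."""
    return [(e["samaccountname"][0], e["serviceprincipalname"])
            for e in parse_ldif(text) if matches_filter(e)]
```

The computer account UNIX01$ has the DES bit set and carries objectClass user, but its objectCategory is Computer, so the filter (and this check) skips it.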