AD 2003 Upgrading – DES

Back to AD again, and I need to upgrade it from 2003 to 2012/R2. There have been some changes to the Kerberos encryption types since 2003, so I need to look into them.

For AD 2003, DES and RC4 are supported by default, and the default encryption type for Windows XP and Server 2003 clients is RC4.

For AD 2008 R2, DES is disabled and only RC4 and AES are supported by default. The default encryption type for a Vista/Win7 client is AES256.

Some Unix applications authenticate against AD 2003 with Kerberos, using DES encryption via an SPN object. To identify those objects in AD 2003, use this LDAP filter:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2097152))
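An added example, not code from the original post: a Python sketch of what the filter's bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) tests, where 2097152 (0x200000) is the USE_DES_KEY_ONLY bit of userAccountControl. The account names and values are constructed, the function names are hypothetical, and the evaluator handles only the bitwise clause, assuming every sample is already a user object.

```python
import re

# Documented userAccountControl bits (a subset relevant to triage).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}
BIT_AND = "1.2.840.113556.1.4.803"  # match when ALL mask bits are set
BIT_OR = "1.2.840.113556.1.4.804"   # match when ANY mask bit is set

PAGE_FILTER = ("(&(objectCategory=person)(objectClass=user)"
               "(userAccountControl:1.2.840.113556.1.4.803:=2097152))")

def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def bitwise_clauses(ldap_filter):
    """Extract (attribute, rule OID, mask) from extensible-match clauses."""
    found = re.findall(r"\((\w+):([\d.]+):=(\d+)\)", ldap_filter)
    return [(attr, oid, int(mask)) for attr, oid, mask in found]

def matches(uac, oid, mask):
    """Evaluate one bitwise matching rule the way the directory does."""
    if oid == BIT_AND:
        return uac & mask == mask
    if oid == BIT_OR:
        return uac & mask != 0
    raise ValueError("unsupported matching rule: " + oid)

def des_only_accounts(accounts, ldap_filter=PAGE_FILTER):
    """Return (name, decoded flags) for accounts the bitwise clause selects."""
    clauses = bitwise_clauses(ldap_filter)
    return [(name, decode_uac(uac)) for name, uac in accounts
            if all(matches(uac, oid, mask) for _, oid, mask in clauses)]

# Constructed sample data: (sAMAccountName, userAccountControl).
SAMPLE = [
    ("svc-unix-http", 0x210200),     # DES-only service account, still enabled
    ("jdoe", 0x0200),                # ordinary user
    ("svc-old-disabled", 0x200202),  # DES-only but disabled
    ("svc-sql", 0x10200),            # non-expiring password, not DES-only
]

if __name__ == "__main__":
    for name, flags in des_only_accounts(SAMPLE):
        print(name, flags)
```

Decoding the remaining flags alongside the match shows which DES-only accounts are still enabled and need their keys reissued before the upgrade, and which are already disabled.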


How to use the UserAccountControl flags to manipulate user account properties

How to Get a Users UserAccountControl Setting from AD Without Using the ActiveDirectory PowerShell Module



1 Response to AD 2003 Upgrading – DES

  1. jonsonyang says:

    more samples on UAC
    How to Query Individual Properties of the “userAccountControl” Active Directory User property using LDAP
