AD 2003 Upgrading – DES


Back to AD again: I need to upgrade it from 2003 to 2012/R2. The Kerberos encryption types have changed since 2003, so I need to look into them.

For AD 2003, DES and RC4 are supported by default, and the default encryption type for Windows XP and Server 2003 clients is RC4.

For AD 2008 R2, DES is disabled and only RC4 and AES are supported by default. The default encryption type for a Vista/Win7 client is AES256.

Some Unix applications use Kerberos to authenticate against AD 2003, encrypted with DES, via an SPN object. To identify those objects in AD 2003, use this LDAP filter:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2097152))
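The filter above tests the USE_DES_KEY_ONLY bit (2097152 = 0x200000) of userAccountControl. The following PowerShell is an added example, not part of the original post, that runs the same filter through ADSI and lists each matching account with its SPNs; it assumes a domain-joined machine and an account allowed to read the directory, and the variable names are illustrative.

```powershell
# Added example: inventory accounts flagged USE_DES_KEY_ONLY before the upgrade.
# Uses ADSI only, so it does not need the ActiveDirectory PowerShell module.
$UseDesKeyOnly = 0x200000   # 2097152, the value used in the post's filter

# 1.2.840.113556.1.4.803 is the bitwise-AND matching rule: an entry matches
# when every bit of the supplied value is set in userAccountControl.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(userAccountControl:1.2.840.113556.1.4.803:=$UseDesKeyOnly))"

$searcher = [adsisearcher]$filter    # searches the current domain by default
$searcher.PageSize = 1000            # enable paging so large domains return every match
[void]$searcher.PropertiesToLoad.AddRange(
    [string[]]@('sAMAccountName', 'servicePrincipalName', 'userAccountControl'))

$results = $searcher.FindAll()
try {
    foreach ($r in $results) {
        # Property names in the result collection are lower-case.
        $uac = [int]$r.Properties['useraccountcontrol'][0]
        [pscustomobject]@{
            Account  = [string]$r.Properties['samaccountname'][0]
            SPNs     = @($r.Properties['serviceprincipalname']) -join ';'
            UAC      = '0x{0:X}' -f $uac
            Disabled = [bool]($uac -band 0x2)   # ACCOUNTDISABLE bit
        }
    }
}
finally {
    $results.Dispose()   # SearchResultCollection holds unmanaged resources
}
```

Each row is a service account whose Kerberos clients should be moved off DES before the domain controllers are upgraded, since DES is disabled by default from 2008 R2 onward.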

Reference

How to use the UserAccountControl flags to manipulate user account properties

How to Get a Users UserAccountControl Setting from AD Without Using the ActiveDirectory PowerShell Module

 


One Response to AD 2003 Upgrading – DES

  1. jonsonyang says:

    more samples on UAC
    How to Query Individual Properties of the “userAccountControl” Active Directory User property using LDAP
    http://blogs.msdn.com/b/muaddib/archive/2008/10/08/query-individual-properties-of-the-useraccountcontrol-active-directory-user-property.aspx
