Hi All,<\/p>\n
DC’s are 2016 as is functional level.<\/p>\n
DCs are 2016<\/p>\n
We have a legacy systems like XP,2000,2003,2008 server.<\/p>\n
I know everyone says to decom the old servers, but our go live to replace them is like First week of april<\/p>\n
I have not applied the patches to our DC. I also our network security:configure encryption types allowed GPO is NOT defined.<\/p>\n
My questions are :<\/p>\n
1 – Lets say , when applying Microsoft’s January patch it would break the Kerberos authentication for Legacy OSes ?<\/p>\n
2 – In ADUC, can I resolve the issue by explictly setting RC4 (0x4 (RC4_HMAC_MD5)) in msDS-SupportedEncryptionTypes for the computer objects of the target ( legacy OS) ?<\/p>\n
3- I have noticed that when I run the script I get a report that There are 63 objects that do not have AES Keys generated. How should I interpret this?<\/p>\n
Only is it enough password reset ? how happened computer objects ? rejoin ?<\/p>\n
4 – Do I have to change the DefaultEncryptionType in the DCs registry settings ?<\/p>\n
HKLM\\System\\CurrentControlSet\\Services\\KDC<\/p>\n
Value Type: REG_DWORD<\/p>\n
Value Name: DefaultDomainSupportedEncTypes<\/p>\n
Value : 0x3C ( AES256_CTS_HMAC_SHA1_96_SK (Session Key))<\/p>\n
5 – AFAIK, Support for AES256_CTS_HMAC_SHA1_96_SK (Session Key) based session keys started with Windows Vista\/2008, so any legacy OS prior to this date will not support this encryption type. is it enough below reg setting for legacy OS?<\/p>\n
Value Name: DefaultDomainSupportedEncTypes<\/p>\n
Value : 0x3C ( AES256_CTS_HMAC_SHA1_96_SK (Session Key))<\/p>\n
<\/p>\n
Please help me on above my qquestions.<\/p>\n
Thank you in Advance.<\/p>\n
Regards<\/p>\n
Vipan<\/p>\n","protected":false},"author":1,"comment_status":"open","ping_status":"closed","template":"","question-category":[12],"question_tags":[],"class_list":["post-733","question","type-question","status-publish","hentry","question-category-active-directory"],"yoast_head":"\n