To disable DES and RC4 encryption protocols and enable AES in your Active Directory environment, you can configure the encryption types allowed for Kerberos via Group Policy. Here are the steps you should follow:
- Open Group Policy Management: Navigate to the Group Policy Management Console on your domain controller.
- Edit the Default Domain Policy: Locate the Default Domain Policy or create a new GPO that will apply to your domain controllers.
- Configure Encryption Types: Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. Look for the policy named Network security: Configure encryption types allowed for Kerberos.
- Enable AES Encryption: Ensure that the AES128_HMAC_SHA1 and AES256_HMAC_SHA1 options are checked so that AES encryption is enabled.
- Disable RC4 and DES: Leave RC4_HMAC_MD5, DES_CBC_CRC and DES_CBC_MD5 unchecked in the same policy setting so that only the checked types are offered.
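The policy above is stored as a single bitmask, so the quickest way to confirm what a machine will actually negotiate is to decode that value. The following PowerShell is an added example and is not part of the original post; it assumes the documented bit values behind the GPO check boxes (DES_CBC_CRC = 0x1, DES_CBC_MD5 = 0x2, RC4_HMAC_MD5 = 0x4, AES128 = 0x8, AES256 = 0x10, "Future encryption types" = 0x7FFFFFE0), reads the registry value the GPO writes, and lists the per-account msDS-SupportedEncryptionTypes attribute so that accounts that still advertise RC4 or DES can be found before the change is applied broadly.

```powershell
# Added example (not from the original post): decode the Kerberos
# "supported encryption types" bitmask behind the GPO check boxes.
$EncTypeBits = [ordered]@{
    DES_CBC_CRC      = 0x1
    DES_CBC_MD5      = 0x2
    RC4_HMAC_MD5     = 0x4
    AES128_HMAC_SHA1 = 0x8
    AES256_HMAC_SHA1 = 0x10
    FutureEncTypes   = 0x7FFFFFE0
}

# Return the names of every type whose bit is set in $Value
function ConvertFrom-KerberosEncTypes {
    param([Parameter(Mandatory)][int64]$Value)
    $EncTypeBits.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# Summarise a value: which types are on, whether any weak type is on,
# and whether both AES types are on
function Test-KerberosEncTypes {
    param([Parameter(Mandatory)][int64]$Value)
    $enabled = @(ConvertFrom-KerberosEncTypes -Value $Value)
    [pscustomobject]@{
        Value       = ('0x{0:X}' -f $Value)
        Enabled     = ($enabled -join ', ')
        WeakEnabled = (($Value -band 0x7)  -ne 0)    # any DES or RC4 bit
        AesEnabled  = (($Value -band 0x18) -eq 0x18) # both AES bits
    }
}

# Local view: the registry value the GPO setting writes once applied
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$current = (Get-ItemProperty -Path $regPath -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
if ($null -eq $current) {
    Write-Host 'No policy value set on this machine; the OS default applies.'
} else {
    Test-KerberosEncTypes -Value $current | Format-List
}

# Domain view: the per-account attribute. An unset value means the
# account relies on the default and can still negotiate RC4.
Get-ADComputer -Filter * -Properties msDS-SupportedEncryptionTypes |
    ForEach-Object {
        $v = $_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Name    = $_.Name
            Value   = if ($null -eq $v) { 'unset' } else { '0x{0:X}' -f $v }
            Enabled = if ($null -eq $v) { 'default' } else { (ConvertFrom-KerberosEncTypes -Value $v) -join ', ' }
        }
    } | Format-Table -AutoSize
```

Run the domain query from a host with the ActiveDirectory module installed. A value of 0x18 corresponds to the two AES boxes only; 0x1C still includes RC4.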
Regarding the absence of Event ID 4769, this event indicates that a Kerberos service ticket was requested, and it records the encryption type of the ticket that was issued. If you are not seeing these events, it may suggest that there are no requests for tickets using the RC4 encryption type, which could imply that your environment is ready to enable AES. However, it's essential to ensure that all systems in your environment support AES before making this change.
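Before treating silence in the 4769 log as evidence, it is worth tallying the events that are present by their TicketEncryptionType field, which is where RC4 and DES requesters show up. The script below is an added example, not part of the original post; it assumes it is run on a domain controller with the Security log readable, and that the "Audit Kerberos Service Ticket Operations" subcategory is enabled, because 4769 is only written when it is. The encryption-type codes are the standard Kerberos etype numbers as logged by Windows (0x17 = RC4-HMAC, 0x12 = AES256, 0x11 = AES128, 0x1 and 0x3 = DES).

```powershell
# Added example (not from the original post): group 4769 service-ticket
# events on this DC by ticket encryption type and list weak requesters.
$EtypeNames = @{
    '0x1'  = 'DES-CBC-CRC'
    '0x3'  = 'DES-CBC-MD5'
    '0x11' = 'AES128-CTS-HMAC-SHA1-96'
    '0x12' = 'AES256-CTS-HMAC-SHA1-96'
    '0x17' = 'RC4-HMAC'
    '0x18' = 'RC4-HMAC-EXP'
}

function Get-KerberosTicketEncTypes {
    param(
        [int]$MaxEvents = 5000,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $Since } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $etype = $data['TicketEncryptionType']
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = $data['TargetUserName']
            Service     = $data['ServiceName']
            ClientIP    = $data['IpAddress']
            EncTypeCode = $etype
            EncType     = if ($EtypeNames.ContainsKey($etype)) { $EtypeNames[$etype] } else { 'other' }
            Weak        = ($etype -in '0x1', '0x3', '0x17', '0x18')
        }
    }
}

# Confirm the subcategory that produces 4769 is actually audited;
# if it is not, an empty log says nothing about RC4 usage.
auditpol /get /subcategory:"Kerberos Service Ticket Operations"

$tickets = Get-KerberosTicketEncTypes
$tickets | Group-Object EncType | Select-Object Name, Count | Sort-Object Count -Descending
# Which accounts and services are still being issued RC4 or DES tickets
$tickets | Where-Object Weak | Group-Object Account, Service | Select-Object Name, Count
```

Run this on every domain controller (or against forwarded logs), since each DC only records the tickets it issued. Accounts that appear in the weak list are the ones to fix before the policy is enforced.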
Always test the configuration in a controlled environment before applying it broadly to avoid any disruptions.