This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 74%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESN%3C/text%3E%3C/svg%3E)
Hi, Please help me to know if we can disable the protocols SSL 2.0, 3.0 and TLS 1.0 safely in Domain Controllers (Windows Server 2012 R2 STD 64bit operating systems) Thanks & Regards Sitaram
The link does mention ADFS but the steps to disable are the same. An OOB Active Directory does not require SSL/TLS
--please don't forget to Accept as answer if the reply is helpful--
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Sitaram Nayak ,
Thank you for posting here.
Before disabling SSL 2.0, SSL 3.0 and TLS 1.0 protocols in Domain Controllers, we had better ensure all machines and apps in your AD domain do not use SSL 2.0, SSL 3.0 and TLS 1.0 protocols and all machines and apps use TLS 1.1 or TLS 1.2.
So we can enable TLS 1.1 or TLS 1.2 and disable SSL 2.0, SSL 3.0 and TLS 1.0 protocols via GPO registry on all machines, in this way, Windows machines and Microsoft Apps should/will use TLS 1.1 or TLS 1.2.
However, if there are third-part apps/machines with non-Windows operating system or old Apps (WIndows or non-Windows) in your AD environement, you may consider if they support TLS 1.1 or TLS 1.2 (in other word, they may only support SSL 2.0, SSL 3.0 or TLS 1.0) before disabling SSL 2.0, SSL 3.0 and TLS 1.0 protocols.
Hope the information above is helpful.
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
Hi @Daisy Zhou
Thanks for your response. Is it must that we have to disable SSL 2.0, 3.0 protocols in client machines or do they just start using TLS 1.1 or 1.2 when they see SSL 2.0, 3.0 protocols are disabled in the domain controllers. I believe they will negotiate based on the available protocols. We have Windows 10 client machines and mostly Windows Server 2012 R2 in servers.
Thanks & Regards
Sitaram
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 12%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJR%3C/text%3E%3C/svg%3E)
How do you enable TLS 1.1 or TLS 1.2 and disable SSL 2.0, SSL 3.0 and TLS 1.0 protocols via GPO registry
You can follow along here.
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs
--please don't forget to Accept as answer if the reply is helpful--
Dear @Dave Patrick ,
Thanks for your response. The link mention about AD FS. We are only using AD DS role. I know the steps to disable these protocols in Windows Server but wanted to be confident that whether we can safely disable these protocols on Windows server running with the AD DS and DNS roles.
Thanks & Regards
Sitaram