7,023 questions
Hello @Anonymous ,
Last question, Since AES is enabled by default.
- Require to enable for child domain with domain trust?
Domain Controllers replicate error code 110
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 67%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
Russell Ang
66
Reputation points
Hello,
I need some advice here, as the current environment contain Parent domain & 2 child domains. Due to some security policy RC4 has been disabled for all domain controllers. I noticed while doing health check or manual repadmin /replsum etc.
Seem to getting AD health check is unhealthy.
[DC2] DsBindWithSpnEx() failed with error 5,
Access is denied..
Warning: DC2 is the Schema Owner, but is not responding to DS RPC Bind.
[DC1] DsBindWithSpnEx() failed with error 5,
Access is denied..
Warning: DC1 is the PDC Owner, but is not responding to DS RPC Bind
Does it necessary to enable AES Encryption?
Windows for business Windows Client for IT Pros Directory services Active Directory
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2021-07-30T02:19:27.627+00:00 Hello @RussellAng-0425,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.Best Regards,
Daisy Zhou============================================
If the Answer is helpful, please click "Accept Answer" and upvote it. -
Anonymous
2021-08-02T02:56:08.763+00:00 Hello @RussellAng-0425,
I'm just following up to make sure you received my last reply and that my answers properly address your questions. If you have any further questions or concerns about this post, please let us know.Best Regards,
Daisy Zhou============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Sign in to comment
7 answers
Sort by: Most helpful
-
Russell Ang 66 Reputation points
2021-07-27T01:37:51.787+00:00 -
Anonymous
2021-07-28T03:50:36.867+00:00 Hello @RussellAng-0425,
Thank you for your update.
I am sorry, I cannot explain it clearly.
Q: Last question, Since AES is enabled by default. Require to enable for child domain with domain trust?
A: Yes, AES is enabled by default in the same domain.It is required to enable for Parent-Child domain with domain trust.
Parent domain and child domain use the default Parent-Child trusts, but this trusts by default uses RC4 as ETYPE for Kerberos.
Now RC4 is disabled, so if you want to enable AES on this trust you need to enable this flag (disabled by default) in the trusts properties:
For more information, please refer to link below.
Tough Questions Answered: Can I disable RC4 Etype for Kerberos on Windows 10?
https://techcommunity.microsoft.com/t5/itops-talk-blog/tough-questions-answered-can-i-disable-rc4-etype-for-kerberos-on/ba-p/382718Hope the information above is helpful to you.
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.