This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 67%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
Hello,
I need some advice here, as the current environment contain Parent domain & 2 child domains. Due to some security policy RC4 has been disabled for all domain controllers. I noticed while doing health check or manual repadmin /replsum etc.
Seem to getting AD health check is unhealthy.
[DC2] DsBindWithSpnEx() failed with error 5,
Access is denied..
Warning: DC2 is the Schema Owner, but is not responding to DS RPC Bind.
[DC1] DsBindWithSpnEx() failed with error 5,
Access is denied..
Warning: DC1 is the PDC Owner, but is not responding to DS RPC Bind
Does it necessary to enable AES Encryption?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @RussellAng-0425,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Hello @RussellAng-0425,
I'm just following up to make sure you received my last reply and that my answers properly address your questions. If you have any further questions or concerns about this post, please let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Hello @Daisy Zhou ,
Last question, Since AES is enabled by default.
Hello @RussellAng-0425,
Thank you for your update.
I am sorry, I cannot explain it clearly.
Q: Last question, Since AES is enabled by default. Require to enable for child domain with domain trust?
A: Yes, AES is enabled by default in the same domain.
It is required to enable for Parent-Child domain with domain trust.
Parent domain and child domain use the default Parent-Child trusts, but this trusts by default uses RC4 as ETYPE for Kerberos.
Now RC4 is disabled, so if you want to enable AES on this trust you need to enable this flag (disabled by default) in the trusts properties:
For more information, please refer to link below.
Tough Questions Answered: Can I disable RC4 Etype for Kerberos on Windows 10?
https://techcommunity.microsoft.com/t5/itops-talk-blog/tough-questions-answered-can-i-disable-rc4-etype-for-kerberos-on/ba-p/382718
Hope the information above is helpful to you.
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.