Disable TLS 1.0 and TLS 1.1 on Windows 2008 R2 Domain Controller


During the security audit it was suggested that we disable TLS 1.0 and TLS 1.1 on all our domain controllers; the recommendation is to enable only TLS 1.2. We have downloaded the required hotfix to enable TLS 1.1 and TLS 1.2 support for Remote Desktop, and that hotfix has been tested in the test lab.

Now we are planning to disable TLS 1.0 and TLS 1.1 on the DCs in the production environment; however, to be safe and avoid impact, we tested the same in the AD test environment, and the result is as below:

1. Downloaded the RDP hotfix and installed it to allow RDP support when TLS 1.0 is disabled; this is required as Windows 2008 R2 does not support TLS 1.1 and TLS 1.2 for RDP connections.

2. Checked the LDAPS (port 636) connection using LDP.exe against the target test DC from another Windows 2008 R2 server; the connection was successful and TLS 1.0 was being used (verified using Wireshark).

3. Downloaded the IISCrypto tool (version 1.6 build 7), clicked the Best Practices template and rebooted the DC. (Best Practices does not disable TLS 1.0.)

4. After the reboot, checked the secure LDAP connection; able to connect to LDAPS (port 636), and TLS 1.0 was being used.

5. Manually removed TLS 1.0 (kept TLS 1.1 and TLS 1.2) using IISCrypto, applied and rebooted the DC.

6. After the reboot I was not able to connect to the DC on port 636 using ldp.exe.

7. Re-enabled TLS 1.0 and rebooted the server.

8. After the reboot I am now able to connect to the DC on port 636 using LDP.exe.

Now the question: Is TLS 1.0 always required to be enabled on a DC to allow secure LDAP connections? Is there any way to set LDAP to use TLS 1.2? In our environment there are only 2-3 servers which use secure LDAP (port 636) to connect to the DC, and those use the TLS 1.0 protocol. We are in the process of enabling TLS 1.2 support in those applications, and after that we want to disable TLS 1.0 and TLS 1.1 on all DCs. Since testing was not successful, we are now stuck. Please assist.


Friday, December 2, 2016 4:55 AM
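The following check is added here and is not part of the original post: it reports the SCHANNEL protocol state that IISCrypto edits on the local server and then probes a DC's LDAPS listener offering one TLS version at a time, which separates a DC that refuses TLS 1.1/1.2 on port 636 from a client that never offers it. It assumes PowerShell on a host with .NET Framework 4.5 or later (needed for the Tls11/Tls12 enum values); `$DcFqdn` is a placeholder for your test DC.

```powershell
# Added example, not part of the original post. Assumes PowerShell on a host with
# .NET Framework 4.5 or later (needed for the Tls11/Tls12 enum values) and that
# $DcFqdn is replaced with the FQDN of the test DC (placeholder value below).
param([string]$DcFqdn = "testdc.example.internal")

$protoRoot = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

# 1. Local SCHANNEL state (this is what IISCrypto edits). A protocol counts as on
#    unless Enabled=0; DisabledByDefault=1 means it is only used when requested.
foreach ($proto in "SSL 2.0","SSL 3.0","TLS 1.0","TLS 1.1","TLS 1.2") {
    foreach ($side in "Server","Client") {
        $key = Join-Path $protoRoot "$proto\$side"
        $enabled = "(no key)"; $disabled = "(no key)"
        if (Test-Path $key) {
            $v = Get-ItemProperty -Path $key
            $enabled  = if ($v.PSObject.Properties["Enabled"])           { $v.Enabled }           else { "(not set)" }
            $disabled = if ($v.PSObject.Properties["DisabledByDefault"]) { $v.DisabledByDefault } else { "(not set)" }
        }
        "{0,-8} {1,-6} Enabled={2,-9} DisabledByDefault={3}" -f $proto, $side, $enabled, $disabled
    }
}

# 2. Probe the DC's LDAPS listener offering exactly one protocol version per
#    attempt. Success on Tls (1.0) with failure on Tls11/Tls12 points at the DC
#    or at the local client SCHANNEL settings printed in part 1; failure on all
#    three points at the client, the certificate, or the network path.
foreach ($tls in "Tls","Tls11","Tls12") {
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($DcFqdn, 636)
        # Certificate errors are ignored only so the probe reports protocol
        # support; a real LDAPS client must validate the DC certificate.
        $ignoreCertErrors = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $ignoreCertErrors)
        $ssl.AuthenticateAsClient($DcFqdn, $null, [System.Security.Authentication.SslProtocols]$tls, $false)
        "LDAPS {0,-5}: handshake OK, negotiated {1}" -f $tls, $ssl.SslProtocol
    } catch {
        "LDAPS {0,-5}: FAILED ({1})" -f $tls, $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}
```

Run part 1 on the DC itself and part 2 from the server that hosts the LDAPS-dependent application, so both ends of the failing connection in step 6 are covered.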

