For security reasons, you may need to disable SSLv2 on a domain  controller to force secure LDAP communication using SSLv3 or TLSv1.  The following article, What is the Point of Encryption if you Don't Know Who For? offers  a description and comparison between SSLv2, SSLv3, and TLSv1 encryption methods (see the section, SSLv2 versus SSLv3/TLSv1 and Assurance Level). 


To disable SSLv2 on a Windows Server 2008 or Windows Server 2008 R2 domain controller perform the following steps:

  1. Open the registry and create a key named Server under the following entry :

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

  2.  Under the registry key Server, create a DWORD value named Enabled and change the value data to 00000000.

  3. Reboot.

For more information see KB 245030:  How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll

 If you have any applications that connect to the domain controller using SSL v2.0, they will fail to connect.  You can use a network monitoring tool to analyze network traffic to see if there are any packets using SSL v2.0.

Related References

This article was derived from the DS forum post, Is it possible to disable SSLv2 on a Windows 2008 domain controller so that secure LDAP communication is forced to use SSLv3 or TLSv1? (