For security reasons, you may need to disable SSLv2 on a domain controller to force secure LDAP communication to use SSLv3 or TLSv1. The article What is the Point of Encryption if you Don't Know Who For? offers a description and comparison of the SSLv2, SSLv3, and TLSv1 protocols (see the section "SSLv2 versus SSLv3/TLSv1 and Assurance").
To disable SSLv2 on a Windows Server 2008 or Windows Server 2008 R2 domain controller, perform the following steps:
Open the registry and create a key named Server under the following entry:
Under the registry key Server, create a DWORD value named Enabled and change the value data to
For more information, see KB 245030: How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll.
If you have any applications that connect to the domain controller using SSL v2.0, they will fail to connect after the change. Before making it, you can use a network monitoring tool to analyze network traffic to the domain controller and see whether any packets still use SSL v2.0.
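The following PowerShell script is an added example, not part of the original article: it checks the Schannel SSLv2 server setting and, if needed, creates the Server key with Enabled set to 0, which is the disabling value documented in KB 245030. It assumes the standard Schannel registry location and an elevated PowerShell session on the domain controller.

```powershell
# Added example (not from the original article): audit and disable the SSLv2
# server side in Schannel. Path and the value 0 follow KB 245030.
# Run elevated on the domain controller; Schannel reads the key at boot,
# so a reboot is required before the change takes effect.
$Ssl2Server = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'

function Get-Ssl2ServerState {
    # Returns 'Disabled', 'Enabled', or 'NotConfigured'. On Windows Server
    # 2008/2008 R2 a missing key or value means SSLv2 is still accepted.
    if (-not (Test-Path $Ssl2Server)) { return 'NotConfigured' }
    $item = Get-ItemProperty -Path $Ssl2Server -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.Enabled -eq 0) { return 'Disabled' } else { return 'Enabled' }
}

function Disable-Ssl2Server {
    # Creates the Server key (and any missing parent keys), then sets the
    # DWORD value Enabled to 0, overwriting an existing value if present.
    if (-not (Test-Path $Ssl2Server)) {
        New-Item -Path $Ssl2Server -Force | Out-Null
    }
    New-ItemProperty -Path $Ssl2Server -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

Write-Host "Before: SSLv2 server is $(Get-Ssl2ServerState)"
if ((Get-Ssl2ServerState) -ne 'Disabled') {
    Disable-Ssl2Server
    Write-Host "After:  SSLv2 server is $(Get-Ssl2ServerState) (reboot required)"
}
```

Run Get-Ssl2ServerState on its own after the reboot to confirm the setting persisted.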
This article was derived from the DS forum post, Is it possible to disable SSLv2 on a Windows 2008 domain controller so that secure LDAP communication is forced to use SSLv3 or TLSv1? (http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/1cf01f33-9cbe-4b76-b01c-83923c4cda04).