Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
SUMMARY
By default, Active Directory administrative tools in the
Windows Server 2003 family sign and encrypt all Lightweight Directory Access
Protocol (LDAP) traffic. Signing LDAP traffic guarantees that the packaged data
comes from a known source, has not been tampered with and does not hit the wire
in clear text where network trace utilities like Network Monitor can view it.
Active Directory administration tools may also negotiate by using the NTLM
authentication protocol instead of LDAP signing. Two scenarios that invoke NTLM
authentication are the following:
- The administration of Windows 2000 domain controllers that are located in an
external forest that is connected by earlier-version trusts.
- Focusing MMC snap-ins against a specific domain controller that is referenced
by its IP address. For example, you click Start, click Run, and then type
dsa.msc /server=x.x.x.x, where x.x.x.x is the IP address of the domain
controller.
To use these Windows Server 2003 Active Directory
administrative tools when NTLM authentication is negotiated with Microsoft
Windows 2000-based domain controllers, administrators must take either of the
following actions:
- Install Windows 2000 Service Pack 3 (SP3) on Windows 2000-based domain
controllers.
-or-
- Turn off LDAP signing and sealing in the registry of the client computer that
is running the administrative tools, and then restart the tools on the client.
The Windows Server 2003 snap-ins and command-line tools
that automatically secure LDAP traffic over the network include:
- Active Directory Domains and Trusts
- Active Directory Sites and Services
- Active Directory Schema
- Active Directory Users and Computers
- ADSI Edit
- Dsmove.exe
- Dsrm.exe
- Dsadd.exe
- Dsget.exe
- Dsmod.exe
- Dsquery.exe
- Group Policy Management Console
- Object Picker
To maintain a secure network, Microsoft recommends that you
sign and encrypt administrative LDAP traffic by deploying the Windows Server
2003 administrative tools exclusively on Microsoft Windows XP and Windows
Server 2003 member computers and Windows Server 2003 and Windows 2000 Service
Pack 4 (SP4) domain controllers.
With Windows 2000 Service Pack 2 and Earlier
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To use the Windows Server 2003 Active Directory administrative tools to manage
Windows 2000-based domain controllers that have Windows 2000 Service Pack 2 (SP2)
or earlier installed when NTLM authentication is negotiated, you can configure
the administrative tools to communicate by using non-secured LDAP traffic. To
disable signed or encrypted LDAP traffic, follow these steps:
- Open Registry Editor.
- In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AdminDebug\ADsOpenObjectFlags.
- Click Edit, point to New, and then click DWORD Value.
- In the text box that appears, type ADsOpenObjectFlags, and then press ENTER.
- Double-click the ADsOpenObjectFlags value that you just created, and then change the Value data to one of the following values:
Value data (hexadecimal) | Disables |
1 | Signing |
2 | Encryption |
3 | Encryption and signing |
Caution This procedure will disable the use of signed or encrypted LDAP traffic for some Active Directory administrative tools. We recommend that you avoid disabling this feature.
To turn off the signature and encryption of LDAP
traffic for the Windows Server 2003 Active Directory tools, set the
ADsOpenObjectFlags value to
0x03 in the following registry key on the client computer:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AdminDebug\ADsOpenObjectFlags
Restart the administrative tools after you set the
ADsOpenObjectFlags
registry key. Administrators can also use Windows 2000 versions of the tools
against Windows 2000-based domain controllers with SP2 or earlier on Windows
2000-based clients and servers. The client may not negotiate a connection with
the earlier-version server if the client tries to authenticate by using NTLM.
For example, this may occur in cross-forest trusts or when the client tries to
connect to the server by means of an IP address.
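The ADsOpenObjectFlags value described above is an override that should exist only on a client that must manage Windows 2000 SP2 or earlier domain controllers, and it should be removed once those controllers are at SP3 or later. The following PowerShell script is an added example and is not part of the Knowledge Base article; it reads the value on the local client, decodes the two bits the article documents (1 = signing disabled, 2 = encryption disabled), reports the result, and provides a function that removes the override so the Windows Server 2003 tools sign and encrypt LDAP traffic again. The registry path and value name are the ones the article gives; the function names are the example's own.

```powershell
# Added example (not from the KB article): audit, and optionally reset, the
# ADsOpenObjectFlags override on the local client. The key path and value name
# are taken from the article; Get-/Restore- function names are this example's own.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdminDebug'
$ValueName = 'ADsOpenObjectFlags'

function Get-LdapAdminToolProtection {
    # Returns an object describing which LDAP protections the value turns off.
    # A missing key or value means the default (sign and encrypt) is in effect.
    $flags = 0
    if (Test-Path -Path $KeyPath) {
        $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $flags = [int]($item.$ValueName) }
    }
    [pscustomobject]@{
        RawValue           = ('0x{0:X2}' -f $flags)
        SigningDisabled    = [bool]($flags -band 1)   # bit 0: value 1 disables signing
        EncryptionDisabled = [bool]($flags -band 2)   # bit 1: value 2 disables encryption
        Secure             = (($flags -band 3) -eq 0) # neither protection disabled
    }
}

function Restore-LdapAdminToolProtection {
    # Removes the override so the Windows Server 2003 tools sign and encrypt
    # LDAP traffic again. Restart the administrative tools afterwards, as the
    # article notes, for the change to take effect.
    if (Test-Path -Path $KeyPath) {
        Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    }
}

# Report the current state. Run elevated if you intend to remove the value.
$state = Get-LdapAdminToolProtection
$state | Format-List
if (-not $state.Secure) {
    Write-Warning ("Administrative LDAP traffic from this client is not fully protected " +
                   "($($state.RawValue)). Run Restore-LdapAdminToolProtection once the " +
                   "Windows 2000 domain controllers are at SP3 or later.")
}
```

The audit function is read-only and can be run from a standard user session; Restore-LdapAdminToolProtection writes to HKEY_LOCAL_MACHINE and therefore needs an elevated session. Because the value lives on the client rather than the domain controller, checking a fleet means running the audit on every workstation or server where the Windows Server 2003 administrative tools are installed.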
When the connection cannot be negotiated, the Windows Server 2003 snap-ins and
command-line tools that automatically secure LDAP traffic over the network may
display the following error messages:
Tool | Error message |
Active Directory Domains and Trusts | The configuration information describing this enterprise is not available. The server is not operational, or the configuration information describing this enterprise is not available. The directory service is not available. Contact your system administrator to verify that your domain is properly configured and is currently online. |
Active Directory Sites and Services | Naming information cannot be located because: The directory service is not available. Contact your system administrator to verify that your domain is properly configured and is currently online. Windows cannot connect to the new forest because: The server is not operational. |
Active Directory Schema | The Domain Controller could not be set. The directory service is unavailable. |
Active Directory Users and Computers | Windows cannot connect to the new domain because: The server is not operational. Naming information cannot be located because: The directory service is not available. Contact your system administrator to verify that your domain is properly configured and is currently online. |
ADSI Edit - Dsmove.exe | dsmove failed: <dn of object>: The directory service is unavailable. |
Dsrm.exe | dsrm failed: The directory service is unavailable. |
Dsadd.exe | dsadd failed: <dn of object>: The directory service is unavailable. |
Dsget.exe | dsget failed: The directory service is unavailable. |
Dsmod.exe | dsmod failed: <dn of object>: The directory service is unavailable. |
Dsquery.exe | dsquery failed: The directory service is unavailable. |
Group Policy Management Console | The specified network resource or device is no longer available. |
Object Picker | Object Not Found. |