Consider the following scenario:

  • You have a domain that contains Windows Server 2003-based domain controllers, Windows Server 2008-based domain controllers, and Windows Server 2008 R2-based domain controllers.
    Note Windows Server 2008 R2-based domain controllers are not required to experience this issue.
  • You disable the Data Encryption Standard (DES) encryption type by using the Network security: Configure encryption types allowed for Kerberos Group Policy setting in the domain.
  • You restart the Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2-based domain member or domain controller.

In this scenario, the computer may not function correctly after you restart it.

For example, you cannot contact services on the computer by using remote procedure call (RPC) requests or Lightweight Directory Access Protocol (LDAP) queries. You cannot log on interactively. If you remotely connect to the event log of an affected domain controller that provides DNS services, you find many event ID 4000 and event ID 4007 errors logged by the DNS Server service.


  • In most cases the error in LDAP is as follows:


  • There may be other error events triggered by services or applications that use the local computer identity to access local resources through other user-mode services, for example, a middleware application that uses a local SQL back-end.
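
The following check is an added example, not part of the original article. Run on a computer that receives the policy and that you can still log on to (for instance, before the restart), it decodes which Kerberos encryption types the Group Policy setting allows, then reads the DNS Server event log of a domain controller remotely for the event IDs described above. The computer name `DC01.example.test` is a placeholder; the registry path and bit values are the documented ones for this policy setting.

```powershell
# Added example. DC01.example.test is a placeholder name, not from the article.
param([string]$DomainController = 'DC01.example.test')

# Bit flags of the SupportedEncryptionTypes value that the policy setting writes.
$EncTypes = @(
    @{ Name = 'DES_CBC_CRC';      Bit = 0x1  },
    @{ Name = 'DES_CBC_MD5';      Bit = 0x2  },
    @{ Name = 'RC4_HMAC_MD5';     Bit = 0x4  },
    @{ Name = 'AES128_HMAC_SHA1'; Bit = 0x8  },
    @{ Name = 'AES256_HMAC_SHA1'; Bit = 0x10 }
)

function Get-AllowedKerberosEncType([int]$Value) {
    # Return the names of all encryption types whose bit is set in $Value.
    $EncTypes | Where-Object { $Value -band $_.Bit } | ForEach-Object { $_.Name }
}

# 1. Decode the policy as applied to the local computer.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$prop = Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue

if ($null -eq $prop) {
    'Policy is not configured on this computer; operating system defaults apply.'
} else {
    $value   = [int]$prop.SupportedEncryptionTypes
    $allowed = @(Get-AllowedKerberosEncType $value)
    'SupportedEncryptionTypes = 0x{0:X}' -f $value
    'Allowed: {0}' -f ($allowed -join ', ')
    if (-not ($value -band 0x3)) {
        'DES is disabled by policy on this computer.'
    }
}

# 2. Look for the DNS Server events the article describes on a domain controller.
$filter = @{ LogName = 'DNS Server'; Id = 4000, 4007 }
try {
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter `
                 -MaxEvents 20 -ErrorAction Stop |
        Select-Object TimeCreated, Id, ProviderName
} catch {
    # Get-WinEvent also raises an error when no events match the filter.
    "No matching events, or the log on $DomainController could not be read: " +
        $_.Exception.Message
}
```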
