How to configure an isolated domain controller with Windows Server 2022 OS for legacy clients and applications

Andrew Ang 40 Reputation points

How can I configure an isolated domain controller with Windows Server 2022 DC for legacy clients (Windows 7, 2008 OS) and applications? I plan to activate older protocols, such as SMB version 1, NTLM versions 1 and 2, TLS versions 1.0 and 1.1, RC4, and DES, on a dedicated domain controller. All legacy clients and apps will connect and authenticate through this DC. This DC will be replicated across other 2022 DCs that do not support all historical protocols, ciphers, and encryptions. Is it possible? Thanks.


Answer accepted by question author

Marcin Policht 92,630 Reputation points MVP Volunteer Moderator

What you’re proposing will technically work in pieces, but not overall. Active Directory does not proxy or “front” client authentication through a specific domain controller. Legacy clients don’t authenticate “via” one DC that then talks to others on their behalf - they directly negotiate authentication with whatever DC they contact. Replication only synchronizes directory data, not authentication protocol behavior. Because of that, enabling weak protocols on one DC does not isolate the rest of the domain if those clients can still reach other DCs.

If you want true containment, you need to combine protocol enablement with strict network isolation and client targeting. The legacy DC must be reachable only by legacy systems, and legacy systems must only be able to reach that DC. This is usually done with VLAN segmentation and firewall rules that explicitly allow Kerberos, LDAP, SMB, RPC, and DNS only between the legacy subnet and that specific DC, while blocking those same ports to all other domain controllers. Without that, Windows 7/2008 systems will still attempt to use modern DCs and fail in unpredictable ways.

On the Windows Server 2022 domain controller itself, you can re-enable older protocols, but several are disabled by default for good reason. SMB1 can be installed as a feature, NTLMv1 can be allowed through security policy, and TLS 1.0/1.1 plus legacy ciphers like RC4 and DES can be re-enabled through Schannel registry settings. Be aware that DES is effectively deprecated even in AD and may require explicit account-level configuration, and some newer domain functional level defaults actively discourage or ignore it.

To enable SMB1:

Install-WindowsFeature FS-SMB1

To relax NTLM restrictions:

secpol.msc
Security Settings -> Local Policies -> Security Options
Network security: LAN Manager authentication level = Send LM & NTLM responses

To allow NTLMv1 specifically:

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LmCompatibilityLevel /t REG_DWORD /d 1 /f

For TLS 1.0 and 1.1 and weak ciphers, you modify Schannel:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 1 /f

RC4 and DES require enabling cipher suites, often via group policy:

Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings

and explicitly adding legacy suites if they are removed.

For DES in Active Directory, accounts must allow it:

Set-ADUser username -UseDESKeyOnly $true

You also need to consider Kerberos encryption types:

Set-ADAccountControl username -AllowReversiblePasswordEncryption $true

although reversible encryption is extremely risky and should only be used if absolutely required by the application.

DNS is another critical piece. If legacy clients use standard domain DNS, they will discover all domain controllers. To prevent that, either give them a separate DNS zone view that only returns the legacy DC’s SRV records, or point them to a dedicated DNS server that only registers that DC. Otherwise, SRV record discovery will break your isolation.

Replication between your legacy-enabled DC and modern DCs will still use modern secure protocols (RPC with Kerberos and strong ciphers), so that part is fine. The security risk is not replication; it is lateral exposure if a compromised legacy client can reach newer DCs or if weak protocols are accidentally enabled domain-wide via Group Policy.

A safer pattern in practice is to create a completely separate forest for legacy systems with a one-way trust to the modern environment, or even no trust at all, and use application-layer bridges instead of identity sharing. If you must keep a single domain, the isolation must be enforced at the network and DNS level, not just by configuring one permissive domain controller.


If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
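The answer's closing warning is that the real risk is weak protocols being enabled domain-wide by mistake. The script below is an added example, not part of the answer or of any Microsoft tooling: it audits every DC in the domain for the settings Marcin lists (SMB1 feature, LmCompatibilityLevel, Schannel TLS 1.0/1.1 server keys) by reading the effective registry state on each DC, so GPO-applied values are caught as well, and flags any DC other than the designated legacy one that has them. The DC name is an assumption.

```powershell
# Added example: audit all DCs for the legacy settings described in the answer.
# Reads effective registry values over WinRM, so settings pushed by GPO are included.
Import-Module ActiveDirectory

$LegacyDC = 'LEGACY-DC01'   # assumed: short hostname of the dedicated legacy DC

# Runs on each DC and returns one object describing its legacy-protocol state.
$AuditBlock = {
    $lsa   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $sch   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $tls10 = Get-ItemProperty "$sch\TLS 1.0\Server" -ErrorAction SilentlyContinue
    $tls11 = Get-ItemProperty "$sch\TLS 1.1\Server" -ErrorAction SilentlyContinue
    $smb1  = Get-WindowsFeature -Name FS-SMB1
    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        SMB1Installed        = [bool]$smb1.Installed
        LmCompatibilityLevel = $lsa.LmCompatibilityLevel   # $null = no explicit value (OS default)
        TLS10Server          = $tls10.Enabled              # 1 = enabled, 0 = disabled, $null = OS default
        TLS11Server          = $tls11.Enabled
    }
}

$dcs     = (Get-ADDomainController -Filter *).HostName
$results = Invoke-Command -ComputerName $dcs -ScriptBlock $AuditBlock

foreach ($r in $results) {
    $weak = @()
    if ($r.SMB1Installed)     { $weak += 'SMB1 installed' }
    # Only level 5 ("Refuse LM & NTLM") stops a DC accepting LM/NTLMv1 responses.
    if ($null -eq $r.LmCompatibilityLevel -or $r.LmCompatibilityLevel -lt 5) {
        $lvl = if ($null -eq $r.LmCompatibilityLevel) { 'default' } else { $r.LmCompatibilityLevel }
        $weak += "accepts LM/NTLMv1 (LmCompatibilityLevel=$lvl)"
    }
    if ($r.TLS10Server -eq 1) { $weak += 'TLS 1.0 server enabled' }
    if ($r.TLS11Server -eq 1) { $weak += 'TLS 1.1 server enabled' }

    if ($weak.Count -eq 0) {
        Write-Host "$($r.Computer): no legacy protocols enabled" -ForegroundColor Green
    } elseif ($r.Computer -ieq $LegacyDC) {
        Write-Host "$($r.Computer): designated legacy DC: $($weak -join '; ')" -ForegroundColor Yellow
    } else {
        Write-Warning "$($r.Computer): legacy settings on a NON-legacy DC: $($weak -join '; ')"
    }
}
```

Run it from a management host with the RSAT AD module and WinRM access to the DCs. Schedule it after any Group Policy change touching Security Options or SSL Configuration Settings, since those are the paths by which the legacy DC's settings most easily leak to the rest of the domain.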

  1. Marcin Policht 92,630 Reputation points MVP Volunteer Moderator

    If the client computers you are referring to have static or reserved IP addresses, you can actually create a designated AD site (by creating an AD subnet that contains all of these IP addresses) and then associate the domain controller in question with that AD site. This way, by default, all clients will use that DC for authentication (due to site affinity).


    hth

    Marcin

  2. Andrew Ang 40 Reputation points

    May I know the steps for configuration to achieve what you advised below? Thanks.

    DNS is another critical piece. If legacy clients use standard domain DNS, they will discover all domain controllers. To prevent that, either give them a separate DNS zone view that only returns the legacy DC’s SRV records, or point them to a dedicated DNS server that only registers that DC. Otherwise, SRV record discovery will break your isolation.

    Replication between your legacy-enabled DC and modern DCs will still use modern secure protocols (RPC with Kerberos and strong ciphers), so that part is fine. The security risk is not replication; it is lateral exposure if a compromised legacy client can reach newer DCs or if weak protocols are accidentally enabled domain-wide via Group Policy.

  3. Andrew Ang 40 Reputation points

    Thank you. (By creating an AD subnet that includes all of these IP addresses), do I need to include the entire client subnet or can I only include IP addresses used by the Windows 7 and Windows 2008 clients?
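The following is an added example, not code from the thread, that puts the AD site approach from Marcin's comment and the DNS concern from the answer into one script. It creates the site and subnet and moves the legacy DC into it, then uses the Netlogon DnsAvoidRegisterRecords setting on that DC so it registers only its site-specific DC Locator records and stays out of the domain-wide ones, which keeps modern clients from being steered to it; finally it checks the resulting SRV records. The domain name, DC name, site name and subnet are assumptions.

```powershell
# Added example: site affinity for the legacy clients plus DC Locator record
# exclusion for the legacy DC. Requires RSAT AD module and WinRM to the legacy DC.
Import-Module ActiveDirectory

$Domain       = 'corp.example.com'          # assumed AD DNS domain name
$LegacyDC     = 'LEGACY-DC01'               # assumed dedicated legacy DC
$LegacySite   = 'Legacy-Site'               # assumed site name
$LegacySubnet = '10.10.50.0/24'             # assumed subnet holding the Win7/2008 hosts
$MainSite     = 'Default-First-Site-Name'   # assumed existing site of the modern DCs

# 1. Site and subnet: a client whose IP falls in the subnet maps to this site and by
#    default prefers the DCs in it. The site link keeps replication flowing to the modern DCs.
New-ADReplicationSite     -Name $LegacySite
New-ADReplicationSubnet   -Name $LegacySubnet -Site $LegacySite -Description 'Legacy Windows 7 / 2008 clients'
New-ADReplicationSiteLink -Name "$LegacySite-$MainSite" -SitesIncluded $LegacySite, $MainSite `
                          -Cost 100 -ReplicationFrequencyInMinutes 15
Move-ADDirectoryServer    -Identity $LegacyDC -Site $LegacySite

# 2. On the legacy DC only: stop Netlogon from registering the generic (non-site) DC Locator
#    records. The *AtSite records are still registered, so clients in Legacy-Site find it,
#    but clients elsewhere never receive it from _ldap._tcp.dc._msdcs.<domain> and friends.
$Avoid = @('Dc', 'DcByGuid', 'Gc', 'GcIpAddress', 'GenericGc', 'Kdc', 'Ldap', 'LdapIpAddress',
           'Rfc1510Kdc', 'Rfc1510Kpwd', 'Rfc1510UdpKdc', 'Rfc1510UdpKpwd')
Invoke-Command -ComputerName $LegacyDC -ScriptBlock {
    param($Mnemonics)
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
        -Name DnsAvoidRegisterRecords -PropertyType MultiString -Value $Mnemonics -Force | Out-Null
    nltest /dsregdns | Out-Null   # re-run Netlogon DNS registration with the exclusions applied
} -ArgumentList (,$Avoid)

# 3. Verify: the generic record set should not list the legacy DC; the site-specific set should.
#    Previously registered generic records are not guaranteed to disappear on their own;
#    if the legacy DC still shows up here, delete those records or let scavenging age them out.
$generic = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV
$site    = Resolve-DnsName -Name "_ldap._tcp.$LegacySite._sites.dc._msdcs.$Domain" -Type SRV
"Generic DC records : " + (($generic | Where-Object Type -eq 'SRV').NameTarget -join ', ')
"$LegacySite records: " + (($site    | Where-Object Type -eq 'SRV').NameTarget -join ', ')
```

Two caveats. Site affinity is a preference, not a restriction: DC Locator still queries the generic records first and will fall back to any reachable DC if the site DC does not answer, so the firewall rules from the answer remain the actual isolation control. And the same exclusion list can be set by Group Policy (Computer Configuration > Administrative Templates > System > Net Logon > DC Locator DNS Records > "Specify DC Locator DNS records not registered by the DCs"); if such a policy applies to the legacy DC it overrides the registry value written here, so keep one authoritative source. On a legacy client, `nltest /dsgetsite` and `nltest /dsgetdc:$Domain /force` show which site and DC it actually resolved to.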

