A few months ago, I switch from a Windows-based Active Directory environment and switch to a Linux alternative called Zentyal. And so far, everything works great. I was able to recreate my AD structure and recreate new group policies based on the ones from my old install.
The only thing I would recommend is taking plenty of backups of Zentyal especially before creating/modifying group policy. A few weeks ago I changed one setting which broke the SYSVOL share and when I tried to connect back to it with Windows Lightweight Active Directory Servies, it kept saying “Access Denied” even though I was logged into the Domain Admin account. Basically, I had to restore a backup to get the server up and running again
Getting back on track, to force Zentyal to use secure Kerberos encryption, we’ll need to make a backup and modify the group policy.
1. Open Group Policy Editor
Open the group policy editor and edit the “Default Domain Policy” and navigate to
- Computer Configuration
- Policies
- Windows Settings
- Security Settings
- Local Policies
- Security Options.
- Local Policies
- Security Settings
- Windows Settings
- Policies
2. Define Settings
Open the Network security: Configure encryption types allowed for Kerberos, click Enabled, and check only AES 256-bit (AES-256) and Future Encryption options. Then click “OK” and exit the group policy.
3. Repeat for Default DC Policy
Next, we’ll need to edit the “Default Domain Controller Policy” and define the same settings. So follow the steps above to configure the encryption types.
4. Enforce Group Policy
Right-click on the “Default Domain Policy” and click “Enforce”. Repeat the same steps for the “Default Domain Controller Policy” and that’s it. Your Zentyal based AD is now more secure by using stronger encryption between clients.