In the GUI (Active Directory Domains and Trusts MMC Snap-in (domain.msc)), you can set the "The other domain supports Kerberos AES Encryption" setting for a trust relationship:

I am looking for a way to set this setting programmatically. I already reviewed the Install-ADDSDomain PowerShell cmdlet and also the netdom TRUST tool, but neither seems to include an option to set the Kerberos AES encryption setting.

Can someone tell me how I can set this setting programmatically?

stackprotector

1 Answer

This can be done with ksetup:

ksetup /setenctypeattr <THE_OTHER_DOMAIN> AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96

See also this documentation. Be aware of where you execute this command and for which domain. You can only use it to set the encryption types for the other domain. So if you are on a DC of child.contoso.com, you can issue:

ksetup /setenctypeattr contoso.com AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96

If you are on a DC of contoso.com, you can issue:

ksetup /setenctypeattr child.contoso.com AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96

Other combinations are not possible and you may face the following problems:

stackprotector
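One way to verify the result after running the ksetup command from the answer above, as an added example that is not part of the original question or answer: it reads the msDS-SupportedEncryptionTypes bitmask from each trusted domain object and reports whether both AES types are set. It assumes the ActiveDirectory (RSAT) module and that the GUI checkbox corresponds to the two AES bits (0x18) of that attribute; the function names and sample masks are constructed for illustration.

```powershell
# Added example: audit the Kerberos encryption types stored on trust objects.
# Assumption: ActiveDirectory module (RSAT) is installed for the live query.

# Bit values of msDS-SupportedEncryptionTypes, keyed by the names ksetup uses.
$EncTypeBits = [ordered]@{
    'DES-CBC-CRC'             = 0x01
    'DES-CBC-MD5'             = 0x02
    'RC4-HMAC-MD5'            = 0x04
    'AES128-CTS-HMAC-SHA1-96' = 0x08
    'AES256-CTS-HMAC-SHA1-96' = 0x10
}

# Hypothetical helper: turn a bitmask into a readable record.
function ConvertFrom-EncTypeMask {
    param([int]$Mask)
    $names = foreach ($e in $EncTypeBits.GetEnumerator()) {
        if ($Mask -band $e.Value) { $e.Key }
    }
    [pscustomobject]@{
        Mask          = '0x{0:X2}' -f $Mask
        Types         = ($names -join ', ')
        NotConfigured = ($Mask -eq 0)                  # attribute unset or 0
        BothAesSet    = (($Mask -band 0x18) -eq 0x18)  # AES128 and AES256
        LegacySet     = (($Mask -band 0x07) -ne 0)     # DES or RC4 bits present
    }
}

# Hypothetical helper: list every trust object with its decoded mask.
function Get-TrustEncryptionTypes {
    Import-Module ActiveDirectory
    Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
                 -Properties trustPartner, 'msDS-SupportedEncryptionTypes' |
        ForEach-Object {
            # [int]$null is 0, so an unset attribute decodes as NotConfigured.
            $d = ConvertFrom-EncTypeMask ([int]$_.'msDS-SupportedEncryptionTypes')
            $d | Add-Member -NotePropertyName Trust -NotePropertyValue $_.trustPartner -PassThru
        }
}

# Constructed sample masks, decoded offline (no domain required).
0, 0x04, 0x18, 0x1C | ForEach-Object { ConvertFrom-EncTypeMask $_ } | Format-Table -AutoSize

# On a domain controller or RSAT host:
# Get-TrustEncryptionTypes | Where-Object { -not $_.BothAesSet } | Format-Table -AutoSize
```

`ksetup /getenctypeattr <THE_OTHER_DOMAIN>` reports the same attribute for a single trust, which makes a quick cross-check against this output.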