The idea is to try to force Kerberos authentication only. I can't find any tips on forcing it explicitly (even through group policies) but perhaps there's a firewall method to disable any [NT]LM auth and only allow Kerberos auth. I think some specific services may only allow NTLM (such as Telnet) and some services (such as IIS) may have to explicitly be configured to use Kerberos.
(edit) I should mention that I am not an expert on configuring Windows domains or their authentication (obviously) but according to some random guy I asked in IRC, if the SPN is set on a calling ID for a given service, Kerberos will always be used (or attempted anyway) and enabling TCP instead of UDP for the communication may help it get through firewalls, etc. (and solve some other login-related problems with UDP attempts). However, I think NTLM is the only one that can get through all manner of proxies, firewalls, etc. (for IIS, for example).
BTW, don't confuse hashes with authentication protocols. There is no such thing as an "NTLMv2 hash". NTLMv2 is an authentication protocol, and NTLM and LM are authentication protocols too. There is the LM hash and the LM authentication protocol dependent on it, both of which are insecure, but they are two different things.
The article you point to is about LM hashes, not NTLM hashes. There is no way to stop using NTLM hashes on Windows.