Configuring LDAPS on domain controllers running on Windows Server 2008 and Windows Server 2012


start the LDP utility and try to connect to the 127.0.0.1 address on the 636 port using SSL. The connection will be failed

issue a certificate for the domain controller and save it along with a private key within a PKCS#12 file as described here and here. The certificate should meet the following requirements:

the issuer is trusted both by the domain controller and LDAPS clients

the extended key usage attribute includes the server authentication OID (1.3.6.1.5.5.7.3.1)

the FQDN of the domain controller is included into the subject field or the subject alternative name extension

open the “Certificates – Service account – Local computer – Active Directory Domain Services” console and import the certificate and the private key from the PKCS#12 file into the “NTDS\Personal” certificate store

Comment: changes apply immediately thus there is no need to reboot the server or restart any services

start the LDP utility and try to connect to the 127.0.0.1 address on the 636 port using SSL. The connection will be successfully established

Leave a Reply