This year we upgraded our domain to Windows 2008 R2 and it completed successfully. We have two DCs holding the roles of ADS, DNS and DHCP. They have been working fine for months. One little issue that we left aside for a while was the fact that LDAP signing hadn't been enforced, so last week we set out to correct that.
Following MS articles and suggestions, we first turned the logging level higher to detect which clients were requesting LDAP binds without signing. Over a period of one week we detected only three clients making such requests: an OpenFiler box, and our two SonicWALL routers. We have a configuration of two SonicWALL appliances, the 2040 Pro and the SSL-VPN 2000, with the latest firmware (both updated last Saturday).
We proceeded to turn SSL/TLS signing on for the 2040 Pro and it works fine, though the DC logs event 36886 from the Schannel source about "No suitable default server credential exists on this system".
We also turned SSL/TLS signing on for the OpenFiler, but the DC still logs event 2889 reporting that this box performed an LDAP bind without requesting signing. We will try to deal with this box later, but if anyone has any ideas they are also welcome.
The one that really worries us is the SonicWALL SSL-VPN 2000 box, which prevented users from signing in after we turned this on (see screen shot).
We went into the SonicWALL box and it won't even let us configure domain groups or edit them as long as SSL/TLS signing is checked; the box returns an error saying that the LDAP server could not be contacted. As soon as this check box is unchecked we can edit all the groups and the users can sign in again through SSL VPN. Users signing in through the SonicWALL 2040 Pro with L2TP tunnels have no problem, so this is an SSL-VPN box issue.
I have the feeling that this might have to do with the fact that the connections coming from the SSL-VPN box are in another network segment different from the internal LAN where the DC sits.
The internal LAN where the DC and clients sit is 192.168.1.0; the SSL-VPN box sits on 192.168.200.0. The address of the SSL-VPN port connected to the firewall (2040 Pro) is the one reported in the 2889 LDAP errors on the DC.
As I mentioned before, both DCs are W2008 R2 with the latest patches and updates. We are planning to add a RADIUS server on both DCs to allow L2TP connections for domain users.
One more thing: the setting "Domain Controller: LDAP server signing requirements" is set to "None" under Policies > Windows Settings > Security Settings > Local Policies > Security Options in the Default Domain Controllers Policy. I want to set it to "Require Signing" when there are no clients left that do unsigned bindings.
If you require more info please let me know.
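The detection step described in the post above (raise LDAP interface logging, then read the 2889 events to see which clients still bind unsigned) can be scripted on each DC. The script below is an added example and is not part of the original post; it assumes it is run as an administrator on a Windows Server 2008 R2 DC, that the "16 LDAP Interface Events" diagnostics value is what gates event 2889, and that the 2889 event's replacement strings are, in order, client IP:port, the identity bound as, and the binding type (0 = SASL bind without signing, 1 = simple bind over clear text). The LDAPServerIntegrity registry value is what the "LDAP server signing requirements" policy writes (1 = None, 2 = Require signing); that mapping is assumed from the policy's documented behaviour.

```powershell
# Added example, not from the original post. Run on each DC as an administrator.
# Assumption: "16 LDAP Interface Events" >= 2 is what makes the DC log event 2889.
$diagKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# 1. Raise LDAP interface event logging so every unsigned/clear-text bind is recorded.
Set-ItemProperty -Path $diagKey -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# 2. Pull all 2889 events from the last week from the Directory Service log.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Assumed 2889 replacement-string layout:
#   [0] client IP:port   [1] identity the client bound as   [2] binding type
#   binding type 0 = SASL bind without signing, 1 = simple bind on clear text
$report = foreach ($e in $events) {
    $p = $e.Properties
    $bindType = 'SaslUnsigned'
    if ("$($p[2].Value)" -eq '1') { $bindType = 'SimpleClearText' }
    New-Object PSObject -Property @{
        Time     = $e.TimeCreated
        ClientIP = ("$($p[0].Value)" -split ':')[0]   # drop the ephemeral source port
        Identity = "$($p[1].Value)"
        BindType = $bindType
    }
}

# 3. One row per client address: how often, as whom, and which kind of weak bind.
#    In the scenario above this is where the OpenFiler box and the SSL-VPN's
#    firewall-side address would show up.
$report | Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object @{n='ClientIP';   e={ $_.Name }},
                  Count,
                  @{n='Identities'; e={ ($_.Group | ForEach-Object { $_.Identity } | Sort-Object -Unique) -join ', ' }},
                  @{n='BindTypes';  e={ ($_.Group | ForEach-Object { $_.BindType } | Sort-Object -Unique) -join ', ' }} |
    Format-Table -AutoSize

# 4. Show what "Domain Controller: LDAP server signing requirements" currently
#    resolves to on this DC. Assumed mapping: 1 = None, 2 = Require signing;
#    a missing value means the policy has never been applied (behaves as None).
$cur = (Get-ItemProperty -Path $paramKey -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
if ($null -eq $cur) { $cur = 'not set' }
"LDAPServerIntegrity on $env:COMPUTERNAME = $cur  (1 = None, 2 = Require signing)"

# 5. Only once the report in step 3 has been empty for a full week should signing
#    be enforced. Do it through the Default Domain Controllers Policy so it survives
#    Group Policy refresh; the registry write below is what that policy setting
#    ends up doing, kept here only to show the effective value.
# Set-ItemProperty -Path $paramKey -Name LDAPServerIntegrity -Value 2 -Type DWord
```

Run it on both DCs, since a client may be talking to either one. Binding type 1 (simple bind in clear text) is the worse of the two findings: the password itself crosses the wire unprotected, which is exactly the case for an LDAP client that has its SSL/TLS option turned off, so those rows are the ones to chase first.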