AD experts out there, I hope you will be able to shed light on LDAP channel binding, LDAP signing, and Kerberos authentication. I have been reading the link below, and it states that the March 2020 update will enable LDAP signing on the Active Directory server by default. My understanding is that any device which uses LDAP is going to be broken.
We have Windows 2012 AD domain controllers and Windows 10 PCs. All the PCs are part of the AD, in which case they use Kerberos authentication, so we do not need to worry about LDAP signing unless we use any non-AD device for LDAP queries; then we have to make sure that they use SSL/TLS. Am I correct?
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-window
My next question,
Where and when do LDAP channel binding and LDAP signing come into play in AD?
The first thing you need to do is download the LDAP query PowerShell script from GitHub. Read this article for a link to the script repository.
Once you have that, you will need to follow the instructions to temporarily set the diagnostic logging level to 3 for all domain controllers.
You will let your domain controllers run like this for at least 24 hours and then run the script on each domain controller in an elevated PowerShell process. The script will output a list of any process using simple or unsecured LDAP.
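The audit the answer above describes, written out as an added example rather than the script from the thread: it reads the DC's current signing and channel-binding settings, raises the NTDS "16 LDAP Interface Events" diagnostic level so the DC logs event 2889 for every unsigned SASL bind or clear-text simple bind, and after the waiting period summarises those events by client address, identity and bind type. It assumes the registry value names and event ID from KB4520412 (the answer uses level 3; the KB sets 2, and higher levels include the lower ones), and it assumes the three insertion strings of event 2889 are client address, identity and binding type in that order. Run it in an elevated PowerShell on each domain controller.

```powershell
# Added example (not the script from the thread): audit a domain controller for
# unsigned or clear-text LDAP binds before LDAP signing is enforced.
# Assumptions: registry locations and event 2889 as documented in KB4520412.

$ntdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-LdapHardeningState {
    # What the DC enforces today. LDAPServerIntegrity: 1 = none, 2 = require signing.
    # LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always; absent = not configured.
    $p = Get-ItemProperty -Path $ntdsParams
    [pscustomobject]@{
        LdapServerIntegrity       = $p.LDAPServerIntegrity
        LdapEnforceChannelBinding = $p.LdapEnforceChannelBinding
    }
}

function Enable-LdapBindAuditing {
    # Level 2 or higher of "16 LDAP Interface Events" makes the DC log event 2889
    # for every unsigned SASL bind or clear-text simple bind. Set back to 0 when done.
    param([ValidateRange(0, 5)][int]$Level = 2)
    Set-ItemProperty -Path $ntdsDiag -Name '16 LDAP Interface Events' -Value $Level -Type DWord
}

function Get-InsecureLdapBinds {
    # Summarise 2889 events from the last $Hours hours: who bound insecurely,
    # from which address, how often, and whether it was simple or unsigned SASL.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Client   = $_.Properties[0].Value   # assumed: "ip:port" of the LDAP client
            Identity = $_.Properties[1].Value   # assumed: account the client bound as
            BindType = if ($_.Properties[2].Value -eq 1) { 'Simple (clear text)' } else { 'SASL without signing' }
        }
    } | Group-Object Client, Identity, BindType | ForEach-Object {
        [pscustomobject]@{
            Count    = $_.Count
            Client   = $_.Group[0].Client
            Identity = $_.Group[0].Identity
            BindType = $_.Group[0].BindType
            LastSeen = ($_.Group | Measure-Object Time -Maximum).Maximum
        }
    } | Sort-Object Count -Descending
}

# Typical sequence: record the current state, turn auditing on, come back after
# at least 24 hours of normal operation, then collect the offenders.
Get-LdapHardeningState
Enable-LdapBindAuditing -Level 2
# ... wait at least 24 hours ...
Get-InsecureLdapBinds -Hours 24 | Format-Table -AutoSize
```

Anything that shows up in the summary is a client that will fail once signing is required: either fix its configuration (signing for SASL binds, or LDAPS for simple binds) or accept the break. Domain-joined Windows clients negotiate signing on their SASL binds by default, so they normally do not appear; the entries that do are usually appliances and applications doing simple binds over port 389.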