Paul Walsh

asked on

LDAPS Adoption

Hi All,

We have two 2008 R2 servers with the default settings. I know 2008 is EOL; we are updating them shortly. Ahead of the LDAPS switch-over in March I have enabled the deeper diagnostic logging in the event viewer to discover which devices are currently using unsecured LDAP in our environment. Given the fact that we haven't manually enforced LDAPS on the server yet, am I able to start changing how these devices communicate with AD? Can I configure them to use LDAPS, and will the server accept this or reject it?

If it is possible I would like to get these devices using LDAPS before we apply the enforcement on the server.

Thanks for your help.
Paul
Jeff Glover

Unfortunately, I don't have any 2008 servers in my environment, we have 2016 and 2019 but I think the registry setting is the same. Run the following command from an elevated command prompt on your DC(s).

Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2

If you are not sure and do not want to run this cold, just navigate to the key in regedit and manually set it to 2

This will enable a higher level of logging on your DCs. Insecure LDAP connections will give you an event 2889 in the Directory Service event log. You can either filter the log for these events or copy and run the script found here (let it sit for 24 hours or so before checking):

https://github.com/russelltomkins/Active-Directory/blob/master/Query-InsecureLDAPBinds.ps1

It will give you a CSV file with all insecure connections (much easier). You may have to run it a few times to get them all. This worked for us.
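The linked PowerShell script reads the event 2889 entries and writes them to CSV. As an added illustration that is not part of the thread or of that script, the snippet below parses the body of such events (for example exported with Get-WinEvent or wevtutil) and tallies, per client IP and account, how many binds were SASL without signing (binding type 0) and how many were simple binds in clear text (binding type 1). The event messages embedded here are constructed samples in the shape of event 2889, not records from a real DC.

```python
import re
from collections import Counter, defaultdict

# Constructed sample event 2889 message bodies (assumption: same layout as the
# Directory Service event; the IPs and account names below are made up).
SAMPLE_EVENTS = [
    """The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
10.1.2.30:50214
Identity the client attempted to authenticate as:
CONTOSO\\svc-ldap-sync
Binding Type:
1""",
    """The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
10.1.2.30:50377
Identity the client attempted to authenticate as:
CONTOSO\\svc-ldap-sync
Binding Type:
1""",
    """The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
10.1.2.31:61002
Identity the client attempted to authenticate as:
CONTOSO\\printer01$
Binding Type:
0""",
    "Some unrelated event text that should be skipped",
]

# Binding type values as documented for event 2889.
BIND_TYPES = {"0": "SASL bind without signing", "1": "simple bind over clear text"}

FIELD_RE = re.compile(
    r"Client IP address:\s*\n(?P<endpoint>\S+)\s*\n"
    r"Identity the client attempted to authenticate as:\s*\n(?P<identity>[^\n]+)\n"
    r"Binding Type:\s*\n(?P<bind>\d)"
)


def parse_event(message):
    """Extract client IP, source port, identity and bind type from one event body.

    Returns None when the text does not look like an event 2889 message.
    """
    m = FIELD_RE.search(message)
    if not m:
        return None
    # Split on the last colon so an IPv6 address keeps its own colons.
    ip, _, port = m["endpoint"].rpartition(":")
    return {
        "ip": ip,
        "port": int(port),
        "identity": m["identity"].strip(),
        "bind_type": BIND_TYPES.get(m["bind"], "unknown (" + m["bind"] + ")"),
    }


def summarize(messages):
    """Count insecure binds per (client IP, identity), broken down by bind type."""
    by_client = defaultdict(Counter)
    for msg in messages:
        rec = parse_event(msg)
        if rec is not None:
            by_client[(rec["ip"], rec["identity"])][rec["bind_type"]] += 1
    return by_client


def to_rows(summary):
    """Flatten the summary into sorted (ip, identity, bind_type, count) rows for a CSV."""
    rows = []
    for (ip, identity), counts in summary.items():
        for bind_type, n in counts.items():
            rows.append((ip, identity, bind_type, n))
    return sorted(rows)


if __name__ == "__main__":
    for row in to_rows(summarize(SAMPLE_EVENTS)):
        print(",".join(str(x) for x in row))
```

Each row names a device and account to chase down; a simple bind in clear text means the password itself crosses the wire unencrypted, so those clients are the first to move to LDAPS.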
It seems you're asking whether you can use LDAPS to communicate with your servers/DCs before the March update. Certainly! LDAPS has been around for many years. Now whether you have your DCs configured correctly is another question.

One method you can use to test is by using ldp.exe. For the connection, specify to use port 636 (or even 3269 for the global catalog) and check the box for SSL.
Paul Walsh

ASKER

Fantastic, thank you. Any pointers on the correct way to set up the server for LDAPS if it isn't already?

cheers,
Paul
SOLUTION
footech
Hi,

Thank you for all your help. We don't currently have the Certificate Services role installed on any of our DCs. Would you recommend enabling this role? I have read that enabling this just for LDAPS is a bit overkill. What do you think?
First off, I must apologize. I misread your initial message and missed that you had already done the logging. It is not recommended that you put the Certificate Services role on a DC, but if you do not have extra servers, you can. However, it means you cannot demote the server without removing the role and transferring it to another server (or retiring it). You can use self-signed certs on the DCs for LDAPS, but it then boils down to installing these certs as trusted root CA certificates on the appliances or end nodes needing to connect via LDAPS.
Personally, it makes things easier to have it and does not cost more. You just need to know the limitations.
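Two checks come up in this thread: testing an LDAPS connection on port 636 (or 3269 for the global catalog) the way ldp.exe does, and confirming that the end nodes trust the issuing CA and that the DC's certificate actually carries the DC's FQDN. The snippet below is an added example, not code from the thread; it assumes a DC name such as dc01.contoso.local and an optional PEM file containing the root CA certificate that the DC certificates chain to (the `cafile` argument), which is the client-side equivalent of installing that root as trusted. The constructed certificate dictionaries in the test mirror the shape returned by Python's `SSLSocket.getpeercert()`.

```python
import socket
import ssl

LDAPS_PORT = 636      # LDAP over SSL/TLS
GC_SSL_PORT = 3269    # Global catalog over SSL/TLS


def _hostname_matches(pattern, fqdn):
    """Case-insensitive DNS name match; a leading '*.' covers exactly one label."""
    pattern, fqdn = pattern.lower(), fqdn.lower()
    if pattern.startswith("*."):
        return fqdn.endswith(pattern[1:]) and fqdn.count(".") == pattern.count(".")
    return pattern == fqdn


def cert_covers_dc(cert, dc_fqdn):
    """True if the certificate names the DC in its SAN (or, lacking a SAN, its CN).

    `cert` is a dict in the form returned by SSLSocket.getpeercert(). LDAPS
    clients verify the DC's FQDN against the certificate, so a cert issued to a
    short name or a different host fails even when the CA is trusted.
    """
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(_hostname_matches(name, dc_fqdn) for name in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _hostname_matches(value, dc_fqdn)
    return False


def probe_ldaps(dc_fqdn, port=LDAPS_PORT, cafile=None, timeout=5.0):
    """Open a verified TLS session to the DC's LDAPS port and report what was found.

    cafile: PEM file with the root CA the DC certificates chain to (assumption:
    exported from the CA or from the DC's self-signed cert); None uses the
    system trust store, which is what most end nodes will do in practice.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((dc_fqdn, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=dc_fqdn) as tls:
            cert = tls.getpeercert()
            return {
                "ok": True,
                "tls_version": tls.version(),
                "not_after": cert.get("notAfter"),
                "name_ok": cert_covers_dc(cert, dc_fqdn),
            }
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, expired cert, or name mismatch: the same failures an
        # appliance will hit when its trust store lacks the CA certificate.
        return {"ok": False, "reason": "certificate verification failed: " + exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        # Port closed, no certificate bound to LDAPS yet, or a TLS handshake error.
        return {"ok": False, "reason": str(exc)}


if __name__ == "__main__":
    # Hypothetical DC name and CA file; replace with your own values.
    print(probe_ldaps("dc01.contoso.local", cafile="contoso-root-ca.pem"))
    print(probe_ldaps("dc01.contoso.local", port=GC_SSL_PORT, cafile="contoso-root-ca.pem"))
```

A result of `ok: False` with a verification message points at the trust or naming problem to fix before enforcement; `ok: True` with `name_ok` set is what a correctly issued DC certificate looks like from the client side.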
Hi,
Thank you. As we will be upgrading the domain and retiring the old DC boxes as soon as possible, it makes sense to have it on its own box. Is it OK to have a 2016 server for the CA role that will certify the current 2008 DCs? Assuming yes, once it is up and running I am assuming I will need to request a cert from each DC and install it. Will I need to install both certs on each end node that will be using LDAPS? After that, is everything good to go?

Thanks for all your help
Paul
ASKER CERTIFIED SOLUTION
I highly recommend using the Kerberos Authentication template (rather than any of the earlier templates) as in the link I provided. You can make a copy of that template and modify it if you need to, but I would start there.
Great stuff, thanks for all your help.