Not getting any LDAP 3039 events even though logging is enabled

Cormac Doyle 1 Reputation point
2020-10-01T15:45:09.137+00:00

In Microsoft official information (such as here: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023 and here: https://support.microsoft.com/en-ie/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows) it is advised to enable additional logging to find detail of clients that are sending unsecured LDAP binds to domain controllers. I have enabled this logging on domain controllers and as expected, lots of events with id 2889 are being logged providing detail.

However, there are no events with id 3039 being logged. I would expect these to be logged, as there are events with id 3040 being logged saying that "during the previous 24 hour period, # of unprotected LDAPs binds were performed". Can anyone explain why I am not seeing any events 3039? All domain controllers have recent patches installed.

Any help appreciated.

Microsoft Entra
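A diagnostic example for the situation described in the question, added here and not part of the original thread: it counts events 2889, 3039 and 3040 in the Directory Service log over the last 24 hours and reports them beside the LDAP diagnostic logging level and the channel binding setting. It assumes an elevated PowerShell session on the domain controller; the registry value names are the ones used in the support article linked in the question, and the 2889 property positions (client address, then identity) are an assumption about that event's layout.

```powershell
# Added example (not from the thread). Run elevated on a domain controller.
$since = (Get-Date).AddHours(-24)
$ids   = 2889, 3039, 3040

# Read-only look at the two settings the linked support article ties to
# these events. A missing value comes back as $null (not configured).
$ntds     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'
$logLevel = (Get-ItemProperty "$ntds\Diagnostics").'16 LDAP Interface Events'
$cbt      = (Get-ItemProperty "$ntds\Parameters").LdapEnforceChannelBinding

# Get-WinEvent reports an error when nothing matches, so silence that case.
$events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = $ids; StartTime = $since
    } -ErrorAction SilentlyContinue)

# Count each event id separately so a missing id shows up as 0.
$count = @{}
foreach ($id in $ids) { $count[$id] = @($events | Where-Object Id -eq $id).Count }

[pscustomobject]@{
    Server                    = $env:COMPUTERNAME
    LdapInterfaceEventsLevel  = $logLevel
    LdapEnforceChannelBinding = $cbt
    Events2889                = $count[2889]
    Events3039                = $count[3039]
    Events3040                = $count[3040]
    # The case from the question: a 3040 summary with no 3039 detail.
    SummaryWithoutDetail      = ($count[3040] -gt 0 -and $count[3039] -eq 0)
} | Format-List

# Event 2889: assumed layout is client address (IP:port), then identity.
$events | Where-Object Id -eq 2889 | ForEach-Object {
    [pscustomobject]@{
        Client   = $_.Properties[0].Value -replace ':\d+$', ''
        Identity = $_.Properties[1].Value
    }
} | Group-Object Client, Identity | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

The support article linked in the question lists event 3040 as a daily summary written while channel binding is set to Never, and event 3039 as written only when channel binding is set to When Supported or Always with LDAP Interface Events at level 2, so compare the two reported settings with the counts.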

4 answers

  1. Cormac Doyle 1 Reputation point
    2020-10-02T15:11:29.193+00:00

    Hi, thanks for the response.

    There are no 3039 events with any event source in the Directory Service log.

    Yet there are summary events with event id 3040 saying that "During the previous 24 hours period, 1 unprotected LDAPS binds were performed."
    So why is there no 3039 event showing me the detail of that LDAPS bind?

    As mentioned above, all domain controllers have recent patches installed which is a prerequisite for getting the 3039 events.


  2. Simon Berg 1 Reputation point
    2020-10-29T14:34:24.217+00:00

    Hi guys

    I'm seeing the same behavior.

    I'm investigating further...


  3. Cormac Doyle 1 Reputation point
    2020-12-10T14:27:11.003+00:00

    Hi @Simon Berg

    I have just seen your reply now. Did you find out anything else?
    I am taking it that if there are no 3039 events then there isn't an issue. However, the appearance of 3040 events is a bit worrying.


  4. Simon Berg 1 Reputation point
    2020-12-11T08:00:04.337+00:00

    Hi @Cormac Doyle

    No, unfortunately I did not find an answer.
    Maybe we should post this question to the Active Directory Team Blog:

    https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/bg-p/AskDS
