Not getting any LDAP 3039 events even though logging is enabled

Cormac Doyle 1 Reputation point

In Microsoft official information (such as here: and here: it is advised to enable additional logging to find detail of clients that are sending unsecured LDAP binds to domain controllers. I have enabled this logging on domain controllers and as expected, lots of events with id 2889 are being logged providing detail.

However there are no events with id 3039 being logged. I would expect these to be logged as there are event id 3040 being logged saying that "during the previous 24 hour period, # of unprotected LDAPs binds were performed". Can anyone explain why I am not seeing any events 3039? All domain controllers have recent patches installed.

Any help appreciated.

Microsoft Entra
{count} votes

4 answers

Sort by: Most helpful
  1. Cormac Doyle 1 Reputation point

    Hi, thanks for the response.

    There are no 3039 events with any event source in the Directory Service log.

    Yet there are summary events with event id 3040 saying that "During the previous 24 hours period, 1 unprotected LDAPS binds were performed. "
    So why is there no 3039 event showing me the detail of that LDAPS bind?

    As mentioned above, all domain controllers have recent patches installed which is a prerequisite for getting the 3039 events.

    0 comments No comments

  2. Simon Berg 1 Reputation point

    Hi guys

    I'm seeing the same behavior.

    I'm investigating further...

    0 comments No comments

  3. Cormac Doyle 1 Reputation point

    Hi @Simon Berg

    I have just seen your reply now. Did you find out anything else?
    I am taking it that if there are no 3039 events then there isn't an issue. However the appearance of 3040 events is a bit worrying.

    0 comments No comments

  4. Simon Berg 1 Reputation point

    Hi @Cormac Doyle

    No unfortunately i did not find an answer.
    Maybe we should post this question to the Active Directory Team Blog

    0 comments No comments