Hello Phil,
Thank you for reaching out with your question today.
To enable LDAPS (LDAP over SSL) on a new domain controller, you will need to obtain and configure an SSL certificate for LDAPS communication. In an Active Directory environment, LDAPS requires a valid SSL certificate to secure the communication between the client and the domain controller.
Here are the steps to enable LDAPS and obtain an SSL certificate:
- Install Active Directory Certificate Services (AD CS):
If your coworker has already set up an internal CA on another domain controller, it's likely that AD CS is installed and operational. AD CS is used to issue SSL certificates within your domain, which can be used for LDAPS.
- Request an LDAPS Certificate:
To obtain an SSL certificate for LDAPS, you need to request a certificate with the following attributes:
- Subject Name: The FQDN (fully qualified domain name) of the domain controller. For example, dc1.example.com.
- Subject Alternative Name (SAN): Add the FQDNs of all domain controllers that will be listening for LDAPS requests. Include both the new RODC and the old 2008 server being replaced.
- Export and Import the Certificate:
Once the certificate is issued by your internal CA, export it (including the private key) from the CA's certificate store. Import the certificate into the "Personal" certificate store of the new domain controller.
- Assign the Certificate to LDAPS Service:
Open the "Certificates" snap-in on the new domain controller, locate the imported certificate, and then assign it to the LDAPS service. You can do this by using the "certutil" command in PowerShell or Command Prompt. The command looks like this:
certutil -dspublish -f "<path_to_LDAPS_certificate_file>" NTDS\Personal
- Restart Active Directory Domain Services: After assigning the certificate, restart the Active Directory Domain Services (NTDS) service on the domain controller.
- Configure the System to use LDAPS:
On the system that needs to issue LDAPS queries, ensure the following:
- AD Domain: Specify the domain name (e.g., example.com).
- AD Host Name: Enter the FQDN of the new domain controller that now has the LDAPS certificate.
- Username/Password: Provide the credentials of an account with appropriate permissions in the Active Directory.
- Protocol: Choose LDAPS.
- Port: Set it to 636.
With the proper SSL certificate installed on the new domain controller, it should now respond to LDAPS queries from the system, and the communication will be secured.
Note: It's essential to ensure that the root certificate of the internal CA that issued the LDAPS certificate is trusted on the system from which LDAPS queries are being made. Otherwise, the SSL handshake might fail due to an untrusted certificate chain.
I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.
If the reply was helpful, please don’t forget to upvote or accept as answer.
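The following PowerShell script is an added example illustrating the procedure in the answer above; it is not part of the original answer. It requests the certificate from the internal AD CS CA directly on the new domain controller, checks that the issued certificate is usable for LDAPS (private key present, Server Authentication EKU, host name in the SAN), asks the DC to re-read its certificate store, and then, from a client, performs a TLS handshake on port 636 and an LDAPS bind while reporting why validation failed if it did. The host name `dc1.example.com`, the template name `KerberosAuthentication` (a template must already be published on the enterprise CA under that name) and the extra SAN list are assumptions; replace them with your own values.

```powershell
# Added example (not from the original answer): request an LDAPS certificate on a
# new DC from the internal AD CS CA, confirm it is usable, reload it, then verify
# from a client that port 636 presents a trusted certificate. The names, the
# template name and the SAN list below are assumptions for illustration.

param(
    [string]$DcFqdn     = 'dc1.example.com',         # assumed FQDN of the new DC
    [string]$Template   = 'KerberosAuthentication',  # assumed template *name* (not display name)
    [string[]]$ExtraSan = @()                        # optional additional DNS names for the SAN
)

# ---- 1. On the DC: enroll against the enterprise CA ----
function Request-LdapsCertificate {
    param([string]$Fqdn, [string]$TemplateName, [string[]]$San)
    $dns = @($Fqdn) + $San
    # Get-Certificate (PKI module) enrolls using the template's settings; -DnsName
    # populates the SAN extension, which clients match against the host name they dial.
    $result = Get-Certificate -Template $TemplateName `
                              -SubjectName "CN=$Fqdn" `
                              -DnsName $dns `
                              -CertStoreLocation Cert:\LocalMachine\My
    return $result.Certificate
}

# ---- 2. On the DC: is there a certificate the LDAP server can actually use? ----
function Test-LdapsCertificate {
    param([string]$Fqdn)
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -and
        ($_.DnsNameList.Unicode -contains $Fqdn)
    }
}

# ---- 3. On the DC: make LDAP re-read its certificate store ----
function Invoke-LdapsCertificateReload {
    param([string]$Fqdn)
    # Writing renewServerCertificate=1 to rootDSE tells the DC to reload its server certificate.
    $rootDse = [ADSI]"LDAP://$Fqdn/RootDSE"
    $rootDse.Put('renewServerCertificate', 1)
    $rootDse.SetInfo()
}

# ---- 4. From the client: TLS handshake on 636, reporting chain/name problems ----
function Test-LdapsEndpoint {
    param([string]$Fqdn, [int]$Port = 636)
    $script:policyErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:policyErrors = $errors   # record why validation failed, then let the handshake finish
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Fqdn)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server      = $Fqdn
            Subject     = $remote.Subject
            Issuer      = $remote.Issuer
            NotAfter    = $remote.NotAfter
            Thumbprint  = $remote.Thumbprint
            PolicyError = $script:policyErrors   # None = chain trusted and name matches
        }
    } finally {
        $tcp.Close()
    }
}

# ---- 5. From the client: a real LDAPS bind (SSL on connect, not StartTLS) ----
function Test-LdapsBind {
    param([string]$Fqdn, [int]$Port = 636)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Fqdn, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try   { $conn.Bind(); return $true }
    catch { Write-Warning $_.Exception.Message; return $false }
    finally { $conn.Dispose() }
}

# Usage on the DC (elevated):
#   Request-LdapsCertificate -Fqdn $DcFqdn -TemplateName $Template -San $ExtraSan
#   Test-LdapsCertificate -Fqdn $DcFqdn
#   Invoke-LdapsCertificateReload -Fqdn $DcFqdn
# Usage on the querying client:
#   Test-LdapsEndpoint -Fqdn $DcFqdn
#   Test-LdapsBind -Fqdn $DcFqdn
```

When `Test-LdapsEndpoint` reports `RemoteCertificateChainErrors`, the client does not trust the issuing CA, which is the root-trust problem described in the note above and is fixed by importing the internal CA's root certificate into the client's trusted root store; `RemoteCertificateNameMismatch` means the name you connected to is not in the certificate's SAN, so either connect using a name that is listed or reissue the certificate with that name added.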