SSL on domain controllers

YurokLA 51 Reputation points
2020-11-18T23:22:18.963+00:00

Our internal and external domain is the same - domain.com, and for the internal users to be able to reach our website hosted externally, we installed IIS with redirection on all DCs. So when internal users type in http://domain.com they are redirected properly, but when https is used, it bombs. I believe it's because none of our DCs listen on 443, so all those https requests are dropped. My question is what is the best approach to remedy this, apart from renaming the domain?


Accepted answer
  1. Vicky Wang 2,731 Reputation points
    2020-11-20T08:33:45.507+00:00

    You are looking to get your DCs to support BIND via LDAPS. To do this, you will need to add a certificate to your domain controllers' Personal Certificate Store that meets the following requirements. This certificate could either be from a locally housed Certificate Authority or a Third-Party Authority.

    - The LDAPS certificate is located in the Local Computer's Personal certificate store (programmatically known as the computer's MY certificate store).
    - A private key that matches the certificate is present in the Local Computer's store and is correctly associated with the certificate.
    - The private key must not have strong private key protection enabled.
    - The Enhanced Key Usage extension includes the Server Authentication (1.3.6.1.5.5.7.3.1) object identifier (also known as OID).
    - The Active Directory fully qualified domain name of the domain controller (for example, DC01.DOMAIN.COM) must appear in one of the following places:
      - the Common Name (CN) in the Subject field;
      - a DNS entry in the Subject Alternative Name extension.
    - The certificate was issued by a CA that the domain controller and the LDAPS clients trust. Trust is established by configuring the clients and the server to trust the root CA to which the issuing CA chains.
    - You must use the Schannel cryptographic service provider (CSP) to generate the key.

    The above was taken from KB321051: How to enable LDAP over SSL with a third-party certification authority.

    Additional information on how to setup a local CA for using LDAPS can be found at the following article: LDAP over SSL (LDAPS) Certificate

    Once your DCs have the proper certificate installed, LDAPS communication should automatically be enabled. You can verify this with ldp.exe as you were attempting to do.

    1 person found this answer helpful.
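One way to audit a domain controller's Personal store against the requirements listed in this answer, as an added PowerShell example that is not part of the thread or of the KB article. It assumes it is run in an elevated session on the DC itself; the function name `Test-LdapsCertificate` is the example's own.

```powershell
# Added example (not from the thread): checks each certificate in the local
# computer's Personal (MY) store against the LDAPS requirements quoted above.
# Assumed: run elevated on the domain controller whose FQDN is being checked.

$dcFqdn        = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Test-LdapsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    # A private key must be present and associated with the certificate
    if (-not $Cert.HasPrivateKey) { $problems += 'no associated private key' }

    # The EKU extension must include Server Authentication
    $ekus = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }
    if ($ekus -notcontains $serverAuthOid) { $problems += 'EKU lacks Server Authentication' }

    # The DC FQDN must be the Subject CN or a DNS entry in the SAN
    $cn = ($Cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
    $sanDns = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    if ($san) {
        # Format($false) renders the SAN as "DNS Name=a, DNS Name=b, ..."
        $sanDns = ($san.Format($false) -split ',\s*') |
            Where-Object { $_ -like 'DNS Name=*' } | ForEach-Object { ($_ -split '=', 2)[1] }
    }
    if ($cn -ne $dcFqdn -and $sanDns -notcontains $dcFqdn) { $problems += "FQDN $dcFqdn not in CN or SAN" }

    # The chain must build to a root this machine trusts (also fails on expiry)
    if (-not $Cert.Verify()) { $problems += 'chain does not validate to a trusted root' }

    # Strong private key protection must be off. Legacy CSP keys expose the flag;
    # CNG (KSP) keys return no CspKeyContainerInfo here and are reported as n/a.
    $key = $Cert.PrivateKey
    if ($key -and $key.CspKeyContainerInfo.Protected) { $problems += 'strong private key protection enabled' }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        NotAfter   = $Cert.NotAfter
        Provider   = if ($key.CspKeyContainerInfo) { $key.CspKeyContainerInfo.ProviderName } else { 'n/a (CNG key or no key)' }
        LdapsReady = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-LdapsCertificate -Cert $_ } | Format-Table -AutoSize
```

A certificate that reports `LdapsReady = True` is a candidate for Schannel to pick up for LDAPS; the ldp.exe connection test mentioned in the answer remains the end-to-end confirmation.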

5 additional answers

Sort by: Most helpful
  1. Anonymous
    2020-11-18T23:26:08.763+00:00

    This one may help.
    https://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/split-brain-dns-deployment

    --please don't forget to Accept as answer if the reply is helpful--


  2. YurokLA 51 Reputation points
    2020-11-19T00:30:33.353+00:00

    @Anonymous Thank you, good info, but unfortunately not what I'm looking for. We don't need a different answer for internal/external clients, we need our DCs to handle https://domain.com calls. Plus, our public DNS is handled by a separate server.


  3. Anonymous
    2020-11-19T00:43:26.27+00:00

    You can follow along here.
    https://support.microsoft.com/en-us/help/324069/how-to-set-up-an-https-service-in-iis

    --please don't forget to Accept as answer if the reply is helpful--


  4. Anonymous
    2020-11-19T16:57:59.283+00:00

    What is the best practice

    Best practice is to install IIS on its own windows instance, never on a domain controller. The original problem you cited would be better addressed with a split brain setup.

    --please don't forget to Accept as answer if the reply is helpful--

