How to stop ldap services to stop client from communicating to a DC?

Question

Hi,

I am trying to stop the communication between client and a DC. I do no want the replication to stop between DCs. I have stopped KDC and netlogon service but client still reaching to the DC.

Is there a way to stop the LDAP services?

Thanks

Answer 1

Ideal setup would be to put the DC in a diff site. If that's not possible, then you could increase the weight of LDAP service record for that DC and decrease the priority. However this set up is not a recommended one. You can refer https://blogs.msmvps.com/acefekay/2010/01/03/the-dc-locator-process-the-logon-process-controlling-which-dc-responds-in-an-ad-site-and-srv-records/ for more details. There is no out of the box way to control this behavior from the client side.

Answer 2

Hi,

Thanks for post.

According to my knowledge, we could not disable LDAP.

You force your applications to use LDAPS instead of blocking LDAP. Would you destroy the wall if you just want to change a brick at top of it?

Active Directory depends on LDAP and if you try to modify that in a way to clock LDAP, you introduce new problems. So the anser is no.

More information please refer to the following similar issue:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/ff0fc815-69be-4239-8a03-27cfd444d04c/use-ldaps-636-and-disable-ldap-389?forum=winserverDS

Thanks for your support and understanding.

Best Regards,

Vicky

Answer 3

Hi,

Just checking in to see if the information provided was helpful.

Please let us know if you would like further assistance.

Best Regards,
Vicky

Answer 4

Hi,

Welcome to share your current situation if there are any updates.

Please feel free to let us know if you need further assistance.

Best Regards,
Vicky