LDAP over SSL on a RODC only (how to)

Lutz Rahe 61 Reputation points
2020-12-16T04:10:46.797+00:00

Hi

I have a "basic" question.
Customer has 2x RODC in a separated environment, which is direct connected to the On_Prem domain controllers (all 2016)
Firewall ports are configured and open.
The RODC setup was done without any issues.
Now he wants to enable only on these 2 RODCs LDAP over SSL.
I have searched for an document, where the setup is described, but I didn't find anything matching the environment. Except, when I install the CA direct on the DCs itself (then it seems, that LDAP/S is active immediately)
But here the CA is separated somewhere in the On-Premise network.
How do I request / install an certificate to enable LDAP/S? And which certificate template?
Like this article here?
https://www.miniorange.com/guide-to-setup-ldaps-on-windows-server

Would be great, if someone could kick me into the correct direction

Best,
Lutz

Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,367 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,715 questions
{count} votes

Accepted answer
  1. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2020-12-16T08:54:43.613+00:00

    Hello @Lutz Rahe ,

    Thank you for posting here.

    The following two links might be helpful.

    LDAP over SSL (LDAPS) Certificate
    https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

    Step by Step Guide to Setup LDAPS on Windows Server
    https://learn.microsoft.com/en-us/archive/blogs/microsoftrservertigerteam/step-by-step-guide-to-setup-ldaps-on-windows-server

    If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    0 comments No comments

4 additional answers

Sort by: Most helpful
  1. Lutz Rahe 61 Reputation points
    2020-12-16T09:02:01.717+00:00

    Hi Daisy

    Thank you for your answer.
    I hve just checked the links, the 2.nd I already have seen. But not used, cause here the CA was installed on the DC itself.
    This scenario is not matching.

    The 1st one looks interesting. I will go through it. When I have questions, I will let you know (and if its working, Ill mark your answer as working solution

    Best,
    Lutz


  2. Lutz Rahe 61 Reputation points
    2020-12-28T04:31:21.787+00:00

    Hi Daisy

    Just a short question
    To try - I have setup a small environment with a DC, a rootCA and a RODC in a different subnet
    I have made a new certificate template (based on the Kerberos Template) in my CA, and said "publish in Active Directory). After that I said new certificate template to issue......so I can see my new template in the CA console
    But when I'm trying to request this from my RODC, I only can see the "standard" templates (Directory Email, Domain Controller, Domain Controller Authentication, Kerberos Authentication), but not my new template
    I have restarted the DC, the CA, the RODC.....nothing. Waiting now for more than 1h
    ???????

    Best
    Lutz

    btw: When I am requestiong a certificate from my DC, then I can see the new template. From my RODC I cannot

    Now Im totally confsed....both I have logged in with the same account

    0 comments No comments

  3. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2020-12-28T06:26:41.937+00:00

    Hello @Lutz Rahe ,

    Thank you for your update.

    Would you please check the permissions under the Security tab of this certificate you mentioned?
    Check if you have given the Domain Controllers group read and enroll permission.
    51528-ggg1.png

    If so, after I checked, you can give the RODC account Read and Enroll permissions explicitly.

    Because Domain Controllers group has no RODC in it by default.
    51529-ggg.png

    If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    0 comments No comments

  4. Lutz Rahe 61 Reputation points
    2020-12-28T06:46:23.45+00:00

    Its again me

    It is working now
    The problem was the RODC....he doenst want to replicate
    Reverse DNS settings
    no he can...I can see the template, use it, export the cert and bind it to the AD service

    Best,
    Lutz