LDAP over SSL on a RODC only (how to)

Lutz Rahe 61 Reputation points


I have a "basic" question.
The customer has 2x RODC in a separated environment, which is directly connected to the On_Prem domain controllers (all 2016).
Firewall ports are configured and open.
The RODC setup was done without any issues.
Now he wants to enable LDAP over SSL only on these 2 RODCs.
I have searched for a document where the setup is described, but I didn't find anything matching the environment. Except when I install the CA directly on the DCs themselves (then it seems that LDAP/S is active immediately).
But here the CA is separated somewhere in the On-Premise network.
How do I request / install a certificate to enable LDAP/S? And which certificate template?
Like this article here?

Would be great if someone could kick me in the correct direction.



Accepted answer
  1. Daisy Zhou 13,021 Reputation points Microsoft Vendor

    Hello @Lutz Rahe ,

    Thank you for posting here.

    The following two links might be helpful.

    LDAP over SSL (LDAPS) Certificate

    Step by Step Guide to Setup LDAPS on Windows Server

    If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou

4 additional answers

  1. Lutz Rahe 61 Reputation points

    Hi Daisy

    Thank you for your answer.
    I have just checked the links; the 2nd I have already seen, but not used, because there the CA was installed on the DC itself.
    This scenario is not matching.

    The 1st one looks interesting. I will go through it. When I have questions, I will let you know (and if it's working, I'll mark your answer as the working solution).


  2. Lutz Rahe 61 Reputation points

    Hi Daisy

    Just a short question.
    To try it, I have set up a small environment with a DC, a root CA and a RODC in a different subnet.
    I have made a new certificate template (based on the Kerberos template) in my CA, and selected "publish in Active Directory". After that I chose "new certificate template to issue"... so I can see my new template in the CA console.
    But when I'm trying to request this from my RODC, I can only see the "standard" templates (Directory Email, Domain Controller, Domain Controller Authentication, Kerberos Authentication), but not my new template.
    I have restarted the DC, the CA, the RODC... nothing. Waiting now for more than 1h.


    btw: When I am requesting a certificate from my DC, then I can see the new template. From my RODC I cannot.

    Now I'm totally confused... on both I have logged in with the same account.

  3. Daisy Zhou 13,021 Reputation points Microsoft Vendor

    Hello @Lutz Rahe ,

    Thank you for your update.

    Would you please check the permissions under the Security tab of this certificate template you mentioned?
    Check if you have given the Domain Controllers group Read and Enroll permission.

    If so, after I checked, you can give the RODC account Read and Enroll permissions explicitly.

    Because the Domain Controllers group has no RODCs in it by default.

    If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou
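One way to audit those template permissions from PowerShell, as an added example that is not from this thread. It assumes the RSAT ActiveDirectory module is installed, and uses a template CN of `RODC-LDAPS` and an RODC computer named `RODC01` as placeholders.

```powershell
# Added example (not part of the thread): report Read/Enroll rights on a certificate
# template for the Domain Controllers group, the Enterprise RODC group and one RODC account.
param(
    [string]$TemplateName = 'RODC-LDAPS',   # assumption: CN of the custom template
    [string]$RodcName     = 'RODC01'        # assumption: computer name of the RODC
)
Import-Module ActiveDirectory

# Certificate templates are stored in the Configuration partition, not the domain partition
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Well-known GUID of the "Enroll" extended right on certificate templates
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

$acl = Get-Acl -Path "AD:\$templateDN"

# Principals that matter for this scenario (the RODC is NOT in Domain Controllers)
$principals = @(
    Get-ADGroup    'Domain Controllers'
    Get-ADGroup    'Enterprise Read-only Domain Controllers'
    Get-ADComputer $RodcName
)

foreach ($p in $principals) {
    # Only explicit ACEs for this SID are checked; rights inherited via other
    # group memberships (e.g. Authenticated Users) are not resolved here.
    $aces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $p.SID
    }
    $hasRead = $aces | Where-Object {
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -ne 0
    }
    $hasEnroll = $aces | Where-Object {
        $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight -and
        $_.ObjectType -eq $enrollGuid
    }
    [pscustomobject]@{
        Principal = $p.Name
        Read      = [bool]$hasRead
        Enroll    = [bool]$hasEnroll
    }
}
```

A row showing `Enroll = False` for the RODC account (and for Enterprise Read-only Domain Controllers) while Domain Controllers has it explains why the template is visible from the writable DC but not from the RODC.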

  4. Lutz Rahe 61 Reputation points

    It's me again.

    It is working now.
    The problem was the RODC... it didn't want to replicate.
    Reverse DNS settings.
    Now it can... I can see the template, use it, export the cert and bind it to the AD service.