LDAPS protocol.

Doria 1,241 Reputation points

Hi everyone!

After enabling LDAPS in the domain (DCs), should I define any GPO rules to tell the clients computers to only use LDAPS? Or is that automatic? I am asking because we are planning to block LDAP protocol traffic on the firewall between networks segments.

Hope I was clear enough.


Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
11,669 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Fan Fan 15,276 Reputation points Microsoft Vendor


    LDAPS is automatically enabled when you install an Enterprise Root CA on a Domain Controller. If you install the AD-CS role and specify the type of setup as “Enterprise” on a DC, all DCs in the forest will automatically be configured to accept LDAPS.

    If you want to secure the connection, you may consider configuring the server to reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification) or to reject LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. Policies for your reference:

    Policy Setting: "Domain controller: LDAP server channel binding token requirements"
    Policy Setting: "Domain controller: LDAP server signing requirements"


    Best Regards,

    0 comments No comments