event id 3041 on Domain Controllers

abraham flores 241 Reputation points
2022-08-29T18:17:40.733+00:00

Hi I have a couple of Windows Server 2019 Domain Controllers where the 3041 event ID is showing: ![235770-image.png][1] I found this vulnerability, but to me is not totally clear, I will try to explain it (https://support.microsoft.com/en-us/topic/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows-kb4520412-ef185fb8-00f7-167d-744c-f299a66fc00a#bkmk_table2): - The article recommends to install the March, 2020 updates on the Domain Controllers, but I cannot get them, I tried to download them from this web site: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-8563 - What should I do on Windows clients machines? - Registry settings such as LDAPServerIntegrity and LdapEnforceChannelBinding, are they need to be modified? Thank you in advance. [1]: /api/attachments/235770-image.png?platform=QnA

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,538 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,062 questions
0 comments No comments
{count} vote

Accepted answer
  1. Dave Patrick 426.3K Reputation points MVP
    2022-08-29T18:49:42.017+00:00

    The article recommends to install the March, 2020 updates on the Domain Controllers, but I cannot get them

    That one is long ago superseded. If you patch them with the latest cumulative update then it should be covered (included).

    --please don't forget to upvote and Accept as answer if the reply is helpful--


1 additional answer

Sort by: Most helpful
  1. abraham flores 241 Reputation points
    2022-09-07T21:59:30.613+00:00

    Yesterday I installed a 2208 cumulative update (KB5016690) on one DC, after the reboot, there were some warnings in the event viewer: 6038 - LsaSrv, 2886 – ActiveDirectory_DomainService, and 3041 LDAP Interface, today just the event ID 3041 showed.

    I looked it up on internet, and for the event ID 2886, there is a policy setting that people recommend: “Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options.

    Right-click on Domain Controller: LDAP Server Signing Requirements and select properties.

    Check off Define this Policy Setting.

    Select Require Signing in the drop-down box"

    I am not totally sure if this going to help because this were mainly applied on Windows Server 2008 operating system, there is nothing about Windows Server 2019. I am also not sure why the event ID 3041 is still showing. Is there any other recommendation?

    Regards,
    Abraham.