How to Configure LDAPS Protocol in Active Directory 2026

First, we need to install AD CS to create our internal certificate authority. This will allow us to issue SSL certificates for LDAPS.

Open Server Manager and click Add Roles and Features. Select Role-based or feature-based installation and choose your server from the pool.

On the Server Roles page, check Active Directory Certificate Services:

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

After installation, you'll see a notification flag in Server Manager. Click it and select Configure Active Directory Certificate Services on the destination server.

In the configuration wizard:

• Use current domain administrator credentials
• Check Certificate Authority on the Role Services page
• Select Enterprise CA (not Standalone)
• Choose Root CA if this is your first CA
• Create a new private key with default settings

Now we'll create a certificate template specifically for LDAPS. This ensures our certificates have the correct properties for domain controller authentication.

Open the Certificate Authority console (certsrv.msc) and expand your CA. Right-click Certificate Templates and select Manage.

In the Certificate Templates Console:

1. Right-click the Computer template and select Duplicate Template
2. On the General tab, set Template display name to LDAPS Template
3. Set validity period to 2 years (or your organization's policy)
4. On the Request Handling tab, check Allow private key to be exported
5. On the Subject Name tab, select Supply in the request
6. On the Security tab, add Domain Controllers group with Read and Enroll permissions

Click OK to create the template.

Back in the CA console, right-click Certificate Templates, select New > Certificate Template to Issue, and choose your LDAPS Template.

On each domain controller, we need to request and install an LDAPS certificate. The certificate must include the DC's FQDN in the subject or SAN field.

On the domain controller, open the Microsoft Management Console:

mmc.exe

Add the Certificates snap-in:

1. File > Add/Remove Snap-in
2. Select Certificates and click Add
3. Choose Computer account and Local computer
4. Click Finish and OK

Navigate to Certificates (Local Computer) > Personal > Certificates. Right-click Certificates and select All Tasks > Request New Certificate.

In the Certificate Enrollment wizard:

1. Click Next twice to reach the certificate selection page
2. Check the box for LDAPS Template
3. Click More information is required link
4. In Subject tab, set Type to Common name and Value to your DC's FQDN (e.g., dc01.contoso.com)
5. In Alternative name tab, set Type to DNS and Value to the same FQDN
6. Click OK and then Enroll

After installing the certificate, Active Directory needs to reload its SSL configuration to start using the new certificate for LDAPS connections.

The cleanest method is to restart the domain controller, but you can also reload the certificate without downtime using PowerShell:

# Stop and start the Active Directory Domain Services
Stop-Service NTDS -Force
Start-Service NTDS

Alternatively, you can restart just the relevant services:

# Restart services that handle LDAP/LDAPS
Restart-Service NTDS -Force
Restart-Service DNS -Force

For a production environment, the safest approach is a scheduled reboot:

shutdown /r /t 300 /c "Reboot for LDAPS certificate activation"

After the restart, check the System event log for any certificate-related errors:

Get-EventLog -LogName System -Source "NTDS General" -Newest 10

Now we'll verify that LDAPS is working correctly using the built-in LDAP administration tool. This is the most reliable way to test LDAPS connectivity.

Open the LDAP administration tool:

ldp.exe

In Ldp.exe:

1. Click Connection > Connect
2. Enter your domain controller's FQDN (e.g., dc01.contoso.com)
3. Set Port to 636
4. Check SSL checkbox
5. Click OK

If successful, you'll see RootDSE information displayed in the right pane, similar to:

ld = ldap_sslinit("dc01.contoso.com", 636, 1);
ldap_set_option(ld,LDAP_OPT_PROTOCOL_VERSION,3);
Connected to dc01.contoso.com.
The connection is established.

Next, authenticate the connection:

1. Click Connection > Bind
2. Leave Domain, User, and Password blank for anonymous bind, or enter credentials
3. Click OK

You can also test from command line using PowerShell:

# Test LDAPS connectivity
$ldapConnection = New-Object System.DirectoryServices.DirectoryEntry("LDAPS://dc01.contoso.com:636")
try {
    $ldapConnection.RefreshCache()
    Write-Host "LDAPS connection successful" -ForegroundColor Green
} catch {
    Write-Host "LDAPS connection failed: $($_.Exception.Message)" -ForegroundColor Red
}

For comprehensive testing, especially in mixed environments, use OpenSSL to validate the certificate chain and encryption strength.

From a Linux machine or Windows with OpenSSL installed:

# Test LDAPS connection and view certificate details
openssl s_client -connect dc01.contoso.com:636 -showcerts

This command will show:

• Certificate chain validation
• Cipher suite being used
• Certificate expiration dates
• Any certificate warnings or errors

For automated testing, create a simple script:

#!/bin/bash
DC_FQDN="dc01.contoso.com"
echo "Testing LDAPS on $DC_FQDN..."

# Test connection
echo "" | openssl s_client -connect $DC_FQDN:636 2>/dev/null
if [ $? -eq 0 ]; then
    echo "LDAPS connection successful"
else
    echo "LDAPS connection failed"
fi

# Check certificate expiration
echo "" | openssl s_client -connect $DC_FQDN:636 2>/dev/null | openssl x509 -noout -dates

You can also test from Windows PowerShell using .NET classes:

# Advanced LDAPS testing with certificate validation
$ldapServer = "dc01.contoso.com"
$ldapPort = 636

try {
    $tcpClient = New-Object System.Net.Sockets.TcpClient($ldapServer, $ldapPort)
    $sslStream = New-Object System.Net.Security.SslStream($tcpClient.GetStream())
    $sslStream.AuthenticateAsClient($ldapServer)
    
    Write-Host "LDAPS connection established" -ForegroundColor Green
    Write-Host "SSL Protocol: $($sslStream.SslProtocol)" -ForegroundColor Yellow
    Write-Host "Cipher Algorithm: $($sslStream.CipherAlgorithm)" -ForegroundColor Yellow
    Write-Host "Is Encrypted: $($sslStream.IsEncrypted)" -ForegroundColor Yellow
    
    $sslStream.Close()
    $tcpClient.Close()
} catch {
    Write-Host "LDAPS test failed: $($_.Exception.Message)" -ForegroundColor Red
}

In a multi-DC environment, each domain controller needs its own LDAPS certificate. Here's how to efficiently deploy certificates across all DCs.

First, create a PowerShell script to automate certificate requests on all DCs:

# Get all domain controllers
$DomainControllers = Get-ADDomainController -Filter *

foreach ($DC in $DomainControllers) {
    $DCName = $DC.HostName
    Write-Host "Processing DC: $DCName" -ForegroundColor Green
    
    # Create remote session
    $Session = New-PSSession -ComputerName $DCName
    
    # Request certificate on remote DC
    Invoke-Command -Session $Session -ScriptBlock {
        # Request certificate using certreq
        $RequestFile = "C:\temp\ldaps_request.inf"
        $CertFile = "C:\temp\ldaps_cert.cer"
        
        # Create certificate request file
        @"
[NewRequest]
Subject = "CN=$env:COMPUTERNAME.$env:USERDNSDOMAIN"
KeyLength = 2048
KeyAlgorithm = RSA
MachineKeySet = TRUE
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
"@ | Out-File -FilePath $RequestFile -Encoding ASCII
        
        # Submit request
        certreq -submit -config "CA01\Contoso-CA" $RequestFile $CertFile
        
        # Install certificate
        if (Test-Path $CertFile) {
            certreq -accept $CertFile
            Write-Host "Certificate installed on $env:COMPUTERNAME"
        }
    }
    
    Remove-PSSession $Session
}

For load-balanced environments, ensure certificates include all necessary DNS names:

# Certificate request with multiple DNS names
$RequestTemplate = @"
[NewRequest]
Subject = "CN=ldap.contoso.com"
KeyLength = 2048
KeyAlgorithm = RSA
MachineKeySet = TRUE
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=ldap.contoso.com&"
_continue_ = "dns=dc01.contoso.com&"
_continue_ = "dns=dc02.contoso.com&"
"@

After deploying certificates, restart the NTDS service on all DCs:

# Restart NTDS on all domain controllers
$DomainControllers = Get-ADDomainController -Filter *
foreach ($DC in $DomainControllers) {
    Write-Host "Restarting NTDS on $($DC.HostName)" -ForegroundColor Yellow
    Invoke-Command -ComputerName $DC.HostName -ScriptBlock {
        Restart-Service NTDS -Force
    }
}

# Test LDAPS on all DCs
foreach ($DC in $DomainControllers) {
    try {
        $ldap = New-Object System.DirectoryServices.DirectoryEntry("LDAPS://$($DC.HostName):636")
        $ldap.RefreshCache()
        Write-Host "✓ LDAPS working on $($DC.HostName)" -ForegroundColor Green
    } catch {
        Write-Host "✗ LDAPS failed on $($DC.HostName): $($_.Exception.Message)" -ForegroundColor Red
    }
}

Even with proper configuration, LDAPS can have issues. Here are the most common problems and their solutions.

Certificate Validation Errors

If clients get certificate validation errors, check the certificate properties:

# Check certificate details
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*$env:COMPUTERNAME*"} | Format-List Subject, Issuer, NotAfter, Extensions

Common certificate issues:

• Subject name mismatch: Certificate CN must match the FQDN used to connect
• Expired certificate: Check NotAfter date
• Untrusted CA: Install your internal CA certificate on client machines

LDAP Signing Requirements

Windows may require LDAP signing, causing "Strong Authentication Required" errors. Check the current setting:

# Check LDAP signing requirements
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -Name "LDAPServerIntegrity"

Values: 0 = None, 1 = Negotiate signing, 2 = Require signing

To modify LDAP signing requirements:

# Set LDAP signing to negotiate (recommended)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -Name "LDAPServerIntegrity" -Value 1
Restart-Service NTDS -Force

Port and Firewall Issues

Verify LDAPS is listening on port 636:

netstat -an | findstr :636

Check Windows Firewall rules:

# Check if LDAPS port is allowed
Get-NetFirewallRule -DisplayName "*LDAP*" | Get-NetFirewallPortFilter

Create firewall rule if needed:

# Allow LDAPS through firewall
New-NetFirewallRule -DisplayName "LDAPS-In" -Direction Inbound -Protocol TCP -LocalPort 636 -Action Allow

Event Log Analysis

Check for LDAPS-related errors in event logs:

# Check for certificate and LDAPS errors
Get-WinEvent -FilterHashtable @{LogName='System'; ID=1220,1221,1222} -MaxEvents 10
Get-WinEvent -FilterHashtable @{LogName='Directory Service'; ID=1220,1221} -MaxEvents 10

# Comprehensive LDAPS health check
function Test-LDAPS {
    param([string]$DomainController)
    
    Write-Host "Testing LDAPS on $DomainController" -ForegroundColor Cyan
    
    # Test port connectivity
    $portTest = Test-NetConnection -ComputerName $DomainController -Port 636 -WarningAction SilentlyContinue
    if ($portTest.TcpTestSucceeded) {
        Write-Host "✓ Port 636 is accessible" -ForegroundColor Green
    } else {
        Write-Host "✗ Port 636 is not accessible" -ForegroundColor Red
        return
    }
    
    # Test LDAPS connection
    try {
        $ldap = New-Object System.DirectoryServices.DirectoryEntry("LDAPS://$DomainController:636")
        $ldap.RefreshCache()
        Write-Host "✓ LDAPS connection successful" -ForegroundColor Green
    } catch {
        Write-Host "✗ LDAPS connection failed: $($_.Exception.Message)" -ForegroundColor Red
    }
}

# Test all domain controllers
Get-ADDomainController -Filter * | ForEach-Object { Test-LDAPS -DomainController $_.HostName }