- MS AD 2008
- Server 2008 CA server (Not a DC)
- This way won’t force a connection so it will allow both SSL & non-SSL connections. (Which is what I wanted)
- Make sure to edit the template before pushing out to the domain controllers to edit how long the certificate is valid for.
- Fails on RO DCs.
- Log onto the CA server and open up the server manager. Under Roles > Active Directory Certificate Services > Certificate Templates, you should see a template named “Domain Controller Authentication”
- Then expand the CA server > Certificate Templates, you should see that same template listed. If it is then its enabled, if not then you would have to enable the Domain Controller Authentication Certificate template.
- Under the CA server right-click on Certificate Templates > New > Certificate Template to Issue, select “Domain Controller Authentication” and click OK.
- Thats it for the CA server!
Domain Controllers (Must do the following steps on every DC in your environment, Root is exceptional)
- Log onto a domain controller and create an MMC with the “Certificates” on the “Computer account” snap-in.
- Go to Certificates (Local Computer) > Personal > right-click Certficates > All Tasks > Request New Certificate…
- Next screen, select “Active Directory Enrollment Policy”, then “Next”.
- On the new prompt, click Next. Select “Domain Controller” and “Domain Controller Authentication”, click “Enroll”
- Once the status shows “Succeeded”, your set to test!!
- Open “LDP” as an administrator
- Connect to the Domain Controller you were just working on. Connect to port “636” and only leave “SSL” checked.
- If you get the error “Cannot Open Connection”, SSL has not been configured to work with LDAP and you need to go back to the drawing board.
- Once connected, go to File > Bind, bind with a domain admin account. Leave the rest of the settings on default and click OK.
- If the output shows your domain and user account, congrats LDAP now has the option to work with SSL! (Do this whole test with every DC you set up)