September 2003
Intermediate to advanced
624 pages
15h 49m
English
Content preview from Active Directory CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
14.1. Enabling SSL/TLS
Problem
You want to enable SSL/TLS access to your domain controllers so clients can encrypt LDAP traffic to the servers.
Solution
Using a graphical user interface
Open the Control Panel on a domain controller.
Open the Add or Remove Programs applet.
Click on Add/Remove Windows Components.
Check the box beside Certificate Services and click Yes to verify.
Click Next.
Select the type of authority you want the domain controller to be (select Enterprise root CA if you are unsure) and click Next.
Type the common name for the CA, select a validity period, and click Next.
Enter the location for certificate database and logs and click Next.
After the installation completes, click Finish.
Now open the Domain Controller Security Policy GPO.
Navigate to Computer Configuration → Windows Settings → Security Settings → Public Key Policies.
Right-click on Automatic Certificate Request Settings and select New → Automatic Certificate Request.
Click Next.
Under Certificate Templates, click on Domain Controller and click Next.
Click Finish.
Right-click on Automatic Certificate Request Settings select New → Automatic Certificate Request.
Click Next.
Under Certificate Templates, click on Computer and click Next.
Click Finish.
Discussion
After domain controllers obtain certificates, they open up ports 636 and 3289. Port 636 is for LDAP over SSL/TLS and port 3289 is used for the global catalog over SSL/TLS. See Recipe 14.2 for more information on how to query a domain controller using SSL/TLS.