How To Enable LDAPS on an AD Domain Controller
- 10 Feb 2025
Before you begin
- Read this document in its entirety
- Follow your internal change control policies and procedures
- Consider any potential issues that may arise
- Establish a back-out plan
Configure Certificate Authority on the Domain Controller
Note
This step is only required if the Domain Controller does not already have a Certificate Authority configured.
To validate: On the Domain Controller, click Start > Server Manager. If AD CS is already installed, it appears in the left-hand navigator.
Add the Active Directory Certificate Services Role
- Open Server Manager (Start > Server Manager) and Click Add Roles and Features.
- After the Add Roles and Features wizard opens, click Next.
- Click Role-based or feature-based installation, click Next
- Choose Select a Server from the server pool, click Next
- Check the box next to Active Directory Certificate Services and a confirmation window will appear. Click Add Feature. Then Click Next.
- Do not select any features on the Features list. Click Next.
- Now you will walk through the Active Directory Certificate Services Install.
Configure the Certificate Authority
On the Active Directory Certificate Service page, please read the things to note:
Things to Note
The name and domain settings of this computer cannot be changed after a certificate authority (CA) has been installed. If you want to change the computer name, join a domain, or promote this server to a domain controller, complete these changes before installing the CA. For more information, see certificate authority naming.
- After clicking next, select Certificate Authority, then click Next.
- On the Confirm installation selections screen, first read the information provided and validate that the installations are approved for your organization; also consider whether an outage window is required for the restart. Then check the box Restart the Destination Server Automatically if Required and click Install.
- After the installation completes, click on Configure Active Directory Certificate Services on the destination server.
- On the Credentials step, you can choose to use the credentials of the current logged in user, or change them. Click Next.
- Check Certificate Authority on the Role Services page. Click Next.
- Choose Enterprise CA. Before clicking Next, consider the implications of creating an Enterprise Certificate Authority and work with your team to validate that this is an appropriate option for your organization. Then click Next.
- If this is the first Certificate Authority in your Active Directory Domain then select Root CA, otherwise, work with your team to determine if Root or Subordinate CA makes sense for your organization. Our environment will be using Root CA. If setting this domain controller up as a Subordinate CA, then stop here, work with your Server team, then skip to create the certificate template.
- Select Create a New Private Key. Click Next.
- On the Cryptography settings you need to select the hash algorithm that complies with your security policies. For this demonstration, we will use SHA256.
- Specify the Common Name, Distinguished Name Suffix, and Distinguished Name of the Certificate Authority in accordance with your company naming conventions.
- Keep the validity period set to 5 years. Click Next.
- Keep the database locations as their default locations. Click Next.
- Validate the values, then click Configure.
- After it completes, click Close. Then close the Add Roles and Features Wizard.
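The role installation and CA configuration above can also be driven from PowerShell on the Domain Controller. The following is an added example, not part of the original article; it uses the ADCSDeployment and ServerManager cmdlets to perform the same choices the wizard steps make (Enterprise Root CA, new private key, SHA256, 5-year validity, default database locations). The CA common name, distinguished name suffix and 2048-bit key length are placeholder values to be replaced per your naming convention and security policy.

```powershell
# Added example (not from the original article): PowerShell equivalent of the
# "Add the Active Directory Certificate Services Role" and "Configure the
# Certificate Authority" wizard steps. Run elevated as an Enterprise Admin on the DC.
# The CA name and the computer name cannot be changed after this completes.

# Same check as looking for AD CS in Server Manager: stop if the role is already installed.
$role = Get-WindowsFeature -Name ADCS-Cert-Authority
if ($role.Installed) {
    Write-Warning "AD CS Certification Authority is already installed on this server; stopping."
    return
}

# Step 1: add only the Certification Authority role service (no extra features),
# matching the wizard walkthrough.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Step 2: configure the CA with the same options chosen in the wizard.
# Values marked "placeholder" must follow your organization's naming convention.
$caParams = @{
    CAType                    = 'EnterpriseRootCA'                                 # Enterprise CA + Root CA
    CACommonName              = 'CORP-ROOT-CA'                                     # placeholder
    CADistinguishedNameSuffix = 'DC=corp,DC=example,DC=com'                        # placeholder
    CryptoProviderName        = 'RSA#Microsoft Software Key Storage Provider'      # Create a New Private Key
    KeyLength                 = 2048                                               # assumed; wizard default
    HashAlgorithmName         = 'SHA256'                                           # as in the article
    ValidityPeriod            = 'Years'
    ValidityPeriodUnits       = 5                                                  # 5-year validity
    # DatabaseDirectory / LogDirectory omitted on purpose: keep the default locations.
}

# Without -Force the cmdlet asks for confirmation before making the irreversible change,
# which is the point at which you validate the values, as the wizard's last page does.
Install-AdcsCertificationAuthority @caParams
```

Run the script once; if the confirmation prompt shows a CA name or suffix you did not intend, answer No, since the name cannot be corrected after installation.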
Create the Certificate Template
- Press Windows Key + R to open Run, then type certtmpl.msc and press Enter.
- Locate Kerberos Authentication, right click and click Duplicate Template
- Click General at the top and change the Template Display Name to LDAPS Template, then check Publish Certificate in Active Directory
- Click Request Handling and check the box next to Allow Private Key to be Exported.
- Click Subject Name and ensure DNS Name is the only item checked under Build from this Active Directory Information. Then click Apply and OK.
Issue the Certificate Template
- Click Start then type Certification Authority
- Expand the Server --> Right click on Certificate Templates-->Click New -->Click Certificate Template to Issue
- Scroll through the certificate templates until you reach LDAPS Template. Click it, then click OK.
Request and Export Certificate
- Type windows key + r --> mmc --> file --> add / remove snap-in --> select certificates --> Click Add
- Select Computer Account --> Next
- Ensure Local Computer is selected --> Finish
- After the wizard closes and you see Add or Remove Snap-ins --> Click OK
- Expand Certificates --> Expand Personal --> Right click on Certificates --> Click All Tasks --> Click Request New Certificate
- Click Next
- Ensure Active Directory Enrollment Policy is Highlighted --> Click Next
- Scroll until you find the LDAPS Template --> Check the box --> Click Enroll
- If the Certificate installs successfully, click Finish
Now you are ready to begin connecting to Active Directory over LDAPS.
If you have any problems, contact your customer success team. You can also get in touch with our general support via email or by opening a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.
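Before pointing applications at the Domain Controller, it is worth confirming that the certificate was actually issued, that the DC presents it on TCP 636, and that a bind over LDAPS succeeds. The script below is an added example and not part of the original article. It performs the enrollment from the "Request and Export Certificate" section with the Get-Certificate cmdlet instead of the MMC wizard, then checks the result. It assumes the template's internal name is LDAPSTemplate (certtmpl.msc derives it from the display name LDAPS Template; confirm it on the template's General tab), that the script runs on the Domain Controller itself, and that the host is domain-joined so the Enterprise CA is already trusted.

```powershell
# Added example (not from the original article): enroll the LDAPS certificate from
# PowerShell and verify that the Domain Controller now serves LDAPS correctly.
# Assumptions: template name "LDAPSTemplate"; runs on the DC; run elevated.
param(
    # FQDN of the DC being checked; defaults to this machine's own FQDN.
    [string]$DomainController = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

# 1. Enrollment: equivalent of Personal > Certificates > Request New Certificate.
$enroll = Get-Certificate -Template 'LDAPSTemplate' -CertStoreLocation 'Cert:\LocalMachine\My'
if ($enroll.Status -ne 'Issued') { throw "Enrollment did not complete: status $($enroll.Status)" }
Write-Host "Enrolled certificate thumbprint: $($enroll.Certificate.Thumbprint)"

# The DC's LDAP service picks up a suitable certificate from the machine store on its own;
# a short pause avoids a false negative immediately after enrollment.
Start-Sleep -Seconds 5

# 2. Is anything listening on the LDAPS port at all?
if (-not (Test-NetConnection -ComputerName $DomainController -Port 636).TcpTestSucceeded) {
    throw "TCP 636 is not reachable on $DomainController"
}

# 3. TLS handshake: capture the certificate the DC really presents and compare it with
#    the one just enrolled. AuthenticateAsClient throws if the issuing CA is not trusted
#    by this host, which is exactly the failure an LDAPS client would see.
$tcp = New-Object System.Net.Sockets.TcpClient($DomainController, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($DomainController)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
Write-Host "Served: $($served.Subject) issued by $($served.Issuer), valid until $($served.NotAfter)"
if ($served.Thumbprint -ne $enroll.Certificate.Thumbprint) {
    Write-Warning "The DC is presenting a different certificate ($($served.Thumbprint)) than the one enrolled."
}
if ($served.DnsNameList.Unicode -notcontains $DomainController) {
    Write-Warning "Certificate SAN does not include $DomainController; clients will fail hostname validation."
}

# 4. A real LDAPS bind with the current user's credentials (Negotiate), LDAPv3.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ldap = New-Object System.DirectoryServices.Protocols.LdapConnection("${DomainController}:636")
$ldap.SessionOptions.SecureSocketLayer = $true
$ldap.SessionOptions.ProtocolVersion   = 3
$ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
try {
    $ldap.Bind()
    Write-Host "LDAPS bind to $DomainController succeeded."
} finally {
    $ldap.Dispose()
}
```

The two warnings are the cases that most often surface later as application errors: the DC serving an older or self-signed certificate instead of the newly enrolled one, and a certificate whose Subject Alternative Name does not match the FQDN the clients use.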