
I am about to install the role Active Directory Certification Authority on a Windows Server 2012 R2 that is already our Active Directory server.

The reason is that I want to enable LDAPS following https://docs.moodle.org/310/en/Active_Directory#MS_Active_Directory_.2B_SSL

So I wonder what can go wrong?

  • Will the Active Directory stop accepting unencrypted connections?
  • Will established certificates stop working?
  • Will other servers (e.g. domain controllers) that work fine without encryption try LDAPS and fail because they don't trust the certificate?
  • Will I no longer be able to log in and fix it, because the VPN relies on LDAP?

1 Answer


Installing a full-fledged certificate authority in order to sign a single certificate for your domain controller seems like a lot of effort for not a lot of gain. If all you need is LDAPS on a single domain controller, your time may be better spent just purchasing a 3rd party certificate (there are CAs that offer free certificates as well), assuming your domain name is one that you actually own and not something like corp.local. Here are a couple of docs that can help:

If you can't use a public CA for whatever reason, I'd still probably opt for something like New-SelfSignedCertificate rather than installing ADCS for a single cert.

To answer your questions.

  • No, AD will not stop accepting unencrypted connections after adding a certificate. The TLS encrypted services run on different ports.
  • I'm not sure what you mean exactly by "established certificates". But generally no, installing ADCS doesn't mess with existing cert stores other than to add the new root CA certificate as trusted.
  • Other servers will fail to connect if they have been configured to use TLS and have not been configured to trust the CA root certificate (unless they've also been configured to disable certificate validation which is generally a bad idea). (This is another benefit of a public certificate which is that it will already be trusted by clients)
  • Your VPN is unlikely to start using LDAPS for authentication unless you configure it to do so. But once you do, yes, VPN authentication will be dependent on properly functioning TLS.
Ryan Bolger
  • Yes, it is corp.local, how did you guess? I am completely fine with a self signed certificate, as there is only one client to use it. I just need a way to make ldap listen on port 636 and present a certificate. – Leonard Michlmayr Feb 02 '21 at 18:14
  • It's unfortunately pretty common. But for future reference, https://serverfault.com/questions/76715/windows-active-directory-naming-best-practices – Ryan Bolger Feb 02 '21 at 18:29
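The self-signed route the answer suggests, worked through end to end as an added example (this is not code from the question, the answer, or the Moodle docs). It assumes a hypothetical DC FQDN of dc01.corp.local and an elevated PowerShell session on that DC; only the New-SelfSignedCertificate parameters that exist on Server 2012 R2 (-DnsName, -CertStoreLocation) are used, so the certificate gets the module's defaults (2048-bit RSA, one year validity, Server Authentication EKU). It also checks the two points from the answer that matter in practice: port 389 keeps answering after the change, and a client that validates certificates fails the LDAPS bind until the self-signed certificate is in its trusted root store.

```powershell
# Added example, not from the original thread. Hypothetical DC name below.
$dcFqdn = 'dc01.corp.local'   # assumption: replace with the DC's real FQDN

# 1. Create the certificate in the machine Personal store. Schannel on a DC picks
#    a certificate with the Server Authentication EKU whose subject/SAN matches
#    the DC's FQDN; -DnsName sets both Subject CN and the SAN.
$cert = New-SelfSignedCertificate -DnsName $dcFqdn -CertStoreLocation 'Cert:\LocalMachine\My'
"Created {0} (thumbprint {1}, expires {2})" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

# 2. Ask AD DS to re-read its certificate store without a reboot by writing the
#    rootDSE operational attribute renewServerCertificate (Microsoft documents this
#    for third-party LDAPS certificates; it applies to a self-signed one as well).
$ldf = Join-Path $env:TEMP 'renew-ldaps-cert.ldf'
@'
dn:
changetype: modify
add: renewServerCertificate
renewServerCertificate: 1
-
'@ | Set-Content -Path $ldf -Encoding ASCII
ldifde.exe -i -f $ldf

# 3. Both listeners should answer: 389 (plain LDAP / STARTTLS) is untouched, 636 is new.
foreach ($port in 389, 636) {
    $ok = (Test-NetConnection -ComputerName $dcFqdn -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    "TCP {0}: {1}" -f $port, $(if ($ok) { 'listening' } else { 'NOT listening' })
}

# 4. See which certificate the DC actually presents on 636. The callback returns
#    $true so a self-signed cert can be inspected; never do this in a real client.
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient($dcFqdn, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
$ssl.AuthenticateAsClient($dcFqdn)
$presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"Presented: {0}, issuer {1}, thumbprint {2}" -f $presented.Subject, $presented.Issuer, $presented.Thumbprint
if ($presented.Thumbprint -ne $cert.Thumbprint) {
    Write-Warning 'The DC chose a different certificate; look for other Server Auth certs in LocalMachine\My or NTDS\Personal.'
}
$ssl.Dispose(); $tcp.Close()

# 5. A real LDAPS bind with normal chain validation (no callback). This fails, on
#    the DC itself too, until the self-signed certificate is imported into the
#    client's Trusted Root store. That is the trust point from the answer.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dcFqdn, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
try     { $conn.Bind(); 'LDAPS bind with certificate validation: OK' }
catch   { 'LDAPS bind failed (untrusted certificate?): ' + $_.Exception.Message }
finally { $conn.Dispose() }

# 6. Export the public certificate (no private key) to hand to the single LDAPS
#    client (the Moodle host), which must trust it for step 5 to succeed there.
Export-Certificate -Cert $cert -FilePath (Join-Path $env:TEMP "$dcFqdn-ldaps.cer") | Out-Null
```

Step 4 is the check worth keeping around: when more than one Server Authentication certificate sits in the machine store, the DC may present a different one than you expect, and the bind errors you then see on the client look identical to a trust problem. The exported .cer from step 6 is what goes into the Moodle host's trusted CA bundle; disabling certificate validation on the client instead removes the protection against a spoofed DC that LDAPS was meant to provide.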