Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
Lightweight Directory Access Protocol (LDAP) communications between client computers and server computers can be encrypted with LDAP over Secure Sockets Layer (SSL) connections. You can configure Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) to support LDAP over SSL.
Event ID 1220 is logged on a domain controller when client computers attempt to make an LDAP-over-SSL connection to the directory while SSL connections are not enabled on the directory. If you want to configure a domain controller or an AD LDS server to support SSL connections, you must provide a certificate for the AD DS or AD LDS directory to use. If you do not want to support LDAP over SSL connections on the directory, identify the client computers that are attempting to make such connections so that you can resolve
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Perform the following procedure on a domain controller or a computer that has Remote Server Administration Tools (RSAT) installed. See Installing Remote Server Administration Tools for AD DS (http://go.microsoft.com/fwlink/?LinkId=144909).
If you want to configure your domain controllers to support SSL connections, you can install and configure the Active Directory Certificate Services (AD CS) role on a domain controller, or you can import a certificate from a trusted certification authority (CA).
If you install the AD CS role and specify the Setup Type as Enterprise on a domain controller, all domain controllers in the forest will be configured automatically to accept LDAP over SSL. The domain controllers obtain their certificates through automatic enrollment, which takes time and depends on each domain controller being able to reach the CA, so confirm LDAP over SSL on each domain controller individually rather than assuming the forest-wide result.
Warning: In most cases, you should not install a CA on a domain controller. Doing so puts the CA's private key on the most sensitive server in the domain and ties the CA's lifecycle to that domain controller. For more information, see PKI Design Brief Overview.
If you prefer to use a certificate from a CA that is not installed on a domain controller, you must import a certificate with an intended purpose of server authentication (Enhanced Key Usage 1.3.6.1.5.5.7.3.1) from a trusted CA into the AD DS personal store. The certificate's subject name or a subject alternative name must match the fully qualified domain name of the domain controller, and its private key must be present in the store.
To import a certificate into the AD DS personal store:
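The individual steps of this procedure are not reproduced on this page. The following PowerShell is an added example, not the page's own procedure: it imports a PFX into the Local Computer Personal store (the store AD DS reads on all listed versions) and then checks whether a certificate that AD DS can actually use for LDAP over SSL is present. The PFX path is an assumed placeholder, the domain controller's FQDN is resolved from DNS, and Import-PfxCertificate assumes the PKI module (Windows Server 2012 or later); on older versions, certutil -importpfx imports into the same store. Run it elevated on the domain controller.

```powershell
# Added example, not from the original page. Imports a PFX that holds a
# server-authentication certificate into the Local Computer\Personal store
# (the store AD DS reads), then checks that a certificate AD DS can use for
# LDAP over SSL is present. Assumptions: $PfxPath is a placeholder; the DC's
# FQDN is taken from DNS; Import-PfxCertificate needs the PKI module
# (Windows Server 2012 or later). Run elevated on the domain controller.

$PfxPath = 'C:\certs\dc01-ldaps.pfx'                       # assumed path
$DcFqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$PfxPass = Read-Host -Prompt 'PFX password' -AsSecureString

# Keep the private key non-exportable (the default): an exported DC key lets
# an attacker impersonate the directory to every LDAPS client.
Import-PfxCertificate -FilePath $PfxPath -Password $PfxPass `
    -CertStoreLocation 'Cert:\LocalMachine\My' | Out-Null

function Get-LdapsCandidateCertificate {
    param([string]$Fqdn, [string]$StorePath = 'Cert:\LocalMachine\My')

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $now = Get-Date
    Get-ChildItem $StorePath | Where-Object {
        $c = $_
        # Must have a private key and be inside its validity period.
        if (-not $c.HasPrivateKey -or $c.NotAfter -lt $now -or $c.NotBefore -gt $now) { return $false }
        # Must carry the Server Authentication EKU (extension OID 2.5.29.37).
        $eku = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) { return $false }
        # Subject CN or a SAN DNS entry (extension OID 2.5.29.17) must match the DC's FQDN.
        $names = @($c.GetNameInfo('DnsName', $false))
        $san = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) { $names += ($san.Format($false) -split ',\s*') -replace '^DNS Name=' }
        return [bool]($names | Where-Object { $_ -ieq $Fqdn })
    }
}

$usable = @(Get-LdapsCandidateCertificate -Fqdn $DcFqdn)
if ($usable.Count -eq 0) {
    Write-Warning "No certificate usable for LDAP over SSL found for $DcFqdn; the DC will keep logging event 1220."
} else {
    $usable | ForEach-Object {
        # Verify() builds the chain and checks it against this machine's trusted roots.
        '{0}  expires {1:u}  chain trusted: {2}' -f $_.Thumbprint, $_.NotAfter, $_.Verify()
    }
}
```

A warning from this script means the domain controller will not pick up the certificate, whatever the MMC shows: the usual causes are a missing private key, a name that does not match the FQDN, or an EKU without server authentication. On Windows Server 2008 and later the certificate can also be placed in the dedicated NTDS\Personal service store instead of the machine store, and the domain controller can be told to re-read its certificates without a restart by writing the renewServerCertificate attribute of rootDSE; on Windows Server 2003, restart the domain controller after the import.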
If you need to configure AD LDS to support LDAP over SSL connections, follow the instructions in Appendix A: Configuring LDAP over SSL Requirements for AD LDS (http://go.microsoft.com/?linkid=9645086).
Membership in Domain Users, or equivalent, is the minimum required to complete this procedure. Review details about default group memberships at http://go.microsoft.com/fwlink/?LinkID=150761. Perform the following procedure on a domain controller or a computer that has Remote Server Administration Tools (RSAT) installed. For more information about RSAT, see Installing Remote Server Administration Tools for AD DS (http://go.microsoft.com/fwlink/?LinkId=144909).
To confirm that LDAP over SSL is configured successfully:
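The steps of this procedure are not reproduced on this page. The following PowerShell is an added example, not the page's own procedure, and serves both the check above and the earlier task of finding the event 1220 entries on the domain controller. Test-LdapsEndpoint performs the TLS handshake on TCP 636 and records the certificate the domain controller presents, then performs an authenticated LDAP bind over SSL and reads rootDSE; Get-LdapsFailureEvents lists recent event 1220 entries from the Directory Service log. The server name is an assumed placeholder, the client is assumed to trust the issuing CA, and the caller is assumed to have remote event log access on the domain controller.

```powershell
# Added example, not from the original page. Checks from a client that a
# domain controller accepts LDAP over SSL: a TLS handshake on TCP 636 that
# records the certificate the DC presents, then an authenticated LDAP bind
# over SSL that reads rootDSE. Get-LdapsFailureEvents lists recent event
# 1220 entries on the DC. Assumptions: the DC name is a placeholder FQDN, the
# client trusts the issuing CA, and the caller may read the DC's event log.

function Test-LdapsEndpoint {
    param([Parameter(Mandatory = $true)][string]$Dc, [int]$Port = 636)

    $r = [ordered]@{ Server = $Dc; TlsHandshake = $false; Subject = $null; Issuer = $null
                     NameMatches = $false; ChainTrusted = $false; Bind = $false
                     RootDseHost = $null; Error = $null }

    # 1. TLS handshake. The callback accepts any certificate so that it can be
    #    inspected; trust is checked explicitly below. A DC with no usable
    #    certificate (the event 1220 condition) fails at this step.
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($Dc, $Port)
        $cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Dc)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $r.TlsHandshake = $true
        $r.Subject      = $cert.Subject
        $r.Issuer       = $cert.Issuer
        $r.NameMatches  = ($cert.GetNameInfo('DnsName', $false) -ieq $Dc)
        $r.ChainTrusted = $cert.Verify()          # chains to a trusted root on this client
        $ssl.Dispose(); $tcp.Close()
    } catch {
        $r.Error = "TLS: $($_.Exception.Message)"
        return [pscustomobject]$r
    }

    # 2. LDAP bind over SSL with the caller's Windows credentials, then a
    #    rootDSE read. Bind() does its own certificate validation and throws
    #    if this client does not trust the DC certificate.
    try {
        Add-Type -AssemblyName System.DirectoryServices.Protocols
        $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Dc, $Port)
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Bind()
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', 'Base', @('dnsHostName'))
        $resp = $conn.SendRequest($req)
        $r.Bind        = $true
        $r.RootDseHost = $resp.Entries[0].Attributes['dnsHostName'].GetValues([string])[0]
        $conn.Dispose()
    } catch {
        $r.Error = "LDAP: $($_.Exception.Message)"
    }
    return [pscustomobject]$r
}

function Get-LdapsFailureEvents {
    param([Parameter(Mandatory = $true)][string]$Dc, [int]$Days = 7)
    # Event 1220 is written to the Directory Service log on the DC. Requires
    # remote event log access and Windows Server 2008 or later on the DC.
    Get-WinEvent -ComputerName $Dc -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1220; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# Usage (assumed server name):
Test-LdapsEndpoint -Dc 'dc01.corp.example.com' | Format-List
Get-LdapsFailureEvents -Dc 'dc01.corp.example.com'
```

Read the result in order: TlsHandshake false with a TLS error means the domain controller has no usable certificate, which is exactly the condition that produces event 1220; TlsHandshake true with ChainTrusted or NameMatches false means the certificate is installed but clients will reject it; Bind true with a RootDseHost value means LDAP over SSL is working end to end for the credentials used. The event query is a sanity check on the domain controller side: once the certificate is in place, no new event 1220 entries should appear.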