How to Configure Windows Server 2016 LDAP

Lightweight Directory Access Protocol (LDAP) is the standard protocol used to query and modify entries in Active Directory on Windows Server 2016. Applications, scripts, and management tools communicate with Active Directory over LDAP on port 389 (unencrypted or with STARTTLS) and LDAPS on port 636 (LDAP over SSL/TLS). Properly configuring LDAP security, including enforcing LDAP signing and enabling LDAPS, is essential for protecting directory queries and modifications from interception and tampering.

This tutorial covers configuring LDAP server settings, enforcing LDAP signing, enabling LDAP over SSL, and using LDAP queries to manage Active Directory from the command line and PowerShell.

Step 1: Understand LDAP Ports and Protocols

Active Directory listens on the following LDAP ports by default:

389  - LDAP (plain text or STARTTLS)
636  - LDAPS (LDAP over SSL/TLS)
3268 - Global Catalog LDAP
3269 - Global Catalog LDAPS

Verify that the domain controller is listening on these ports:

netstat -an | findstr /C:":389 " /C:":636 " /C:":3268 " /C:":3269 "

Step 2: Enforce LDAP Signing

LDAP signing ensures that LDAP traffic has not been tampered with in transit. Without signing, man-in-the-middle attacks can modify LDAP responses. Configure LDAP signing requirements via Group Policy on domain controllers:

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Domain controller: LDAP server signing requirements

Set this to Require signing. Also configure the client-side policy to require signing when communicating with LDAP servers:

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: LDAP client signing requirements

Set this to Require signing. Apply the policy and force a refresh:

gpupdate /force

Step 3: Enable LDAP Channel Binding

LDAP channel binding prevents NTLM relay attacks against LDAP by binding the LDAP session to the underlying TLS channel. This setting was made available in Windows Server 2016 via a registry key:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" `
    -Name "LdapEnforceChannelBinding" -Value 2 -Type DWord

Valid values are 0 (disabled), 1 (when supported), and 2 (always required). Set to 2 for maximum security.
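To confirm that Steps 2 and 3 actually took effect on a domain controller, the following check reads the registry values that the two signing policies and the channel binding setting write. This is an added example, not part of the original tutorial; the value names LDAPServerIntegrity and LDAPClientIntegrity are the standard ones behind those Group Policy settings and are assumed here.

```powershell
function Test-LdapHardening {
    # Registry values written by the Step 2 policies and the Step 3 setting; the value names
    # are assumed (standard policy backing values), not taken from the tutorial above
    $checks = @(
        @{ Setting  = 'Domain controller: LDAP server signing requirements'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
           Name     = 'LDAPServerIntegrity'; Expected = 2 },      # 1 = none, 2 = require signing
        @{ Setting  = 'Network security: LDAP client signing requirements'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
           Name     = 'LDAPClientIntegrity'; Expected = 2 },      # 0 = none, 1 = negotiate, 2 = require
        @{ Setting  = 'LDAP channel binding (LdapEnforceChannelBinding)'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
           Name     = 'LdapEnforceChannelBinding'; Expected = 2 } # 0 = off, 1 = when supported, 2 = always
    )
    foreach ($c in $checks) {
        # A missing value means the policy never applied (or the registry key was never created)
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }
        [PSCustomObject]@{
            Setting   = $c.Setting
            Value     = if ($null -eq $value) { 'not set' } else { $value }
            Expected  = $c.Expected
            Compliant = ($value -eq $c.Expected)
        }
    }
}

# Run on the domain controller after gpupdate /force
Test-LdapHardening | Format-Table -AutoSize
```

Any row with Compliant = False (or Value = not set) means the corresponding step has not reached that domain controller yet.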

Step 4: Enable LDAPS with a Certificate

To enable LDAPS, the domain controller needs a valid SSL certificate with the server’s fully qualified domain name in the Subject or Subject Alternative Name. If you have an internal CA, request a certificate using the Domain Controller certificate template.

Verify that a valid certificate is installed in the Local Computer Personal certificate store:

Get-ChildItem -Path Cert:\LocalMachine\My |
Where-Object { $_.Subject -like "*yourdomain*" } |
Select-Object Subject, Thumbprint, NotAfter

Once a valid certificate is present, LDAPS is enabled automatically. Test LDAPS connectivity using the ldp.exe utility or PowerShell:

# Request SSL/TLS explicitly via AuthenticationTypes rather than relying on the port number alone;
# reading a property forces the bind, so an error here means the LDAPS handshake failed
$connection = [System.DirectoryServices.DirectoryEntry]::new(
    "LDAP://dc01.yourdomain.com:636", $null, $null,
    [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
)
$connection.Name
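A successful bind only proves that some certificate was accepted. The following check, added here and not part of the original tutorial, performs the TLS handshake on port 636 itself and reports the properties Step 4 requires: the FQDN in the Subject or SAN, the Server Authentication EKU, expiry, and whether the chain validates against the local trust store. It assumes a Windows host with .NET Framework (the SAN text layout "DNS Name=..." is the one .NET produces on Windows).

```powershell
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)] [string] $DomainController,   # FQDN, e.g. dc01.yourdomain.com
        [int] $Port = 636
    )
    $client = [System.Net.Sockets.TcpClient]::new($DomainController, $Port)
    try {
        # Accept whatever the server presents during the handshake; the checks below grade it afterwards
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($DomainController)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        # Subject Alternative Name (OID 2.5.29.17), rendered by .NET as "DNS Name=host1, DNS Name=host2"
        $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanNames = @()
        if ($sanExt) {
            $sanNames = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value }
        }
        # Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) must be present for Schannel to use the cert
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $hasServerAuth = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

        # Build the chain against this machine's trust store (what a domain-joined client would do)
        $chain   = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chainOk = $chain.Build($cert)

        [PSCustomObject]@{
            Server          = "${DomainController}:$Port"
            Protocol        = $ssl.SslProtocol
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            NotAfter        = $cert.NotAfter
            DaysUntilExpiry = [int]($cert.NotAfter - (Get-Date)).TotalDays
            SanNames        = $sanNames -join ', '
            FqdnInSan       = ($sanNames -contains $DomainController) -or ($cert.Subject -like "*CN=$DomainController*")
            ServerAuthEku   = [bool]$hasServerAuth
            ChainValid      = $chainOk
            ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
    finally {
        $client.Close()
    }
}

Test-LdapsCertificate -DomainController 'dc01.yourdomain.com' | Format-List
```

If FqdnInSan or ServerAuthEku is False the domain controller will not serve LDAPS reliably even though a certificate exists in the Personal store; ChainStatus lists the reason when ChainValid is False.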

Step 5: Perform LDAP Queries with ldifde

The ldifde command-line tool supports exporting and importing Active Directory data using LDAP. Export all user objects to an LDIF file:

ldifde -f C:\Export\users.ldf -s dc01.yourdomain.com -d "DC=yourdomain,DC=com" -r "(objectClass=user)"

Import objects from an LDIF file:

ldifde -i -f C:\Import\newusers.ldf -s dc01.yourdomain.com

Step 6: Query Active Directory with PowerShell LDAP

Use the DirectorySearcher class to perform LDAP queries from PowerShell:

$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://DC=yourdomain,DC=com")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
# "enabled" is not an LDAP attribute; an enabled account is one whose userAccountControl
# lacks the ACCOUNTDISABLE bit (2), tested with the LDAP_MATCHING_RULE_BIT_AND rule
$searcher.Filter = "(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
$searcher.PropertiesToLoad.AddRange(@("samAccountName","displayName","mail"))
$results = $searcher.FindAll()
foreach ($result in $results) {
    [PSCustomObject]@{
        Username = $result.Properties["samaccountname"][0]
        DisplayName = $result.Properties["displayname"][0]
        Email = $result.Properties["mail"][0]
    }
}

Step 7: Audit LDAP Events

Enable LDAP interface events logging to capture LDAP queries and binding attempts. Configure the logging level in the registry:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics" `
    -Name "16 LDAP Interface Events" -Value 2 -Type DWord   # logs Event 2889 for each unsigned or clear-text bind
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics" `
    -Name "15 Field Engineering" -Value 5 -Type DWord       # logs expensive and inefficient LDAP queries (Event 1644)

LDAP diagnostic events are written to the Directory Service event log. Once logging is enabled, monitor for unsigned LDAP bind attempts using Event IDs 2887 and 2889:

Get-WinEvent -FilterHashtable @{ LogName = "Directory Service"; Id = 2887, 2889 } |
Select-Object TimeCreated, Id, Message | Format-List
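Reading 2889 events one by one does not scale, and the useful data (which client, which account) sits inside the message text. The following added example, not part of the original tutorial, parses each 2889 message into client address and identity and summarises the unsigned binds per client so the offending applications can be fixed before signing is enforced. The message layout used by the parser (the "Client IP address:" and "Identity the client attempted to authenticate as:" labels, each followed by its value on the next line) is the one Windows writes for Event 2889; the sample message is constructed.

```powershell
# Parse one Event 2889 message into the client endpoint and the identity it bound as
function ConvertFrom-Ldap2889Message {
    param([Parameter(Mandatory)] [string] $Message)
    $ip = $null; $identity = $null
    if ($Message -match 'Client IP address:\s+(\S+)') {
        $ip = $Matches[1] -replace ':\d+$', ''      # drop the client's ephemeral source port
    }
    if ($Message -match 'Identity the client attempted to authenticate as:\s+([^\r\n]+)') {
        $identity = $Matches[1].Trim()
    }
    [PSCustomObject]@{ ClientIp = $ip; Identity = $identity }
}

# Summarise unsigned binds per (client, identity) over the last N hours on a domain controller
function Get-UnsignedLdapBindClients {
    param([string] $ComputerName = $env:COMPUTERNAME, [int] $Hours = 24)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = ConvertFrom-Ldap2889Message -Message $_.Message
            [PSCustomObject]@{ TimeCreated = $_.TimeCreated; ClientIp = $p.ClientIp; Identity = $p.Identity }
        } |
        Group-Object ClientIp, Identity |
        ForEach-Object {
            [PSCustomObject]@{
                ClientIp  = $_.Group[0].ClientIp
                Identity  = $_.Group[0].Identity
                BindCount = $_.Count
                LastSeen  = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
            }
        } | Sort-Object BindCount -Descending
}

# Constructed sample message in the 2889 layout, for exercising the parser without a live DC
$sample = @"
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
10.0.0.25:49711
Identity the client attempted to authenticate as:
YOURDOMAIN\svc-legacyapp
"@
ConvertFrom-Ldap2889Message -Message $sample

# Live use on a domain controller with "16 LDAP Interface Events" set to 2:
# Get-UnsignedLdapBindClients -Hours 24 | Format-Table -AutoSize
```

Event 2887 gives only the daily count of such binds, so this per-client breakdown from 2889 is what tells you which systems will break when the Step 2 policy is switched to Require signing.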

Configuring LDAP signing, channel binding, and LDAPS on Windows Server 2016 is a critical step in hardening your Active Directory environment. These settings protect directory communications from interception and relay attacks while ensuring that all LDAP clients communicate securely with domain controllers.