How to Configure LDAP on Windows Server 2012 R2

Lightweight Directory Access Protocol (LDAP) is the standard protocol used to access and manage directory services, including Active Directory Domain Services. Applications, scripts, and third-party systems use LDAP to search for users, authenticate accounts, and read or modify directory objects. Windows Server 2012 R2 domain controllers listen for LDAP on TCP port 389 (cleartext by default; StartTLS or SASL-negotiated signing and sealing can protect the session after it is opened) and for LDAPS (LDAP over SSL/TLS) on TCP port 636; Global Catalog servers additionally listen on 3268 and 3269. Configuring LDAP correctly involves enabling SSL/TLS, managing LDAP signing and channel binding, and controlling LDAP query policies for performance and security. This guide covers LDAP configuration in depth.

Prerequisites

LDAP configuration requires Domain Admin rights on the domain controllers for the Group Policy and registry settings below; the query policy objects live in the Configuration partition, so editing them requires Enterprise Admins membership or delegated rights on that partition. For LDAPS, a certificate signed by a CA trusted by your clients must be installed on each domain controller. The Active Directory Domain Services role must be installed. For certificate operations, AD CS or a third-party PKI must be available.

Import-Module ActiveDirectory

Testing Basic LDAP Connectivity

Before configuring LDAP, verify basic connectivity to your domain controller:

# Test LDAP port connectivity
Test-NetConnection -ComputerName "DC-LON-01.contoso.com" -Port 389
Test-NetConnection -ComputerName "DC-LON-01.contoso.com" -Port 636

# Simple LDAP query using .NET (tests connectivity and authentication)
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = "LDAP://DC=contoso,DC=com"
$searcher.Filter = "(sAMAccountName=Administrator)"
$searcher.FindOne()

Enabling LDAP over SSL (LDAPS)

LDAP over SSL (port 636) encrypts the entire LDAP session from the start. To enable LDAPS, a certificate must be installed on the domain controller in the Local Computer > Personal certificate store with the Server Authentication EKU and a subject or SAN matching the DC’s FQDN.

If an Enterprise CA is deployed, domain controllers automatically enroll for a Domain Controller certificate, which enables LDAPS automatically. Verify:

# Check for a certificate suitable for LDAPS on the DC
Get-ChildItem -Path "Cert:\LocalMachine\My" | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains "1.3.6.1.5.5.7.3.1"  # Server Auth EKU
} | Select-Object Subject, Thumbprint, NotAfter, Issuer
# Request a certificate manually from Enterprise CA for LDAPS
# If auto-enrollment is not configured, request via MMC or certreq

# Test LDAPS connectivity after certificate installation
# Use ldp.exe (part of AD DS Tools) to connect to port 636 with SSL
# Or test via PowerShell:
Add-Type -AssemblyName System.DirectoryServices.Protocols
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier("DC-LON-01.contoso.com", 636)
$ldapConnection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
# Negotiate binds with the current credentials, so no password is embedded in the script
$ldapConnection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$ldapConnection.SessionOptions.SecureSocketLayer = $true   # must be set before Bind()
try {
    $ldapConnection.Bind()
    Write-Host "LDAPS connection successful"
} catch [System.DirectoryServices.Protocols.LdapException] {
    # An untrusted certificate or a name mismatch typically surfaces here as
    # "The LDAP server is unavailable" rather than as an explicit TLS error
    Write-Host "LDAPS bind failed: $($_.Exception.Message)"
} finally {
    $ldapConnection.Dispose()
}
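A bind failure on port 636 rarely says why. The following function, added here as an example and not part of the original article, opens a raw TLS session to the LDAPS port with SslStream, records the chain-validation verdict instead of aborting, and checks the Server Authentication EKU and the SAN against the name the client will use. The DC name is an assumption.

```powershell
# Added example, not part of the original article. Inspects the certificate a DC
# serves on the LDAPS port using a raw TLS handshake. The DC name is an assumption.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 636
    )
    $state = @{ PolicyErrors = $null }
    # Capture the validation verdict instead of failing the handshake, so a
    # chain or name problem is reported together with the certificate details.
    $validate = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors
        return $true
    }.GetNewClosure()
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
    try {
        # The target name must be the name LDAP clients use, or the SAN check is meaningless
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
        [pscustomobject]@{
            Host           = $ComputerName
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            NotAfter       = $cert.NotAfter
            Protocol       = $ssl.SslProtocol
            Cipher         = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            ServerAuthEku  = [bool]($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
            SanMatchesHost = [bool]($sanText -match "DNS Name=$([regex]::Escape($ComputerName))(,|$)")
            PolicyErrors   = $state.PolicyErrors   # None means the chain and name validated
        }
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

# Usage (assumed DC name):
# Test-LdapsCertificate -ComputerName 'DC-LON-01.contoso.com'
```

A healthy DC returns PolicyErrors = None, ServerAuthEku = True and SanMatchesHost = True. RemoteCertificateChainErrors means the issuing CA is not trusted by the machine running the check, which is the usual reason the LdapConnection bind above fails; RemoteCertificateNameMismatch means the SAN does not cover the name the clients use.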

Configuring LDAP Signing Requirements

LDAP signing adds an integrity check to every LDAP message so that a man-in-the-middle cannot tamper with, or relay, an unsigned session. Requiring it on the DC rejects SASL (Negotiate/Kerberos/NTLM/Digest) binds that do not negotiate signing and simple binds on cleartext port 389; simple binds over LDAPS are still accepted because TLS already provides integrity. Signing does not encrypt the payload. It is enforced through Group Policy:

# Configure LDAP signing on Domain Controllers (GPO setting)
# Path: Computer Configuration > Windows Settings > Security Settings > Local Policies
# Security Options > Domain controller: LDAP server signing requirements
# Value: Require signing

# Registry equivalent
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" `
    -Name "LDAPServerIntegrity" -Value 2 -Type DWord
# 1 = None, 2 = Require signing

# Configure LDAP client signing (on member servers and workstations)
# Computer Configuration > Windows Settings > Security Settings > Local Policies
# Security Options > Network security: LDAP client signing requirements = Require signing

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LDAP" `
    -Name "LDAPClientIntegrity" -Value 2 -Type DWord
# 0 = None, 1 = Negotiate signing (default), 2 = Require signing

Configuring LDAP Channel Binding

LDAP channel binding ties an LDAP bind that runs over TLS to that specific TLS session by means of a channel binding token (CBT), so credentials relayed by an attacker cannot be replayed onto a different TLS connection to the DC. The LdapEnforceChannelBinding registry value was added by the July 2017 security update for CVE-2017-8563 and is available on Windows Server 2012 R2 once that update is installed; the March 2020 update described in ADV190023 added the audit events used below. Channel binding only applies to binds over SSL/TLS (LDAPS or StartTLS); on cleartext port 389 the equivalent control is LDAP signing. Enable it in audit mode first:

# Enable LDAP channel binding in audit mode first
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" `
    -Name "LdapEnforceChannelBinding" -Value 1 -Type DWord
# 0 = Never (no CBT validation)
# 1 = When supported: a client that sends a CBT must send a correct one, clients that send
#     none are still accepted, and failures are logged (audit mode)
# 2 = Always: every bind over TLS must carry a valid CBT

# Check the channel binding and signing audit events in the Directory Service log
# 3039 = a client failed CBT validation, 3040 = 24-hour summary of unprotected binds,
# 3041 = this DC is not configured to enforce channel binding
Get-WinEvent -FilterHashtable @{LogName = "Directory Service"; Id = 3039, 3040, 3041} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
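Before switching either setting from audit to enforce, you want a list of the clients that would break. The script below is an added example, not part of the original article; it covers both the signing section and the channel binding section. It raises the "16 LDAP Interface Events" diagnostic level so the DC logs event 2889 for each unsigned SASL or cleartext simple bind, then aggregates those events together with the channel binding failures (event 3039) by client and identity. It assumes the DC has the March 2020 update, that LdapEnforceChannelBinding is set to 1, and that the event text uses the standard English layout (the regular expressions are written against that layout and should be checked against one real event).

```powershell
# Added example, not part of the original article. Summarizes the clients that would
# break when LDAP signing (event 2889) or channel binding (event 3039) is enforced.
# Assumptions: March 2020 update installed, LdapEnforceChannelBinding = 1, and the
# standard English event message layout.
function Enable-LdapInterfaceDiagnostics {
    # Level 2 of "16 LDAP Interface Events" logs event 2889 per unsigned or
    # cleartext bind. Event 2887 (24-hour summary) is logged even at level 0.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
        -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-LdapHardeningOffenders {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2889, 3039
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Both event texts carry "Client IP address:" (ip:port on the following line) and
        # "Identity the client attempted to authenticate as:"; 2889 also carries
        # "Binding Type:" 0 (unsigned SASL bind) or 1 (simple bind in cleartext).
        $ip = if ($e.Message -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { $null }
        $id = if ($e.Message -match 'authenticate as:\s*([^\r\n]+)') { $Matches[1].Trim() } else { $null }
        $bt = if ($e.Message -match 'Binding Type:\s*(\d)') { [int]$Matches[1] } else { $null }
        $issue = switch ($e.Id) {
            2889 { if ($bt -eq 1) { 'SimpleBindCleartext' } else { 'SaslBindUnsigned' } }
            3039 { 'ChannelBindingFailed' }
        }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Issue       = $issue
            ClientIp    = $ip
            Identity    = $id
        }
    }
}

function Get-LdapHardeningSummary {
    # One row per (issue, client, identity) so the noisiest offenders float to the top
    param([int]$Hours = 24)
    Get-LdapHardeningOffenders -Hours $Hours |
        Group-Object Issue, ClientIp, Identity |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Issue';    e = { $_.Group[0].Issue } },
            @{ n = 'ClientIp'; e = { $_.Group[0].ClientIp } },
            @{ n = 'Identity'; e = { $_.Group[0].Identity } }
}

# Usage: enable diagnostics, wait for a representative period, then review
# Enable-LdapInterfaceDiagnostics
# Get-LdapHardeningSummary -Hours 24 | Format-Table -AutoSize
```

Run this on every DC, not just one, because each DC logs only the binds it served. SimpleBindCleartext rows are usually LDAP-integrated appliances or applications configured for port 389 with a username and password; those need to move to LDAPS (or StartTLS) before signing is required, since a required-signing DC rejects them outright. ChannelBindingFailed rows are clients that already send a CBT but send it incorrectly and will fail once LdapEnforceChannelBinding is set to 2.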

Configuring LDAP Query Policies

LDAP query policies control resource limits for LDAP queries to protect DC performance. The default query policy is stored in CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com:

# View current LDAP policy settings
Get-ADObject -SearchBase "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com" `
    -Filter * -Properties lDAPAdminLimits |
    Select-Object -ExpandProperty lDAPAdminLimits

# Key policy attributes:
# MaxPageSize: max objects per page (default 1000)
# MaxQueryDuration: max query execution time in seconds (default 120)
# MaxResultSetSize: max size of result set in bytes (default 262144)
# MaxActiveQueries: max concurrent active queries (default 20)
# MaxConnIdleTime: idle connection timeout (default 900 seconds)
# InitRecvTimeout: initial receive timeout (default 120)
# MaxConnections: max simultaneous connections (default 5000)
# Modify MaxPageSize to support larger result sets for reporting applications.
# Note: this edits the Default Query Policy, which applies to every DC in the forest
# that has no site- or DC-level policy assigned; a larger page also means more memory
# per query on each DC. Clients that use paged searches do not need this change.
$queryPolicy = Get-ADObject `
    -SearchBase "CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com" `
    -Filter {Name -eq "Default Query Policy"} -Properties lDAPAdminLimits

# Wrap in @() so the result stays an array even if only one entry survives the filter
$newLimits = @($queryPolicy.lDAPAdminLimits | Where-Object {$_ -notlike "MaxPageSize*"})
$newLimits += "MaxPageSize=5000"
Set-ADObject -Identity $queryPolicy.DistinguishedName `
    -Replace @{lDAPAdminLimits = $newLimits}
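Raising limits in the Default Query Policy loosens every DC in the forest for the sake of one reporting tool. Active Directory supports more than one query policy: a queryPolicy object can be assigned to a single DC through the queryPolicyObject attribute on its NTDS Settings object (or to a site through NTDS Site Settings), and that assignment takes precedence over the default. The following script, added here as an example and not part of the original article, clones the default policy with selected overrides and attaches it to one DC. The policy name, the override values and the DC name are assumptions.

```powershell
# Added example, not part of the original article. Gives one DC a dedicated query
# policy instead of raising limits on every DC that uses the default policy.
# The policy name, the overrides and the DC name are assumptions.
Import-Module ActiveDirectory

function ConvertTo-LimitTable {
    # lDAPAdminLimits is a multivalued set of "Name=Value" strings; make it a table
    param([string[]]$Limits)
    $table = [ordered]@{}
    foreach ($entry in $Limits) {
        $name, $value = $entry -split '=', 2
        $table[$name] = $value
    }
    $table
}

function New-ScopedQueryPolicy {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][hashtable]$Overrides    # e.g. @{ MaxPageSize = 5000 }
    )
    $configNc  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    if (Get-ADObject -SearchBase $container -Filter "Name -eq '$Name'") {
        throw "Query policy '$Name' already exists"
    }
    # Copy every limit from the default policy so the new object is complete and
    # auditable on its own, then apply the overrides on top
    $default = Get-ADObject -Identity "CN=Default Query Policy,$container" -Properties lDAPAdminLimits
    $limits  = ConvertTo-LimitTable -Limits $default.lDAPAdminLimits
    foreach ($key in $Overrides.Keys) { $limits[$key] = [string]$Overrides[$key] }
    $values = @($limits.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" })
    New-ADObject -Type queryPolicy -Name $Name -Path $container `
        -OtherAttributes @{ lDAPAdminLimits = $values } -PassThru
}

function Set-DomainControllerQueryPolicy {
    # queryPolicyObject on the DC's NTDS Settings object overrides the site-level
    # and default policies; only that DC is affected
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][string]$PolicyDN
    )
    $dc = Get-ADDomainController -Identity $DomainController
    Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ queryPolicyObject = $PolicyDN }
}

function Get-DomainControllerQueryPolicy {
    param([Parameter(Mandatory)][string]$DomainController)
    $dc = Get-ADDomainController -Identity $DomainController
    (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties queryPolicyObject).queryPolicyObject
}

# Usage (assumed names):
# $policy = New-ScopedQueryPolicy -Name 'Reporting Query Policy' -Overrides @{ MaxPageSize = 5000; MaxQueryDuration = 300 }
# Set-DomainControllerQueryPolicy -DomainController 'DC-LON-02' -PolicyDN $policy.DistinguishedName
# Get-DomainControllerQueryPolicy -DomainController 'DC-LON-02'
```

Point the reporting application at that DC explicitly (by host name, not the domain name) so it does not land on a DC that still runs the default limits. Both objects live in the Configuration partition, so the change must replicate to the target DC before it takes effect, and the account running the script needs write access there.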

Searching Active Directory via LDAP

Understanding LDAP filter syntax is essential for effective AD queries. LDAP filters use a prefix notation with attributes, operators, and values:

# LDAP filter examples using DirectorySearcher
$searcher = New-Object System.DirectoryServices.DirectorySearcher("LDAP://DC=contoso,DC=com")

# Find all enabled users
$searcher.Filter = "(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
$searcher.PageSize = 1000
$results = $searcher.FindAll()
Write-Host "Found $($results.Count) enabled users"

# Find users in a specific OU
$searcher.SearchRoot = [ADSI]"LDAP://OU=Finance,OU=Contoso,DC=contoso,DC=com"
$searcher.Filter = "(objectClass=user)"
$searcher.PropertiesToLoad.AddRange(@("sAMAccountName","mail","displayName"))
$results = $searcher.FindAll()
foreach ($result in $results) {
    Write-Host "$($result.Properties['samaccountname'][0]) - $($result.Properties['mail'][0])"
}
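Filters built by string concatenation are where LDAP injection comes from: a login value of `*` turns `(sAMAccountName=*)` into a match for every user, and a value containing parentheses rewrites the filter structure. RFC 4515 requires the characters `\`, `*`, `(`, `)` and NUL to be encoded as a backslash followed by two hex digits. The function below, added here as an example and not part of the original article, performs that encoding and uses it in a DirectorySearcher lookup; the search root and the sample login values are constructed for illustration.

```powershell
# Added example, not part of the original article. Escapes untrusted values per
# RFC 4515 before they are placed in an LDAP filter. Search root and inputs are assumed.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    # Every special character becomes \XX where XX is its hex code: * -> \2a, ( -> \28,
    # ) -> \29, \ -> \5c, NUL -> \00. Other characters pass through unchanged.
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        '\{0:x2}' -f [int][char]$m.Value
    }
    [regex]::Replace($Value, '[\\*()\x00]', $evaluator)
}

function Find-UserByLogin {
    param(
        [Parameter(Mandatory)][string]$Login,
        [string]$SearchRoot = 'LDAP://DC=contoso,DC=com'   # assumption
    )
    $safe = ConvertTo-LdapFilterValue -Value $Login
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchRoot)
    # $safe can no longer introduce wildcards or close the sAMAccountName clause
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName'))
    $searcher.PageSize = 1000
    $searcher.FindAll()
}

# Constructed inputs a login field might receive, shown unescaped and escaped.
# '*' unescaped matches every user; escaped it is '\2a', a literal asterisk.
'jsmith', '*', 'j*', 'jsmith)(objectClass=*' | ForEach-Object {
    [pscustomobject]@{
        Input   = $_
        Escaped = ConvertTo-LdapFilterValue -Value $_
    }
} | Format-Table -AutoSize

# Usage against a real directory (assumed search root):
# Find-UserByLogin -Login 'jsmith'
```

Filter escaping and DN escaping are different rules: a value that goes into a distinguished name (for example when building a SearchRoot from user input) follows RFC 4514, where commas, plus signs and leading or trailing spaces are escaped with a backslash, not with hex codes. Use one function per context and never reuse one for the other.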

Monitoring LDAP Performance

# Monitor LDAP performance counters
Get-Counter -Counter @(
    "\NTDS\LDAP Client Sessions",
    "\NTDS\LDAP Searches/sec",
    "\NTDS\LDAP Successful Binds/sec",
    "\NTDS\LDAP UDP operations/sec"
) -SampleInterval 5 -MaxSamples 12 |
    Select-Object -ExpandProperty CounterSamples |
    Select-Object Path, CookedValue

Summary

LDAP configuration on Windows Server 2012 R2 encompasses SSL/TLS setup for encrypted connections, signing requirements that stop tampering with and relaying of unsigned sessions, channel binding that ties a TLS bind to its own session, and query policy tuning for performance. Enable LDAPS using domain controller certificates, audit unsigned binds and then enforce LDAP signing via Group Policy, and enable channel binding in audit mode before requiring it. Tune LDAP query policies based on application requirements, increasing MaxPageSize for reporting tools while ensuring query duration limits protect DC performance. Regular monitoring of LDAP connection counts and search rates helps identify problematic applications before they degrade directory performance.