Password Propagation service certifcate requirements install. (4381953)

Enable LDAPS on Active Directory by Installing Microsoft AD Certificate Services (AD CS)

LDAPS (LDAP over SSL/TLS, TCP 636) requires each Domain Controller to possess a valid Server Authentication certificate trusted by the domain. This solution enables LDAPS by installing Microsoft Active Directory Certificate Services (AD CS) and issuing LDAPS-compatible certificates to all Domain Controllers.

This approach is recommended for environments using Quest products such as Migrator Pro for Active Directory, Directory Sync Pro, Password Propagation Service (PPS), On Demand Migration agents, and other LDAP-based integrations.

Step 1 — Install the AD CS Role

Install the Certification Authority role on a domain-joined server. A member server is preferred, but installation on a Domain Controller is supported.

Step 2 — Configure Active Directory Certificate Services

1. Open Server Manager

2. Select Configure Active Directory Certificate Services

3. Select role services:

   • Certification Authority

4. Configuration settings:

   • Enterprise CA

   • Root CA

   • Create a new private key

   • Cryptography:

     • Provider: RSA

     • Hash algorithm: SHA256

     • Key length: 2048 bits or higher

5. Accept default CA name and validity period

6. Complete the configuration

This creates an Enterprise Root CA automatically trusted by all domain members.

Step 3 — Create and Publish an LDAPS Certificate Template

1. Open Certification Authority

2. Right-click Certificate Templates → Manage

3. Duplicate the Computer template

4. Configure the duplicated template:

   • Template Name: Domain Controller LDAPS

   • Extensions:

     • Ensure Server Authentication EKU is present

   • Subject Name:

     • Select Supply in the request

   • Security:

     • Grant Domain Controllers:

       • Read

       • Enroll

5. Save the template

6. Back in Certification Authority:

   • Right-click Certificate Templates

   • Select New → Certificate Template to Issue

   • Select Domain Controller LDAPS

Step 4 — Enroll LDAPS Certificates on Domain Controllers

On each Domain Controller:

1. Force Group Policy refresh:

    

   gpupdate /force

2. Allow several minutes for auto-enrollment to occur
   (manual enrollment via Certificates MMC may be used if auto-enrollment is disabled)

Verify the issued certificate:

• Location: Local Computer → Personal → Certificates

• Certificate must:

  • Have a private key

  • Include Server Authentication EKU

  • Contain the DC’s FQDN in the Subject or SAN

Step 5 — Restart Active Directory Domain Services

LDAPS is initialized only when AD DS starts.

Alternatively, reboot the Domain Controller.

Step 6 — Validate LDAPS Functionality

Confirm LDAPS Port

Expected output:

Test Using LDP.exe

1. Run ldp.exe

2. Connection → Connect

3. Server: DC FQDN

4. Port: 636

5. Check SSL

6. Connect and Bind

A successful SSL bind confirms LDAPS is operational.

Step 7 — Firewall Validation

Ensure TCP 636 is allowed:

• Windows Defender Firewall on Domain Controllers

• Network firewalls

• Cloud NSGs (if applicable)

Quest-Specific Notes

• Quest products require LDAPS to bind using the Domain Controller FQDN, not IP address

• Ensure the issuing CA root certificate is trusted by:

  • Quest Migration servers

  • Directory Sync servers

  • Password Propagation Service hosts

• Once LDAPS is available, Quest services can safely disable unsecured LDAP (TCP 389)

Common Issues and Resolution

Result

LDAPS is now enabled and available on all Domain Controllers using certificates issued by the internal Enterprise CA. Secure LDAP connections can be established using: