!!! Updated !!!
Thanks to RossUA
In a certain way I agree with BBCMicro. It takes a while to understand what an admin has to do to prepare for the update. I wonder about MS enforcing LDAP signing, which could cause applications to stop working. But it's true, LDAP without signing should have been switched off long ago.
My suggestion for this issue (check it yourself!):
- Ignore the LDAP channel binding token (LDAP CBT) stuff: the setting in the March 2020 update will be "compatibility mode".
- With the March 2020 update, the operating system itself will change the interpretation of the "ldapserverintegrity" registry key value.
  - Without the March 2020 update, "not defined", "0" and "1" mean "Negotiate"; "2" means "Require Signing".
  - With the March 2020 update, "0" means "Negotiate"; "not defined", "1" and "2" mean "Require Signing".
  - "0" cannot be set via the GPO security setting "LDAP server signing requirements" ("None" = "1", "Require signing" = "2").
- If the LDAP server is set to require signing, the LDAP client setting of all clients and of the DCs themselves must be set to require signing.
- With rsop.msc or gpresult, check the DC effective setting for "Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain Controller: LDAP server signing requirements"
  - If "Require signing" => all done
  - If "None"
    - Start analyzing LDAP clients NOW
    - Check DC event logs for Event ID 2887 (once per 24 hours); it indicates that there are unsigned requests
    - Start by temporarily enabling NTDS/Diagnostics: LDAP Interface Events:DWORD:2 on a few DCs
    - Use PowerShell to analyze the DC events 2889 (see Alan's post 12-16-2019 05:59 AM as a template)
    - Create a new GPO "DC Pref LDAP Signing None" with Preference/Registry "ldapserverintegrity" set to "0"
    - Link the new GPO to the OU "Domain Controllers" (or the OU where the DC computer objects reside) with Link Order "1"
    - Do "gpupdate /force" two times on a DC and check that the new GPO is applied
    - Check that all DCs have "ldapserverintegrity" set to "0"
    - ==> prepared for the March 2020 update, Negotiate enabled
- If ready to enable LDAP signing
  - Check that the original DDCP (or your own DDCP) has "LDAP server signing requirements" set to "Require signing"
  - Check that the original DDCP (or your own DDCP) has "Network security: LDAP client signing requirements" set to "Require signing"
  - Configure GPOs for domain members to "Require signing" (Network security: LDAP client signing requirements)
  - Check that all clients work with LDAP signing (Event 2887)
  - Disable the link for GPO "DC Pref LDAP Signing None"
  - Do a "gpupdate /force" on a DC and check that the LDAP server signing has changed to "Require signing"
  - Check that all DCs have "ldapserverintegrity" set to "2"
  - Check for problems; roll back by linking the GPO "DC Pref LDAP Signing None" with Link Order "1"
  - After a couple of weeks, if all works fine, delete the GPO "DC Pref LDAP Signing None"
- After the March 2020 update
  - Check whether to update the Central Store; LDAP CBT settings may become available for configuring in GPMC
  - Decide whether LDAP CBT compatibility is secure enough; otherwise use LDAP Interface Events to analyze DS events 3039, 3040 and take further action
Don't forget AD LDS: LDAP server signing has to be configured for every instance (https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008): "By default, for Active Directory Lightweight Directory Services (AD LDS), the registry key is not available. Therefore, you must create an LDAPServerIntegrity registry entry of the REG_DWORD type under the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<InstanceName>\Parameters"
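As an added example (not code from this thread or from Alan's post), a PowerShell script that inventories "ldapserverintegrity" on every DC and summarizes the 2889 events the steps above rely on, grouped by client IP, identity and binding type. It assumes the RSAT ActiveDirectory module, WinRM access to the DCs, that LDAP Interface Events has already been raised to 2 on those DCs, and the property order of the 2889 event (client IP:port, identity, binding type).

```powershell
# Added example: DC LDAP signing inventory + unsigned-bind summary (Event 2889).
# Assumptions: RSAT ActiveDirectory module, WinRM to all DCs, NTDS diagnostics
# "LDAP Interface Events" = 2 already set, and the 2889 property order below.
param([int]$Hours = 24)

Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName

# 1. Registry inventory. "not defined" matters: before the March 2020 update it
#    means Negotiate, afterwards it is interpreted as Require Signing.
$regState = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                          -Name ldapserverintegrity -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC                  = $env:COMPUTERNAME
        ldapserverintegrity = if ($null -eq $p) { 'not defined' } else { $p.ldapserverintegrity }
    }
}
$regState | Sort-Object DC | Format-Table DC, ldapserverintegrity -AutoSize

# 2. Event 2889: one event per unsigned SASL bind or cleartext simple bind.
#    (2887 is only the daily count; 2889 needs diagnostics level 2.)
$since  = (Get-Date).AddHours(-$Hours)
$events = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2889; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumed property order: [0] client IP:port, [1] identity, [2] binding type
        $bindType = switch ([string]$_.Properties[2].Value) {
            '0'     { 'SASL bind without signing' }
            '1'     { 'Simple bind over cleartext' }
            default { "Unknown ($_)" }
        }
        [pscustomobject]@{
            DC          = $dc
            ClientIP    = ($_.Properties[0].Value -split ':')[0]
            Identity    = $_.Properties[1].Value
            BindingType = $bindType
        }
    }
}

# Most frequent offenders first: these are the clients/apps to fix before
# switching the DCs to "Require signing".
$events | Group-Object ClientIP, Identity, BindingType |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Client (IP, identity, bind type)'; e = { $_.Name } } |
    Format-Table -AutoSize
```

Run it on a few DCs first with the default 24-hour window; an empty 2889 list while 2887 still reports unsigned binds usually means the diagnostics level was not raised on the DC that logged them.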