Forum Discussion
Create and Import Certificate for all server Child AD
- Nov 07, 2023
Hi ThanhNha0903,
In regards to your questions about LDAPS configuration for Active Directory, here are some recommendations:
1. Certificate Option:
For the certificate, it is generally recommended to use a wildcard certificate (*.contoso.contosocorp.vn) instead of listing all server hostnames individually. This simplifies certificate management and avoids the need to update the certificate whenever a new server is added or removed.
2. Certificate Import:
The certificate should be imported to the NTDS Service's Personal certificate store. This ensures that the certificate is used by the Active Directory Domain Services (AD DS) service for secure LDAP communication. Importing the certificate to the Computer store would only make it available for general machine authentication, not specifically for LDAPS.
Additional Considerations:
- Ensure that the certificate is issued by a trusted Certificate Authority (CA).
- Verify that the certificate's validity period is sufficient for your needs.
- Distribute the certificate to all domain controllers in the child domain.
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item. If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
- ThanhNha0903, Nov 08, 2023 (Copper Contributor)
Hi Leon,
Thanks for responding,
I have two questions about 1. Certificate Option.
Question 1: The AD domain is contoso.contosocorp.vn. If we create a cert with SN *.contoso.contosocorp.vn and ldap.contoso.com.vn, and the domain ldap.contoso.com.vn points to some ADs and is used for client connections, will the connection succeed? Because we don't want clients to connect to one AD, and when one AD is under maintenance we only need to change the DNS IP of the domain ldap.contoso.com.vn.
Question 2: The AD domain is contoso.contosocorp.vn. If we create a cert with SN *.contoso.contosocorp.vn and ldap.contoso.contosocorp.vn, which points to some ADs and is used for client connections, will the connection succeed? Because we don't want clients to connect to one AD, and when one AD is under maintenance we only need to change the DNS IP of the domain ldap.contoso.contosocorp.vn.
Kindest regards,
Nguyen Thanh Nha
- LeonPavesic, Nov 08, 2023 (Silver Contributor)
Hi ThanhNha0903,
Thanks for your update and additional questions:
Question 1:
Yes, a certificate with the subject name (SN) *.contoso.contosocorp.vn and ldap.contoso.com.vn is sufficient to allow clients to connect to either AD domain. This is because the wildcard character (*) in the SN matches any hostname within the contoso.contosocorp.vn domain. When a client attempts to connect to ldap.contoso.com.vn, the certificate will be presented to the client, enabling the client to verify its validity for that hostname.
Question 2:
Yes, if the DNS record for ldap.contoso.contosocorp.vn points to one of the AD domains and a certificate with the SN *.contoso.contosocorp.vn and ldap.contoso.contosocorp.vn is created, clients can connect to that AD domain using that certificate. This is because the SN *.contoso.contosocorp.vn matches any hostname within the contoso.contosocorp.vn domain, and the DNS record for ldap.contoso.contosocorp.vn resolves to a valid IP address. When a client attempts to connect to ldap.contoso.contosocorp.vn, the certificate will be presented to the client, enabling the client to verify its validity for that hostname.
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item. If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
- ThanhNha0903, Nov 09, 2023 (Copper Contributor)
Hi LeonPavesic,
Thanks for replying,
So, I have created a wildcard certificate *.contoso.contosocorp.vn for the child AD domain contoso.contosocorp.vn, including the Subject Names (SN) below:
adldap.contoso.contosocorp.vn
ldap.contoso.com.vn
=> Please recommend which SN we should choose?
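The points raised in Leon's two replies above (a certificate issued by a trusted CA, a sufficient validity period, the certificate present on every DC in the child domain, and a name in the certificate that covers whatever name clients actually connect to, whether a DC's own hostname under the wildcard or an alias such as ldap.contoso.com.vn) can all be checked from a domain-joined machine by completing a TLS handshake on port 636 and inspecting what each endpoint presents. The PowerShell script below is an added example and is not code from this thread or from Microsoft. The domain and alias names are the thread's hypothetical values; Get-ADDomainController is assumed to be available from the RSAT ActiveDirectory module (replace it with a literal list of DC names if it is not), and the "DNS Name=" text parsed from the SAN extension is the English-locale output of the .NET Format() method on Windows PowerShell 5.1.

```powershell
# Added example: report the certificate each LDAPS endpoint presents and whether it
# covers the name used to reach it. Hypothetical names from the thread are used below.

function Test-LdapsName {
    # RFC 6125-style match: a wildcard covers exactly one left-most label, so
    # *.contoso.contosocorp.vn matches dc01.contoso.contosocorp.vn but neither
    # ldap.contoso.com.vn (different domain) nor a.b.contoso.contosocorp.vn (two labels).
    param([string]$HostName, [string[]]$DnsNames)
    foreach ($name in $DnsNames) {
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)                      # ".contoso.contosocorp.vn"
            $sameDepth = ($HostName.Split('.').Count -eq $name.Split('.').Count)
            if ($sameDepth -and $HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                return $true
            }
        } elseif ($name -ieq $HostName) {
            return $true
        }
    }
    return $false
}

function Get-LdapsCertificateReport {
    param([string]$Target, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    try {
        # The callback accepts any certificate so that a misconfigured DC is reported
        # rather than hidden behind an exception; trust is evaluated separately below.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Target)                    # sends $Target as SNI
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }

    # Subject Alternative Name is OID 2.5.29.17; Format($false) renders "DNS Name=a, DNS Name=b".
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($sanExt) {
        $dnsNames = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }

    # Chain building answers "was this issued by a CA this machine trusts?" (it also
    # attempts a revocation check with the default policy, which needs CRL/OCSP reachability).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Target       = $Target
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        DaysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Thumbprint   = $cert.Thumbprint
        DnsNames     = ($dnsNames -join ', ')
        NameMatches  = Test-LdapsName -HostName $Target -DnsNames $dnsNames
        ChainTrusted = $trusted
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Targets: the client-facing aliases from the thread plus every DC in the child domain.
$targets = @('ldap.contoso.com.vn', 'ldap.contoso.contosocorp.vn')
if (Get-Command Get-ADDomainController -ErrorAction SilentlyContinue) {
    $targets += (Get-ADDomainController -Filter * -Server 'contoso.contosocorp.vn').HostName
}

foreach ($t in $targets) {
    try {
        Get-LdapsCertificateReport -Target $t
    } catch {
        [pscustomobject]@{ Target = $t; Error = $_.Exception.Message }
    }
} | Format-List
```

Read the report per target: ChainTrusted false or a non-empty ChainStatus points at the issuing CA not being trusted on the querying machine; a small DaysLeft flags an expiring certificate; a DC whose Thumbprint differs from the others was not given the new certificate; and NameMatches false on an alias means clients using that alias will see a name mismatch even though the wildcard covers each DC's own FQDN, because a wildcard matches a single label inside its own domain only. The handshake callback deliberately accepts every certificate, so this script is for auditing, not a pattern for real LDAP clients.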