Active Directory requirements
Each Windows Active Directory (AD) forest must meet the following requirements.
- LDAPS TLS certificate requirements for AD domain controllers
- SRV record requirements for AD LDAP services
LDAPS TLS certificate requirements for AD domain controllers
On each Active Directory domain controller, the TLS certificate used for LDAPS must meet the requirements described in:
Specifically, this certificate:
- Must be stored in the NT Directory Services (NTDS) service's personal certificate store (the service store, not the computer's Local Machine Personal store).
- Must contain the Fully Qualified Domain Name (FQDN) of the domain controller as a DNS entry in the Subject Alternative Name (SAN) extension; a matching Subject Common Name alone does not satisfy this.
- Must use RSA as the public key algorithm.
- Must include Server Authentication (1.3.6.1.5.5.7.3.1) in its Enhanced Key Usage.
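The following PowerShell is an added example, not part of the original page or the product documentation it belongs to: it fetches the certificate a domain controller actually presents on TCP 636 and checks the SAN, key algorithm and EKU requirements above. The function names, parameter names and the hostname `dc01.corp.example.com` are this example's own assumptions.

```powershell
# Added example (not from the original page): check a domain controller's LDAPS
# certificate against the requirements above. Function and parameter names are
# this example's own. Runs on Windows PowerShell 5.1 and PowerShell 7.

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'    # id-kp-serverAuth
$RsaKeyOid     = '1.2.840.113549.1.1.1' # rsaEncryption

function Get-LdapsCertificate {
    # Connect on 636 and return the certificate the DC presents in the TLS handshake.
    param([Parameter(Mandatory)][string]$DcFqdn, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, $Port)
    try {
        # The validation callback returns $true because we are inspecting the
        # certificate, not trusting it; chain trust is a separate check.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($DcFqdn)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$DcFqdn
    )
    # Subject Alternative Name (OID 2.5.29.17), rendered as text such as
    # "DNS Name=dc01.corp.example.com, DNS Name=corp.example.com"
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    $dnsNames = @()
    if ($sanExt) {
        $dnsNames = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }

    # Enhanced Key Usage (OID 2.5.29.37), parsed explicitly so this works even if
    # the extension collection hands back a generic X509Extension.
    $ekuRaw = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
    $ekus = @()
    if ($ekuRaw) {
        $ekuExt = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ekuRaw, $ekuRaw.Critical)
        $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }

    [pscustomobject]@{
        Subject          = $Certificate.Subject
        Thumbprint       = $Certificate.Thumbprint
        NotAfter         = $Certificate.NotAfter
        DnsSans          = $dnsNames
        FqdnInDnsSan     = $dnsNames -contains $DcFqdn        # a CN match alone does not count
        IsRsa            = $Certificate.PublicKey.Oid.Value -eq $RsaKeyOid
        HasServerAuthEku = $ekus -contains $ServerAuthEku     # a missing EKU extension fails as well
    }
}

# Usage (hostname is an assumption for illustration):
$dc = 'dc01.corp.example.com'
Test-LdapsCertificate -Certificate (Get-LdapsCertificate -DcFqdn $dc) -DcFqdn $dc

# Or check an exported certificate offline:
# Test-LdapsCertificate -Certificate (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\dc01.cer') -DcFqdn $dc
```

All three boolean fields must be true for the certificate to pass. The store-location requirement cannot be observed over the wire: list the NTDS service store on the domain controller itself as an administrator (for example with `certutil -service -store NTDS\My`) and confirm that the thumbprint reported above is the one held there; if the DC presents a different certificate than the one you installed, it has typically picked one from the Local Machine Personal store instead.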
SRV record requirements for AD LDAP services
Service Location (SRV) resource records for the LDAP service must be valid for all domains in the forest. Verify this requirement as explained at:
ℹ SRV records do not require extra configuration steps: Active Directory creates and maintains them automatically (the Netlogon service on each domain controller registers them in DNS).
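The following PowerShell is an added example, not from the original page or its product documentation: it enumerates the LDAP SRV records for every domain in the forest and reports any that are missing or whose targets do not resolve. It uses the built-in DnsClient module and, for the default domain list, the ActiveDirectory RSAT module; the function and parameter names and the domain names in the usage line are this example's own assumptions.

```powershell
# Added example (not from the original page): verify the LDAP SRV records for
# every domain in the forest. Function and parameter names are this example's own.

function Test-LdapSrvRecords {
    param(
        [string[]]$Domains = (Get-ADForest).Domains,   # DNS names of every domain in the forest
        [string]$DnsServer                             # optional: query this server instead of the local resolver
    )
    $common = @{ ErrorAction = 'Stop' }
    if ($DnsServer) { $common.Server = $DnsServer }

    foreach ($domain in $Domains) {
        # _ldap._tcp.<domain> is the generic LDAP locator record; the dc._msdcs form
        # is the one the DC locator uses to find domain controllers specifically.
        foreach ($record in @("_ldap._tcp.$domain", "_ldap._tcp.dc._msdcs.$domain")) {
            $result = [ordered]@{ Domain = $domain; Record = $record; Found = $false; Targets = @(); Unresolved = 0; Error = $null }
            try {
                # The answer can carry A records as well; keep only the SRV entries.
                $srv = @(Resolve-DnsName -Name $record -Type SRV @common | Where-Object { $_.Type -eq 'SRV' })
                $result.Found = $srv.Count -gt 0
                $result.Targets = @(foreach ($r in $srv) {
                    # An SRV target that does not itself resolve is unusable by clients.
                    $aQuery = @{ Name = $r.NameTarget; Type = 'A'; ErrorAction = 'SilentlyContinue' }
                    if ($DnsServer) { $aQuery.Server = $DnsServer }
                    $addr = Resolve-DnsName @aQuery
                    [pscustomobject]@{
                        Target   = $r.NameTarget
                        Port     = $r.Port
                        Priority = $r.Priority
                        Weight   = $r.Weight
                        Resolves = ($null -ne $addr)
                    }
                })
                $result.Unresolved = @($result.Targets | Where-Object { -not $_.Resolves }).Count
            } catch {
                # NXDOMAIN or an unreachable server lands here; Found stays $false.
                $result.Error = $_.Exception.Message
            }
            [pscustomobject]$result
        }
    }
}

# Usage: every domain in the forest, through the local resolver
Test-LdapSrvRecords | Format-Table Domain, Record, Found, Unresolved, Error

# Or an explicit domain list against a specific DNS server (names are assumptions):
# Test-LdapSrvRecords -Domains 'corp.example.com', 'child.corp.example.com' -DnsServer 10.0.0.10 |
#     Select-Object -ExpandProperty Targets
```

A row with `Found` false, or with `Unresolved` greater than zero, is a domain whose LDAP locator records clients cannot use. Because these records are registered by Netlogon, a missing record usually points at the DC's DNS registration (dynamic update permissions, the DC's DNS client settings, or replication of the zone) rather than at something to configure by hand; restarting the Netlogon service on the affected domain controller re-registers them.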