LDAP Warning Server 2008 R2

pollardhimself

I have this warning in my events. I've read a little on LDAP; if I were to enable this, how would it affect my Windows XP clients? I will have Windows 7 clients also. What's the best way to set this up for a single Server 2008 R2 DC and a Server 2003 file server? And will it have any effect on any of my applications that have users connecting to the server?


Code:
Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          6/24/2010 3:58:31 PM
Event ID:       2886
Task Category: LDAP Interface
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      PER510.CCI.WORK
Description:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.

For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.

You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="32768">2886</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>16</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2010-06-24T19:58:31.533700200Z" />
    <EventRecordID>3056</EventRecordID>
    <Correlation />
    <Execution ProcessID="604" ThreadID="852" />
    <Channel>Directory Service</Channel>
    <Computer>PER510.CCI.WORK</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
  </EventData>
</Event>
 

phoenix79

Do you have Linux or Mac computers that connect to the DC? If not, then you should be fine to enable it. I was getting this error along with another one saying that there were unsigned LDAP queries being made to our DC after upgrading to 2008 R2. After digging a bit I found out there was a registry key you could change to enable logging of what computers were using unsigned LDAP queries; it turned out it was the Macs we had joined to the domain. If you are an all-Windows shop then you should be OK to do what it says.
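The per-client logging phoenix79 refers to (the "LDAP Interface Events" level-2 setting named in the event text) and the follow-up check that should precede enforcing signing, as an added example that was not posted by anyone in this thread. It assumes an elevated PowerShell session on the 2008 R2 DC, and that the 2889 event's properties are ordered client address, identity, bind type (taken from that event's message layout).

```powershell
# Added example, not from the thread. Run elevated on the domain controller.

# Step 1: raise "LDAP Interface Events" diagnostics to level 2. From then on each
# unsigned SASL bind or cleartext simple bind is logged as event 2889 with the
# client's IP address and the account it bound as (2887 stays the 24-hour summary).
$diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $diagKey -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# Step 2 (a day or more later): summarise which clients are still making such binds.
# Property order assumed from the 2889 message: 0 = client IP:port,
# 1 = identity the client authenticated as, 2 = binding type
# (0 = SASL bind without signing, 1 = simple bind over a cleartext connection).
$unsignedBinds = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } `
                              -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Client   = $_.Properties[0].Value
            Identity = $_.Properties[1].Value
            BindType = $_.Properties[2].Value
        }
    }

if (-not $unsignedBinds) {
    Write-Host 'No 2889 events found: no client has made an unsigned/cleartext bind since logging was raised.'
} else {
    # One row per client/account/bind-type combination, busiest first, so the
    # Macs, NAS boxes or applications that need fixing stand out.
    $unsignedBinds |
        Group-Object Client, Identity, BindType |
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize
}

# Step 3: only once no 2889 events appear for an extended period, require signing.
# LDAPServerIntegrity 2 = Require signing (same as the Group Policy setting
# "Domain controller: LDAP server signing requirements" = Require signing).
# Backing out is setting the value to 1 (None) again.
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
#                  -Name 'LDAPServerIntegrity' -Value 2 -Type DWord

# Step 4: drop diagnostics back to 0 so the Directory Service log is not flooded.
# Set-ItemProperty -Path $diagKey -Name '16 LDAP Interface Events' -Value 0 -Type DWord
```

Apply the enforcement change through Group Policy rather than the registry where a GPO already manages the DC, otherwise the next policy refresh will override the registry value.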
 

pollardhimself

Yes, I am all Windows; I'll enable it. If I run into problems, is it just a matter of un-enabling it?
 

phoenix79

I can't imagine that it'll be a problem if you're not getting the error saying that you're getting unsigned LDAP queries.
 

Emulex

Damn cheapie NAS boxens :) I made them all into iSCSI targets and let Windows do the file sharing/DFS/etc. Just works better.