Each Windows Active Directory forest must meet the following requirements.
LDAPS TLS certificate requirements for Active Directory domain controllers
In each Active Directory domain controller, the TLS certificate for LDAPS must meet the requirements described in:
Specifically, this certificate:
- Must be stored in the NT Directory Services (NTDS) personal certificate store.
- Must contain the FQDN (Fully Qualified Domain Name) of the Domain Controller as a DNS SAN (Subject Alternative Name).
- Must use the RSA algorithm.
- Must include Server Authentication (OID 1.3.6.1.5.5.7.3.1) as an Enhanced Key Usage (EKU).
SRV record requirements for Active Directory LDAP services
Service Location (SRV) resource records for the LDAP Service must be valid for all domains in the forest. Verify this requirement as explained at:
SRV records do not require extra configuration steps, as Active Directory creates and updates them automatically.
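The following script is an added example, not part of the original page or its product: it checks both requirement sets above, first by probing each domain controller's LDAPS endpoint and inspecting the served certificate (DNS SAN with the DC FQDN, RSA key, Server Authentication EKU), then by resolving the LDAP SRV records for every domain in the forest. It assumes a domain-joined host with the ActiveDirectory and DnsClient modules and TCP 636 reachable; domain controller and domain names are read from the forest, nothing is hard-coded.

```powershell
# Added example, not from the original page: probe each domain controller's LDAPS
# endpoint, check the served certificate against the requirements above, and resolve
# the LDAP SRV records of every domain in the forest. Assumptions: a domain-joined
# host with the ActiveDirectory and DnsClient modules and TCP 636 reachable.
Import-Module ActiveDirectory

function Test-LdapsCertificate {
    param([Parameter(Mandatory)][string]$DcFqdn)
    $client = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
    # Accept any chain: the certificate is only inspected here, never relied on.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($DcFqdn)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $client.Dispose() }
    # Subject Alternative Name (2.5.29.17) formats as "DNS Name=host1, DNS Name=host2"
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    # Enhanced Key Usage (2.5.29.37) is surfaced as X509EnhancedKeyUsageExtension
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    [pscustomobject]@{
        DomainController = $DcFqdn
        Thumbprint       = $cert.Thumbprint
        FqdnInDnsSan     = $sanText -match "DNS Name=$([regex]::Escape($DcFqdn))(,|$)"
        RsaKey           = $cert.PublicKey.Oid.Value -eq '1.2.840.113549.1.1.1'  # rsaEncryption
        ServerAuthEku    = [bool]($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1')
        NotAfter         = $cert.NotAfter
    }
}

function Test-LdapSrvRecords {
    # One lookup per forest domain; AD registers and refreshes these records itself.
    foreach ($domain in (Get-ADForest).Domains) {
        $srv = @(Resolve-DnsName -Name "_ldap._tcp.$domain" -Type SRV -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'SRV' })
        [pscustomobject]@{
            Domain      = $domain
            RecordCount = $srv.Count
            Targets     = ($srv.NameTarget -join ', ')
        }
    }
}

# Every DC in every forest domain, then the SRV summary; any $false flags a gap.
$dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
$dcs | ForEach-Object { Test-LdapsCertificate -DcFqdn $_.HostName } | Format-Table -AutoSize
Test-LdapSrvRecords | Format-Table -AutoSize
```

A handshake failure on port 636 (no certificate in the NTDS store at all, or an expired one) surfaces as an exception for that DC rather than a row, which is itself a finding; a RecordCount of 0 for a domain means the SRV requirement is not met there.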