Configuring the signing requirement for the LDAP server

Configuring using the Group Policy Management Console

To configure the signing requirement for the LDAP server using the Group Policy Management Console:

1. Press Win+R, enter gpmc.msc in the displayed window, and press Enter.

   This opens the Group Policy Management snap-in.

2. In the console tree, select Forest <domain name> → Domains → <domain name>.
3. In the context menu of the Default Domain Policy object, select Edit.
4. In the Group Policy Management Editor window, select Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options, and in the workspace, select the Domain controller: LDAP server signing requirements policy.
5. In the policy properties window, select the Define this policy setting check box and in the drop-down list below, select Require signing.
6. Click OK.
7. Bind the group policy object to the domain container in Active Directory.

Configuring using the registry editor

To configure the signing requirement for the LDAP server using the registry editor:

1. Press Win+R, enter regedit in the displayed window, and press Enter.

   This opens the Registry Editor window.

2. Navigate to the following key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters.
3. For the Parameters key, create a new DWORD (32-bit) value named LDAPServerIntegrity that has the value of 2.
4. Restart the Active Directory controller to apply the changes.
5. Repeat steps 1 to 4 on each Active Directory domain controller.

Configuring using PowerShell

To configure the signing requirement for the LDAP server using PowerShell:

On each Active Directory domain controller, run the following command:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters' –Name LDAPServerIntegrity –Value 2

When the changes are applied on the Active Directory domain controller, the LDAP client signing requirement setting can be changed to Require signing.