Active Directory DNS SRV records for LDAPS


I would like to be able to automatically detect the LDAP servers of the Domain Controllers for a Windows Domain. Additionally I would like to use SSL to connect to the LDAP servers.

As far as I know, you can look up the Domain Controllers by getting the SRV records for the name _ldap._tcp.dc._msdcs.<domain> from the DNS, and you get a list of all LDAP servers running on the Domain Controllers. These records are created in the Active Directory's DNS service by the Netlogon service on the Domain Controllers.

Additionally the LDAP service of a Domain Controller automatically supports connections over LDAPS (LDAP over SSL), when a Server Authentication certificate is available in the certificate store of the server.

But unfortunately it seems the Netlogon service does not create SRV records for the LDAPS service, like _ldaps._tcp.dc._msdcs.<domain>. I was wondering if it is possible to tell the service to create these records automatically, or would I have to add the records manually in the Active Directory?

Best Answer

You'll have to add these in manually.

I'm curious as to why this even came up.

You have an LDAP client smart enough to use SRV records and LDAPS, but that does not have the ability to use StartTLS?
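The following PowerShell script is an added example, not code from the question or the accepted answer. It puts together the two points made above: discovering the Domain Controllers through the _ldap._tcp.dc._msdcs SRV records that Netlogon does register, checking which of those DCs actually present a valid Server Authentication certificate on TCP/636, and, since Netlogon will not do it, publishing _ldaps SRV records by hand for the DCs that pass. The domain name `corp.example.com` and the zone variable are placeholders; the `Test-LdapsCertificate` function is my own helper, and `Resolve-DnsName`, `Add-DnsServerResourceRecord` (DnsServer module) and the .NET `SslStream` class are the real APIs used.

```powershell
# Added example (not part of the original post). Assumes PowerShell 5.1+ on a
# domain-joined machine and, for step 3, the DnsServer module plus write rights on the zone.
$Domain = 'corp.example.com'                 # placeholder: your AD DNS domain name
# Where the _msdcs records live depends on your layout: in a forest root it is usually
# the delegated zone "_msdcs.<domain>"; in a child domain it is a subdomain of the domain zone.
$MsdcsZone = "_msdcs.$Domain"                # placeholder: adjust if _msdcs is not a separate zone

function Test-LdapsCertificate {
    # Open a TLS session to the DC and let .NET validate the certificate chain and
    # host name against this machine's trust store, exactly as an LDAPS client would.
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($Server, $Port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)   # throws on an untrusted or mismatched certificate
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{ Server = $Server; Ldaps = $true; Subject = $cert.Subject; NotAfter = $cert.NotAfter; Error = $null }
    } catch {
        # No listener on 636 (no Server Authentication cert installed) or a failed TLS handshake.
        [pscustomobject]@{ Server = $Server; Ldaps = $false; Subject = $null; NotAfter = $null; Error = $_.Exception.Message }
    } finally {
        $client.Dispose()
    }
}

# 1. Discover the DCs through the SRV records Netlogon registers for plain LDAP.
#    Resolve-DnsName also returns A records from the additional section, so keep only SRV.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }

# RFC 2782 ordering: lowest priority first, higher weight preferred within a priority.
$dcs = $srv | Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }

# 2. Check each DC on TCP/636. Being listed in _ldap does not mean LDAPS is enabled there.
$results = foreach ($r in $dcs) {
    $check = Test-LdapsCertificate -Server $r.NameTarget
    [pscustomobject]@{
        Host     = $r.NameTarget
        Priority = $r.Priority
        Weight   = $r.Weight
        Ldaps    = $check.Ldaps
        CertSubj = $check.Subject
        Expires  = $check.NotAfter
        Error    = $check.Error
    }
}
$results | Format-Table -AutoSize

# 3. Publish _ldaps SRV records manually for the DCs that passed, mirroring the
#    priority and weight of their _ldap records. Netlogon does not maintain these,
#    so re-run this step whenever DCs are added, retired, or lose their certificate.
foreach ($dc in $results | Where-Object { $_.Ldaps }) {
    Add-DnsServerResourceRecord -Srv -ZoneName $MsdcsZone -Name '_ldaps._tcp.dc' `
        -DomainName $dc.Host -Port 636 -Priority $dc.Priority -Weight $dc.Weight
}
```

Run steps 1 and 2 from any domain member to see the same picture an LDAPS client would; a DC that appears in the table with `Ldaps` false and a "connection refused" style error simply has no Server Authentication certificate installed, while a handshake error with a listener present usually means the certificate chain or subject name is not trusted by the client. Only run step 3 on a DNS server (or against one with `-ComputerName`) once you have decided to maintain the hand-made records as part of DC lifecycle changes.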