Score:0

Ldap service not running on Windows Server 2019

ao

I have two Windows Server 2019 machines, e.g. server1 and server2. server1 is the domain controller. server1 has the below roles installed: ADDS, ADCS, DNS, FILE STORAGE, IIS.

server2 is connected to that domain controller. server1 has the below roles installed: ADCS, FILE STORAGE, IIS.

I have set up PKI on server1 and everything works fine. I am able to use the CRL as well as the OCSP feature for certificate validation.

I wanted to make server2 a subordinate CA of server1 (root CA), installed the corresponding roles (ADCS), and am able to distribute user certificates, and it's working fine. But I am not able to test the CRL functionality on server2, as it requires LDAP binding with server2.

As I debugged it further, I found that the LDAP server is not running on server2. I checked that port 389 is listening on server1 but not on server2.

So how do I enable the LDAP service on server2? I am not able to test the CRL functionality of the PKI, because the CDP URL is an LDAP address.

Score:0
in

LDAP is not a prerequisite for ADCS. If your company uses ADDS, then you have the option to deploy Enterprise CAs to simplify certificate issuance and deployment to users and computers.

If you do not have an AD domain, then you install Standalone CAs.

That is why your approach makes no sense. You would not install ADDS on server2 only to run an intermediate CA.

There are many ways to set up a PKI infrastructure, and it seems you should read up on that topic to get a little understanding of how to achieve what you need. I suggest you start with this guide: https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/designing-and-implementing-a-pki-part-i-design-and-planning/ba-p/396953

But to answer your question: Join server2 to the same AD domain as server1 and install an Enterprise Subordinate CA. If you plan on having your Root CA online (which I assume), then it should be an Enterprise Root CA.

However, if you plan on implementing a multi-tier PKI your root CA should be standalone and offline. You also should never install a CA on your domain controller. And your CDP and AIA locations should be on an HTTP server only, optionally also deploying an additional OCSP server.

In small businesses where certificates are required only internally, you could get away with installing a single Enterprise Root CA and also using LDAP as your CDP and AIA locations.

I strongly suggest you read up on the article, if you plan to put your PKI to production.
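The answer's recommendation to put CDP and AIA locations on an HTTP server, worked through as an added example (this is not code from the original post or from Microsoft's guide). It assumes an Enterprise Subordinate CA already installed, a web server reachable as pki.example.com with web root C:\inetpub\pki, and a test certificate saved as .\issued.cer; all of these names are placeholders chosen for the example. The `certutil -setreg` registry values, the `%3%8%9` / `%1_%3%4` tokens, and the numeric publication flags are the standard ADCS ones.

```powershell
# Added example: configure HTTP-only CDP/AIA on an Enterprise Subordinate CA
# and verify that revocation data for an issued certificate is reachable.
# Placeholders (assumed for this example): pki.example.com, C:\inetpub\pki, .\issued.cer

$HttpBase = 'http://pki.example.com/pki'   # assumed web server URL for CRL/CA cert

# Publication flag values used by certutil -setreg (standard ADCS meanings):
#   1  = publish the CRL / CA certificate to this location
#   2  = include this URL in the CDP (or AIA) extension of issued certificates
#   4  = include this URL in the "Freshest CRL" (delta) extension of CRLs
#  64  = publish delta CRLs to this location
# The local file location keeps 65 (1+64) so the CA still writes its CRLs to
# disk; only the HTTP URL (2+4 = 6) ends up inside issued certificates, so
# clients never need an LDAP bind to check revocation.
$Cdp = @(
  '65:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl',
  "6:$HttpBase/%3%8%9.crl"
) -join '\n'   # certutil expects a literal \n between entries

$Aia = @(
  '1:C:\Windows\System32\CertSrv\CertEnroll\%1_%3%4.crt',
  "2:$HttpBase/%1_%3%4.crt"
) -join '\n'

certutil -setreg CA\CRLPublicationURLs $Cdp
certutil -setreg CA\CACertPublicationURLs $Aia

# The new extension settings apply only to certificates issued after a restart.
Restart-Service -Name CertSvc

# Publish a fresh CRL, then copy the CRL and CA certificate to the web root
# (assumed local path; in practice this copy is scripted or uses a UNC path).
certutil -CRL
Copy-Item 'C:\Windows\System32\CertSrv\CertEnroll\*.crl' 'C:\inetpub\pki\'
Copy-Item 'C:\Windows\System32\CertSrv\CertEnroll\*.crt' 'C:\inetpub\pki\'

# Sanity check: the distribution point is an HTTP listener, so test port 80,
# not port 389 as the question did.
Test-NetConnection -ComputerName 'pki.example.com' -Port 80

# Fetch every CDP/AIA URL in the certificate chain and report each one's status.
# Every URL in the output should show as verified; a failing URL is the one to fix.
certutil -verify -urlfetch .\issued.cer
```

Run this on the subordinate CA with administrative rights. The `certutil -verify -urlfetch` step is the check the question was trying to perform: it exercises the CDP and AIA URLs embedded in the certificate, which after this change are HTTP and resolve without any LDAP service on server2.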
