Windows Server 2019 Installation Hands-On Setup Guide

This guide walks through the complete process of preparing a clean Windows Server 2019 installation for secure directory services. In just a few steps, you’ll bring the server entirely up to date, install and promote Active Directory Domain Services (AD DS) to create a new forest, and enable LDAP over SSL (LDAPS) for encrypted communication.

The resulting environment provides a controlled, self-contained directory system ideal for testing and validating Metaform’s LDAP connector. By simulating a realistic Active Directory deployment — complete with user accounts, secure authentication, and SSL-encrypted LDAP bindings — developers can verify that Metaform’s connector correctly performs queries, binds, and schema lookups without relying on external infrastructure or production networks.

This configuration is advantageous for:

  • Reproducing authentication and access scenarios during connector development
  • Validating schema mappings and search filters against a known dataset
  • Ensuring LDAPS-based encryption and credential handling work as expected

Each section includes a short “Why” paragraph that explains the purpose of the action, along with a PowerShell block that can be executed directly in an elevated session, making the entire setup reproducible and automation-friendly.


Before You Begin

Run all commands in PowerShell as Administrator on a clean Windows Server 2019 installation. Make sure the server has:

  • A static IP address
  • A descriptive hostname (e.g., METAFORM-DC1)
  • Internet connectivity for updates and module installation

Installation

Apply All Available Windows Updates

Why

Keeping Windows fully patched ensures the latest security fixes, performance improvements, and compatibility updates are applied before installing core server roles.

# Run as Administrator

Set-ExecutionPolicy -Scope Process RemoteSigned -Force
if ((Get-PSRepository PSGallery -ErrorAction SilentlyContinue).InstallationPolicy -ne 'Trusted') { Set-PSRepository PSGallery -InstallationPolicy Trusted }
if (-not (Get-PackageProvider NuGet -ErrorAction SilentlyContinue)) { Install-PackageProvider NuGet -Force }
if (-not (Get-Module -ListAvailable PSWindowsUpdate)) { Install-Module PSWindowsUpdate -Force }
Import-Module PSWindowsUpdate
Get-WindowsUpdate -MicrosoftUpdate                                        # list pending updates (Microsoft Update catalog, not just Windows Update)
Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot -Verbose    # install everything; re-run after the reboot until nothing is pending

Install and Promote Active Directory Domain Services

Why

Promoting the server to a domain controller establishes the foundation for identity and access control: it becomes the authority for the new forest and provides centralized authentication (Kerberos, NTLM, LDAP binds) and management for everything joined to it.

# Run as Administrator

Set-ExecutionPolicy -Scope Process RemoteSigned -Force
Rename-Computer -NewName "METAFORM-DC1" -Force
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

🔁 Reboot the server before continuing to ensure all system changes and role installations are fully applied. This step finalizes the computer rename, activates the AD DS role, and prepares the system for domain promotion.

# Run as Administrator
# Promote to Domain Controller (create a new forest)

Import-Module ADDSDeployment
# Lab-only: the Directory Services Restore Mode password is hard-coded so the guide is
# reproducible. Outside an isolated lab, prompt for it (Read-Host -AsSecureString)
# rather than leaving it in a script; it is the offline recovery credential for the directory.
$dsrm = ConvertTo-SecureString "Getnew1" -AsPlainText -Force
Install-ADDSForest `
  -DomainName "metaform.local" `
  -DomainNetbiosName "METAFORM" `
  -SafeModeAdministratorPassword $dsrm `
  -InstallDNS `
  -Force

After the automatic reboot, verify that the server is a domain controller and that the directory passes its own health checks:

Get-ADDomainController
dcdiag /v

Optional: create a domain admin test account and enable Remote Desktop

Import-Module ActiveDirectory
# Lab-only: the same weak, hard-coded password as the DSRM account above.
# The UPN is set explicitly so the account can be used as metaform@metaform.local
# in the bind tests later in this guide.
$pw = ConvertTo-SecureString "Getnew1" -AsPlainText -Force
New-ADUser -Name "metaform" -SamAccountName "metaform" `
  -UserPrincipalName "metaform@metaform.local" `
  -Path "CN=Users,DC=metaform,DC=local" `
  -AccountPassword $pw -Enabled $true
Add-ADGroupMember -Identity "Domain Admins" -Members "metaform"
# Enable RDP and open its predefined firewall rule group
Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Terminal Server" fDenyTSConnections 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

Enable SSL Support for Active Directory

Why

Enabling LDAPS wraps directory traffic between clients and the domain controller in TLS, protecting credentials (especially simple binds, which otherwise send the password in cleartext) and sensitive attributes from interception. It is essential for secure authentication, for integrations that must meet compliance requirements, and for any application that binds to Active Directory across an untrusted network segment. LDAP over the public Internet should not be exposed at all, encrypted or not.

# Run as Administrator

# Create a self-signed cert valid for LDAPS
$cert = New-SelfSignedCertificate `
  -DnsName "METAFORM-DC1.metaform.local","localhost","127.0.0.1" `
  -CertStoreLocation "Cert:\LocalMachine\My" `
  -FriendlyName "AD LDAPS Self-Signed" `
  -KeyLength 2048 `
  -KeyExportPolicy Exportable `
  -NotAfter (Get-Date).AddYears(5) `
  -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")

# Verify certificate created
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*METAFORM-DC1*" }

# Allow inbound LDAPS. As written this rule accepts any source address; outside an
# isolated lab, scope it with -RemoteAddress (e.g. the test subnet) and -Profile Domain.
New-NetFirewallRule -DisplayName "Allow LDAPS" -Direction Inbound -Protocol TCP -LocalPort 636 -Action Allow
# Restart so the LDAP server re-reads the machine certificate store and picks up the new certificate
Restart-Computer -Force

After the reboot, confirm that LDAPS is listening on TCP port 636. (The restart is what makes the LDAP server reload its certificate; a domain controller can also be told to do this without a reboot by writing the rootDSE attribute renewServerCertificate, but for a lab the reboot is the simplest path.)

Test-NetConnection localhost -Port 636

💡 Note: The self-signed certificate provides encryption but not trusted identity validation: clients will reject it unless they either import it into their trusted root store or explicitly disable verification. For production use, replace it with a CA-issued certificate whose subject or SAN matches the DC's FQDN.


Conclusion

With these steps complete, your Windows Server 2019 host now operates as a fully functional, self-contained domain controller for the metaform.local forest. The system is fully patched and supports both unencrypted (389) and encrypted (636) directory access. Nothing in this guide hardens the DC beyond defaults (LDAP signing and channel binding are not enforced, and RDP is open), so keep it on an isolated lab network. The configuration enables integration with applications, LDAP clients, and remote management tools that rely on secure directory communication.

The following services and ports are now active and ready for use:

Service                Protocol   Port        Description
LDAP                   TCP        389         Standard directory access (unencrypted)
LDAPS                  TCP        636         Encrypted directory access via SSL/TLS
Kerberos               TCP/UDP    88          Authentication for domain logons
DNS                    TCP/UDP    53          Name resolution for Active Directory
Global Catalog         TCP        3268        Forest-wide searches (non-SSL)
Global Catalog (SSL)   TCP        3269        Forest-wide searches over SSL
SMB / RPC              TCP        445, 135    Replication, management, and file services
RDP                    TCP        3389        Remote administrative access

Your directory is now reachable through both LDAP (389) and LDAPS (636) for local and remote clients, depending on firewall rules. The self-signed certificate makes encrypted communication available immediately (once each client trusts it) and leaves a smooth upgrade path to a trusted CA-signed certificate.

This setup provides a secure, isolated Active Directory foundation—ideal for development, testing, and integration work. Next steps might include joining client machines to the domain, configuring group policies, or integrating applications that require LDAP authentication.


Troubleshooting

Even after setup completes successfully, LDAPS connectivity can fail for several common reasons—usually related to certificates, hostname mismatches, or firewall restrictions. The following tools and checks will help you confirm that everything is functioning as intended.

Verify LDAPS Port Availability

Confirm that port 636 is open and accepting connections locally and remotely.

# From the domain controller
Test-NetConnection localhost -Port 636

# From a remote client or another server
Test-NetConnection METAFORM-DC1.metaform.local -Port 636

Expected result: TcpTestSucceeded : True

If the test fails:

  • Check that the Active Directory Domain Services service (NTDS) is running.
  • Confirm the LDAPS firewall rule is enabled and that its scope includes the client's address.
  • Ensure the certificate exists in Cert:\LocalMachine\My with a private key, the Server Authentication EKU, and a CN or SAN matching the DC's FQDN; if it was created after the last restart, the LDAP server has not loaded it yet.

Check the Certificate Binding

Use this command to confirm that the certificate is visible to AD DS:

Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match "METAFORM-DC1" }

Expected result: a certificate with:

  • Subject: CN=METAFORM-DC1.metaform.local (the first -DnsName value becomes the CN; the others become SAN entries)
  • Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1)
  • HasPrivateKey: True

If no certificate is shown, rerun the New-SelfSignedCertificate command or check for typos in -DnsName.

Use LDP.EXE for SSL Bind Testing

Microsoft’s built-in LDP tool provides a GUI-based way to validate LDAPS.

  1. Run ldp.exe from Start → Run (or PowerShell).
  2. Select Connection → Connect…
  3. Enter the hostname: METAFORM-DC1.metaform.local
  4. Set Port: 636
  5. Check SSL → Click OK

If the connection succeeds, go to Connection → Bind… and attempt to bind using the account created earlier:

User: metaform@metaform.local
Password: Getnew1

Expected result: the status pane reports a successful bind ("Authenticated as: …" for the metaform account).

If it fails with an SSL or credential error:

  • Verify the certificate's CN or SAN matches the hostname used in the connection (use the FQDN, not the short name or an IP address).
  • Ensure the certificate includes the "Server Authentication" EKU.
  • Ensure the client trusts the certificate: a self-signed certificate must be imported into the client's Trusted Root Certification Authorities store, or the SSL connection is rejected before any bind is attempted.
  • If the SSL connection works but the bind fails, the problem is the credential, not TLS: check the account exists, is enabled, and that the password is correct.
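The same two checks ldp.exe performs by hand (does the DC present a usable certificate on 636, and does a bind over it succeed) can be scripted against the certificate created in the LDAPS section. The following is an added example, not code from the original guide or from the Metaform connector: it completes a TLS handshake to port 636 and reports what the DC actually presents, then does a simple bind over LDAPS and a search with System.DirectoryServices.Protocols. The host name, the metaform@metaform.local account and the base DN are the lab values assumed from this guide; the function names are this example's own.

```powershell
# Added example (not part of the original guide): client-side LDAPS checks.
# Runs from any Windows host with PowerShell 5.1+; the DC itself works too.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LdapsServerCertificate {
    param([Parameter(Mandatory)] [string] $Server, [int] $Port = 636)
    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    $ssl = $null
    try {
        # Accept whatever is presented: this function inspects the certificate, it does not trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        # Subject Alternative Name (2.5.29.17) rendered as text, e.g. "DNS Name=METAFORM-DC1.metaform.local, DNS Name=localhost, ..."
        $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }) -join ''
        $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        [pscustomobject]@{
            Protocol        = $ssl.SslProtocol
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            SelfSigned      = ($cert.Subject -eq $cert.Issuer)
            NotAfter        = $cert.NotAfter
            Expired         = ($cert.NotAfter -lt (Get-Date))
            Thumbprint      = $cert.Thumbprint
            SanDnsNames     = $san
            NameMatchesHost = ($san -imatch [regex]::Escape($Server))
            ServerAuthEku   = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

function Test-LdapsBind {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string] $BaseDn,
        [switch] $TrustAnyCertificate   # lab only: needed until the self-signed cert is in the client's trusted roots
    )
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, 636, $true, $false)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    try {
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.SessionOptions.SecureSocketLayer = $true   # LDAPS on 636 (not StartTLS on 389)
        if ($TrustAnyCertificate) {
            $conn.SessionOptions.VerifyServerCertificate =
                [System.DirectoryServices.Protocols.VerifyServerCertificateCallback]{ param($c, $cert) $true }
        }
        # Simple bind: the password travels in the clear inside the TLS tunnel, so never do this on 389.
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Bind([System.Net.NetworkCredential]::new($UserPrincipalName, $Password))   # throws LdapException on failure

        $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $BaseDn, '(&(objectClass=user)(objectCategory=person))',
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            [string[]]@('sAMAccountName', 'userPrincipalName'))
        $req.SizeLimit = 50
        $res = $conn.SendRequest($req)
        foreach ($entry in $res.Entries) {
            $upnAttr = $entry.Attributes['userPrincipalName']   # null when the attribute is not set
            $upn = if ($upnAttr) { [string]$upnAttr[0] } else { '' }
            [pscustomobject]@{
                DN  = $entry.DistinguishedName
                sAM = [string]$entry.Attributes['sAMAccountName'][0]
                UPN = $upn
            }
        }
    } finally {
        $conn.Dispose()
    }
}

# Usage with this guide's lab values (assumed; adjust for your environment):
Get-LdapsServerCertificate -Server 'METAFORM-DC1.metaform.local' | Format-List
$pw = Read-Host -AsSecureString 'Password for metaform@metaform.local'
Test-LdapsBind -Server 'METAFORM-DC1.metaform.local' -UserPrincipalName 'metaform@metaform.local' `
    -Password $pw -BaseDn 'DC=metaform,DC=local' -TrustAnyCertificate | Format-Table -AutoSize
```

Read the first function's output the way ldp.exe's error would make you: NameMatchesHost false means you connected by a name the certificate does not carry, ServerAuthEku false means the DC should not have selected this certificate at all, and SelfSigned true with no -TrustAnyCertificate in the second call is exactly the trust failure the note in the LDAPS section warns about. Drop -TrustAnyCertificate once the certificate is imported into the client's trusted roots (or replaced by a CA-issued one) so the bind test also proves the trust chain.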

Validate with LDAPSEARCH (Linux or WSL)

For external validation from a Linux host or Windows Subsystem for Linux (WSL), connect with ldaps:// so the test exercises port 636, use -x so -D/-w perform a simple bind (without -x, ldapsearch attempts SASL and ignores the password), and tell the client what to do about the self-signed certificate:

# LDAPTLS_REQCERT=never disables certificate verification (lab only). The better option is to
# export the DC certificate and point the client at it with LDAPTLS_CACERT=/path/to/dc.pem.
LDAPTLS_REQCERT=never ldapsearch -d 1 -x \
  -H ldaps://METAFORM-DC1.metaform.local \
  -D "metaform@metaform.local" \
  -w "Getnew1" \
  -b "DC=metaform,DC=local" "(objectClass=user)"

With -d 1 the TLS negotiation and the bind result are printed before the entries, so a certificate or hostname problem is visible even when the search itself returns nothing.

Review Event Logs

Open Event Viewer → Applications and Services Logs → Directory Service and look for entries related to:

  • Event ID 1220 – LDAP over SSL is unavailable because the DC could not obtain a usable server certificate. This is the failure case: it should not appear once the certificate is in place and the DC has been restarted.
  • Event ID 2886 – warning that LDAP signing is not being enforced on this DC.
  • Event ID 2887 – daily summary count of simple binds performed without TLS and SASL binds performed without signing. Informational, but it tells you whether clients are still talking to the directory in cleartext.

The absence of 1220 after the restart, together with port 636 accepting TLS connections, confirms that the domain controller picked up a certificate for LDAPS.
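Those three events can be pulled and labelled from PowerShell instead of scrolling Event Viewer. The following is an added example, not part of the original guide: it queries the Directory Service log on the DC for the events listed above (plus 2889, the per-client detail record that accompanies 2887 once LDAP interface diagnostics are raised), and includes a helper that sets that diagnostics level. The function names and the 7-day window are this example's own choices.

```powershell
# Added example (not part of the original guide): run on the domain controller in an elevated session.
function Get-LdapSecurityEvents {
    param([int] $Days = 7)

    $meanings = @{
        1220 = 'LDAPS unavailable: the DC found no usable server-authentication certificate'
        2886 = 'Warning: LDAP signing is not enforced on this DC'
        2887 = 'Summary: unsigned or cleartext (simple, non-TLS) binds were seen in the last 24 h'
        2889 = 'Detail: a specific client performed an unsigned or cleartext bind'
    }
    $filter = @{
        LogName   = 'Directory Service'
        Id        = @($meanings.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events"
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Meaning = $meanings[[int]$_.Id]
                # Event-specific values: the two bind counts in 2887, the client address and account in 2889
                Details = ($_.Properties | ForEach-Object { $_.Value }) -join ' | '
            }
        }
}

# 2889 is only written when "16 LDAP Interface Events" diagnostics is raised to 2.
# Set it back to 0 when done; level 2 is chatty on a busy DC.
function Set-LdapInterfaceDiagnostics {
    param([ValidateRange(0, 5)] [int] $Level = 2)
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
        -Name '16 LDAP Interface Events' -Value $Level -Type DWord
}

Get-LdapSecurityEvents -Days 7 | Format-Table -AutoSize
```

If 2887 shows non-zero counts while you believe every client uses LDAPS, raise the diagnostics level, wait for the next binds, and the 2889 entries will name the client address and account still binding in cleartext on 389.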

Common Resolutions

Symptom                        Likely cause                     Resolution
LDAPS fails but LDAP works     Missing or invalid certificate   Reissue the self-signed or CA cert
SSL errors in ldp.exe          Hostname mismatch                Use a CN or SAN that matches the FQDN
Connection refused             Port blocked                     Verify the Windows Firewall rule
Works locally, not remotely    DNS or firewall issue            Confirm name resolution and rule scope
Bind succeeds but TLS error    Expired cert                     Regenerate or import a new certificate

We're actively preparing more detailed documentation and will be adding it here shortly.