We want to enable LDAPS on our doman controllers. If I use Domain Controller certs, I can get it to work by pointing my LDAPS queries at the hostname FQDN of the server. I want to be able to put the FQDN of the domain into a SAN on the Domain Controller certs so we can just point the LDAPS queries at the domain FQDN for fault tolerance. I tried using Web Server certs on the domain controllers, where I can add the SAN entries. I cannot connect to the FQDN of the host or the domain if I use that cert. Is there a way to add SANs on the Domain Controller certs? I might mention that I am using Server 2008 R2 on the CA and domain controllers

Instead use the 'Kerberos Authentication' templates that come with Windows Server 2008. It includes a SAN containing the server name and the DNS domain name (and NETBIOS).

This is *exactly* what we needed. Thanks for the help.