Windows Server 2008 R2 - LDAP Enabling
All,
I recently installed Windows Server 2kR2 and then installed the AD DS role and ran dcpromo.exe. After the install and configuration I received the warning message below. I tried to enable LDAP, however it doesn't seem to work properly, because after a fresh boot-up I still have the same warning message. Does anyone know what I am doing wrong? Or better, can anyone point me to step-by-step instructions on how to properly set up LDAP, so I can confirm that I followed the proper routine for the install?
Thanks for the help.
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 8/31/2011 10:15:18 PM
Event ID: 2886
Task Category: LDAP Interface
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: PRM.mh.domain.com
Description:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed
on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory
server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended
that you configure the server to reject such binds.
For more details and information on how to make this configuration change to the server, please see
http://go.microsoft.com/fwlink/?LinkID=87923.
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
<EventID Qualifiers="32768">2886</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>16</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2011-09-01T02:15:18.438118500Z" />
<EventRecordID>62</EventRecordID>
<Correlation />
<Execution ProcessID="556" ThreadID="704" />
<Channel>Directory Service</Channel>
<Computer>PRM.mh.domain.com</Computer>
<Security UserID="S-1-5-7" />
</System>
<EventData>
</EventData>
</Event>
Phil
September 1st, 2011 11:01pm
Hi,
Please refer to the following links to fix the above error:
Event ID 2886 — LDAP signing
http://technet.microsoft.com/en-us/library/dd941829(WS.10).aspx
How to enable LDAP signing in Windows Server 2008
http://support.microsoft.com/kb/935834
Active Directory Domain Service (Event ID 2886) SASL/LDAP Binds
http://smartbserver.net/2010/10/adds/
In the meantime, you can ignore this warning if you do not want to force all the clients using LDAP signing.
Thanks.
Nina
September 6th, 2011 4:55am
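The links above describe the two-step approach Microsoft recommends: first raise the "LDAP Interface Events" diagnostic level so each unsigned or cleartext bind is logged with the client that made it, then, once no such binds are seen, require signing. The following PowerShell script, added here as an illustration and not part of the original thread, does the audit and the optional enforcement on a single domain controller. It assumes the registry locations documented in KB 935834 (NTDS\Parameters\LDAPServerIntegrity and NTDS\Diagnostics\16 LDAP Interface Events), Event ID 2887 for the 24-hour summary and 2889 for the per-client event, and that the first insertion string of event 2889 is the client address; the -Enforce switch is this script's own.

```powershell
<#
  Added example (not from the thread above): audit LDAP signing on a
  Windows Server 2008 R2 domain controller and optionally enforce it.

  Assumed registry values (from Microsoft's LDAP signing guidance, KB 935834):
    HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
        0 = signing not required, 2 = signing required (SASL binds must request
            signing, simple binds must use TLS)
    HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\16 LDAP Interface Events
        2 = log one event per offending bind, including the client address
  Run in an elevated PowerShell session on each DC.
#>
param(
    [switch]$Enforce   # set LDAPServerIntegrity=2; only do this after clients are fixed
)

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$diagName  = '16 LDAP Interface Events'

# 1. Report the current enforcement state (missing value behaves like 0).
$current = (Get-ItemProperty -Path $paramsKey -Name 'LDAPServerIntegrity' `
            -ErrorAction SilentlyContinue).LDAPServerIntegrity
if ($null -eq $current) { $current = 0 }
Write-Host "LDAPServerIntegrity is currently $current (0 = not required, 2 = required)"

# 2. Raise LDAP Interface Events to level 2 so every unsigned SASL bind or
#    cleartext simple bind is logged with the client that sent it. This is the
#    "raise the setting ... to level 2 or higher" step from event 2886.
Set-ItemProperty -Path $diagKey -Name $diagName -Value 2 -Type DWord
Write-Host "Diagnostic level for '$diagName' set to 2"

# 3. Summarize offending clients already recorded in the Directory Service log.
#    2887 = daily summary count, 2889 = per-client detail (assumed: first
#    insertion string holds the client IP:port).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887, 2889 } `
          -ErrorAction SilentlyContinue

$summaries = @($events | Where-Object { $_.Id -eq 2887 })
$details   = @($events | Where-Object { $_.Id -eq 2889 })

Write-Host ("Summary events (2887) found: {0}" -f $summaries.Count)
if ($details.Count -eq 0) {
    Write-Host 'No per-client events (2889) yet; wait for clients to bind after raising the level.'
} else {
    # Strip the port so repeated binds from one host collapse into one row.
    $details |
        ForEach-Object { ($_.Properties[0].Value -split ':')[0] } |
        Group-Object |
        Sort-Object Count -Descending |
        Format-Table @{ Label = 'Client'; Expression = { $_.Name } },
                     @{ Label = 'UnsignedBinds'; Expression = { $_.Count } } -AutoSize
}

# 4. Enforce only when asked, and only if the audit above came back clean.
if ($Enforce) {
    if ($details.Count -gt 0) {
        Write-Warning 'Clients still use unsigned/cleartext binds; fix them before enforcing.'
    } else {
        Set-ItemProperty -Path $paramsKey -Name 'LDAPServerIntegrity' -Value 2 -Type DWord
        Write-Host 'LDAPServerIntegrity set to 2: unsigned SASL binds and cleartext simple binds are now rejected.'
    }
}
```

Run it without switches for a few days (the 24-hour summary in event 2887 tells you whether anything is still binding insecurely), fix or reconfigure each client that shows up in the table, and only then run it again with -Enforce. Because LDAPServerIntegrity is per-server, setting it through the "Domain controller: LDAP server signing requirements" Group Policy on the Default Domain Controllers Policy keeps every DC in the domain consistent rather than relying on the registry write on each one.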