Our cybersecurity team instructed us to disable LDAP in favor of LDAPS. I'm wondering how challenging this migration can be. Has anyone else tackled this transition? What should I consider during the process?
5 Answers
I recently went through an upgrade to Windows Server 2025 DCs. LDAPS is supported by default, and things went pretty smoothly with our Windows 11 endpoints. Just some extra attention was needed for applications that connect to AD for single sign-on.
You can check which apps are still using LDAP by enabling audit mode on your domain controllers with a simple GPO. This way, you can find out what's not using LDAPS. Most systems usually support both, but I've faced issues where some apps wouldn't accept larger certificate hashes.
Be sure to look at each app and see if it relies on LDAP. If it does, you'll need to migrate it. It’s a good idea to create a local admin account as a backup for when LDAP logins fail during the transition.
From what I know, you can't completely disable LDAP in an Active Directory environment. However, it's crucial to disable insecure LDAP and only use LDAPS for clients or devices that need it.
I've migrated before, and it's mostly about monitoring which applications still use LDAP. You should migrate them over one by one, and then you're set! Just keep an eye on everything during the switchover.

Related Questions
Can't Load PhpMyadmin On After Server Update
Redirect www to non-www in Apache Conf
How To Check If Your SSL Cert Is SHA 1
Windows TrackPad Gestures