I have an Active Directory domain that ends with .local, and I cannot rename the domain because I have Exchange 2010. I use certificates from a public Certificate Authority on some of my domain controllers so that I can use LDAPS with a few Linux servers and virtual appliances.
I thought it might be possible for me to create a .com CNAME for my domain controllers and purchase a certificate. However, I could not make a successful LDAPS connection.
Here's the error message from ldp.exe:
ld = ldap_sslinit("dc2.example.com", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to dc2.example.com.
I then requested a certificate with dc2.example.local as a subject alternative name (SAN) and was able to connect successfully to dc2.example.com.
I've observed the same behavior using Apache LDAPS and openssl s_client, and as far as I can tell the domain controller simply does not use the certificate unless the .local SAN is present.
Does anyone know if this can be made to work without the .local SAN?
Thank you,
Michael
Edit: The domain controllers are all Windows Server 2012 R2.
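The two checks a practitioner would want before requesting another certificate, as an added example that is not part of the question above: first, which certificates in the domain controller's machine store Schannel could offer on TCP 636 (private key present, Server Authentication EKU or no EKU at all) and what DNS names each carries in its SAN; second, a TLS handshake against port 636 that returns the certificate the DC actually presents, rather than inferring it from ldp.exe's error 81. The host names dc2.example.local and dc2.example.com are assumptions taken from the question; substitute your own.

```powershell
# Added example, not code from the original post. Assumed names: dc2.example.local is the
# DC's AD FQDN and dc2.example.com is the public CNAME; adjust both for your environment.

# Parse the DNS entries out of a certificate's Subject Alternative Name extension (OID 2.5.29.17).
function Get-CertificateDnsName {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # Format($false) renders the extension as "DNS Name=a, DNS Name=b, ..."
    @($san.Format($false) -split ',\s*' |
        Where-Object { $_ -like 'DNS Name=*' } |
        ForEach-Object { $_.Substring('DNS Name='.Length) })
}

# 1. Run on the DC: which machine-store certificates are candidates for LDAPS, and does any
#    of them carry the DC's own FQDN in its SAN?
function Get-LdapsCandidateCertificate {
    param([string]$DcFqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName))

    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        # A certificate with no EKU extension is usable for any purpose, including server auth.
        $serverAuth = ($ekus.Count -eq 0) -or ($ekus -contains '1.3.6.1.5.5.7.3.1')
        $dnsNames = Get-CertificateDnsName -Certificate $cert

        [pscustomobject]@{
            Thumbprint  = $cert.Thumbprint
            Subject     = $cert.Subject
            ServerAuth  = $serverAuth
            DnsNames    = ($dnsNames -join ';')
            MatchesFqdn = ($dnsNames -contains $DcFqdn)
            NotAfter    = $cert.NotAfter
        }
    }
}

# 2. Run from any Windows host: complete a TLS handshake on 636 and return the certificate
#    the server sent. The callback accepts any chain so an untrusted or mis-named certificate
#    is still returned for inspection instead of being hidden behind a validation error.
function Get-LdapsPresentedCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 636)

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $errors)
            $true
        }
        $tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $tls.AuthenticateAsClient($HostName)   # the host name is sent as SNI
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
    }
    finally {
        $tcp.Close()
    }
}

# Usage on the domain controller:
Get-LdapsCandidateCertificate -DcFqdn 'dc2.example.local' | Format-Table -AutoSize

# Usage from a client, against the public CNAME:
$presented = Get-LdapsPresentedCertificate -HostName 'dc2.example.com'
$presented.Subject
Get-CertificateDnsName -Certificate $presented
```

Because the validation callback returns true unconditionally, a name mismatch or untrusted chain does not stop the second function; it still returns the certificate so its SAN can be read. An exception thrown from AuthenticateAsClient therefore means the handshake itself did not complete, which is the situation ldp.exe reports as error 81 above. Compare the DNS names returned by the first function with the FQDN the DC knows itself by; the question's observation is that a certificate listing only dc2.example.com is not selected, while one that also lists dc2.example.local is.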