Responding to an Active Directory Warning - Event ID 2886

June 21, 2011

Copyright © 2011 by World Class CAD, LLC. All Rights Reserved.

Responding to Server Warnings

We observe there is a single warning for the Active Directory role on the 2008 Server. We double-click on the warning to read about the problem.

The Event Properties Window

The warning is Event ID 2886 concerning LDAP signing and computer security. We decide to investigate the warning further and we double-click on the more information hyperlink.

Microsoft Support Website

The support article for the 2886 warning is titled “How to enable LDAP signing in Windows Server 2008”. Following the article, we can change the Group Policy for LDAP signing to enhance the server’s security.

The next slides will take us through the procedure and they include images for each step.

Running Microsoft Management Console (MMC)

To begin the process, we click on the Start button, select Run, type “mmc” and press the OK button.

MMC stands for the Microsoft Management Console, which allows the Administrator of a server to create custom consoles to manage their machine.

Adding a Snap In

On the Menu bar, we pick File and we select Add/Remove Snap‐in. 

Add Group Policy Management Editor

In the Available Snap‐ins, we will choose Group Policy Management Editor and then we press the Add button.

The Group Policy Wizard

The Group Policy Object (GPO) textbox is empty in the Group Policy Wizard window so we will want to select the Browse button.

Choose the Policy

In the Browse for a Group Policy Object window, we highlight Default Domain Policy and then we press the OK button. We see the Default Domain Policy in the GPO textbox and we select Finish.

Default Domain Policy Snap In

We see the Default Domain Policy Snap In in the right pane, so we press the OK button.

Expanding the Domain Policies Folder

We now will expand the Default Domain Controller Policy, then Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, and then Security Options. We double-click on Domain controller: LDAP server signing requirements to open the Properties window.

Domain controller: LDAP Server Signing Requirements

In the Domain controller: LDAP server signing requirements properties window, we select the Define this policy setting checkbox. Then we choose “Require signing” and we press the Apply button.

Confirm Setting Change Window

We need to push the Yes button to confirm the setting change.

Saving the Console

We can save the newly made console under the Administrative Tools folder and call it “LDAP signing”.

The Microsoft website has a similar procedure to follow for client computers in the same article. Go ahead and make changes to the local computer policy of the client computer.
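
One way to confirm that the "Require signing" setting from the steps above actually reached the domain controller, as an added PowerShell example that is not part of the original slides. It assumes an elevated PowerShell 2.0 or later session on the domain controller after a policy refresh (for example `gpupdate /force`); the function names are hypothetical, and `LDAPServerIntegrity` under `NTDS\Parameters` is the registry value in which Windows stores this policy.

```powershell
# Added example: read-only check, run on the domain controller.

function Get-LdapServerSigning {
    # Registry value behind "Domain controller: LDAP server signing requirements".
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $item = Get-ItemProperty -Path $key -Name 'LDAPServerIntegrity' -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Value absent: the policy has not been applied to this machine.
        $value = $null
        $state = 'Not set'
    } else {
        $value = $item.LDAPServerIntegrity
        switch ($value) {
            1       { $state = 'None (signing not required)' }
            2       { $state = 'Require signing' }
            default { $state = "Unexpected value $value" }
        }
    }
    New-Object PSObject -Property @{ Value = $value; State = $state }
}

function Get-Recent2886 {
    param([int]$Days = 7)
    # Event ID 2886 is written to the Directory Service log.
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2886
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue: Get-WinEvent reports an error when no events match.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Id, LevelDisplayName
}

# Effective setting on this domain controller.
Get-LdapServerSigning | Format-List

# Most recent occurrences of the warning; compare their timestamps
# with the time the policy change was applied.
Get-Recent2886 | Select-Object -First 5
```

If the state is still "None" or "Not set" after a policy refresh, the edited Group Policy Object is not the one being applied to the domain controller.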