3.1.1.3.4.7 LDAP Configurable Settings

A forest supports several administrator-controlled settings that affect LDAP. The name of each setting is included in the supportedConfigurableSettings attribute on the rootDSE. These settings are listed in the following table. The table also lists which applicable Windows Server releases and Active Directory Application Mode (ADAM) versions support which settings. The settings are stored on the msDS-Other-Settings attribute of the directory service object, as specified in section 6.1.1.2.4.1.1. For more information, see [ADDLG].

The table contains information for the following products. See section 3 for more information.

  • D --> Windows Server 2003 operating system

  • E --> Windows Server 2003 operating system with Service Pack 1 (SP1)

  • DR2 --> Windows Server 2003 R2 operating system

  • H --> ADAM RTW

  • I --> ADAM SP1

  • K --> Windows Server 2008 operating system AD DS

  • L --> Windows Server 2008 AD LDS

  • N --> Windows Server 2008 R2 operating system AD DS

  • P --> Windows Server 2008 R2 AD LDS

  • S --> Windows Server 2012 operating system AD DS

  • T --> Windows Server 2012 AD LDS

  • V --> Windows Server 2012 R2 operating system AD DS

  • W --> Windows Server 2012 R2 AD LDS

  • Y --> Windows Server 2016 operating system AD DS

  • Z --> Windows Server 2016 AD LDS

  • B2 --> Windows Server v1709 operating system AD DS

  • C2 --> Windows Server v1709 AD LDS

  • E2 --> Windows Server v1803 operating system AD DS

  • F2 --> Windows Server v1803 AD LDS

  • H2 --> Windows Server v1809 operating system AD DS

  • I2 --> Windows Server v1809 AD LDS

  • K2 --> Windows Server 2019 operating system AD DS

  • L2 --> Windows Server 2019 AD LDS

  • M2 --> Windows Server v1903 AD DS

  • N2 --> Windows Server v1903 AD LDS

| Setting name | D | DR2, E | H | I | K, N, S, V, Y, B2, E2, H2, K2 | L, P, T, W, Z, C2, F2, I2, L2 | E2, F2, H2, I2, K2, L2, M2, N2 |
|---|---|---|---|---|---|---|---|
| DynamicObjectDefaultTTL | X | X | X | X | X | X | X |
| DynamicObjectMinTTL | X | X | X | X | X | X | X |
| DisableVLVSupport | | X | | X | X | X | X |
| ADAMAllowADAMSecurityPrincipalsInConfigPartition | | | X | X | | X | |
| ADAMDisableLogonAuditing | | | X | X | | X | X |
| ADAMDisablePasswordPolicies | | | X | X | | X | X |
| ADAMDisableSPNRegistration | | | X | X | | X | |
| ADAMDisableSSI | | | X | X | | X | |
| ADAMLastLogonTimestampWindow | | | X | X | | X | X |
| MaxReferrals | | X | | X | X | X | X |
| ReferralRefreshInterval | | X | | X | X | X | X |
| RequireSecureProxyBind | | | X | X | | X | X |
| RequireSecureSimpleBind | | | X | X | | X | X |
| SelfReferralsOnly | | X | | X | X | X | X |
| DenyUnauthenticatedBind | | | | | | | X |

The DynamicObjectDefaultTTL is the default entryTTL value for a new dynamic object. The value is in seconds and defaults to 86400. The minimum value is 1 and the maximum value is 31557600 (one year).

The DynamicObjectMinTTL is the minimum valid entryTTL value for a new dynamic object. The value is in seconds and defaults to 900. The minimum value is 1 and the maximum value is 31557600 (one year).

When the DisableVLVSupport setting is set to 1, the DC excludes the OIDs for the LDAP_CONTROL_VLVREQUEST and LDAP_CONTROL_VLVRESPONSE controls from the supportedControl attribute of the rootDSE. Additionally, if the LDAP_CONTROL_VLVREQUEST control is attached to an incoming LDAP request and is not marked as critical, the DC ignores the control. If the control is attached to an incoming LDAP request and is marked critical, the DC fails the request with the error unavailableCriticalExtension / ERROR_INVALID_PARAMETER. If the DisableVLVSupport setting is not specified, it defaults to 0.

When ADAMAllowADAMSecurityPrincipalsInConfigPartition equals 1, security principals (that is, objects that have an objectSid attribute) can be created in the Config NC. When equal to 0, attempts to create a security principal in the Config NC are rejected with the error unwillingToPerform / ERROR_DS_CANT_CREATE_IN_NONDOMAIN_NC. If ADAMAllowADAMSecurityPrincipalsInConfigPartition is not specified, it defaults to 0.

The effect of ADAMDisableLogonAuditing is outside the state model. When ADAMDisableLogonAuditing equals 1, the DC does not generate audit events when an AD LDS security principal (section 5.1.1.5) authenticates to the server. If set to 0, the DC attempts to generate audit events when an AD LDS security principal authenticates to the server; policy on the computer running the DC determines whether audit events are actually generated. If ADAMDisableLogonAuditing is not specified, it defaults to 0.

When ADAMDisablePasswordPolicies does not equal 1 and an LDAP bind is performed or a password is changed on an AD LDS security principal, the DC enforces the current password policy in effect on the AD LDS server as reported by SamrValidatePassword ([MS-SAMR] section 3.1.5.13.7). When ADAMDisablePasswordPolicies is set to 1, the DC does not enforce any such policies. If ADAMDisablePasswordPolicies is not explicitly specified, it defaults to 0.

When ADAMDisableSPNRegistration equals 1, a DC running as AD LDS does not register its SPNs (2) on the servicePrincipalName of the computer object as described in [MS-DRSR] section 2.2.2. When ADAMDisableSPNRegistration equals 0, a DC running as AD LDS performs SPN (2) registration as described in that document. If ADAMDisableSPNRegistration is not explicitly specified, it defaults to 0.

When ADAMDisableSSI equals 1, a DC running as AD LDS does not support DIGEST-MD5 authentication for AD LDS security principals. If ADAMDisableSSI equals 0, a DC running as AD LDS supports DIGEST-MD5 for AD LDS security principals. ADAMDisableSSI has no effect on a DC running as AD DS. If ADAMDisableSSI is not explicitly specified, it defaults to 0.

ADAMLastLogonTimestampWindow specifies how frequently, in days, AD LDS updates the lastLogonTimestamp attribute when an AD LDS security principal (see section 5.1.1.5) authenticates to the server. For an AD LDS security principal O, if a successful LDAP bind as that security principal is performed at time T, and the difference between O!lastLogonTimestamp and T is greater than ADAMLastLogonTimestampWindow days, then the AD LDS DC sets O!lastLogonTimestamp to T. Otherwise, the AD LDS DC leaves O!lastLogonTimestamp unchanged. If ADAMLastLogonTimestampWindow is not explicitly specified, it defaults to 7.

MaxReferrals specifies the maximum number of LDAP URLs that the DC will include in a referral or continuation reference. The default value is 3.

The effect of ReferralRefreshInterval is outside the state model. A Windows DC maintains an in-memory cache of referral information so that it can return referrals and continuation references without consulting the directory state. ReferralRefreshInterval specifies how frequently, in minutes, a DC refreshes the in-memory cache from the directory state. The default value is 5.

When RequireSecureProxyBind is set to 1, AD LDS will reject (with the error confidentialityRequired / <unrestricted>) an LDAP simple bind request that requests authentication as an AD LDS bind proxy (section 5.1.1.5) if that request is not performed on an SSL/TLS-encrypted or SASL-protected connection with a cipher strength of at least 128 bits. If RequireSecureProxyBind is set to 0, no such restriction is imposed. If RequireSecureProxyBind is not explicitly specified, it defaults to 1.

When RequireSecureSimpleBind is set to 1, AD LDS will reject (with the error confidentialityRequired / <unrestricted>) an LDAP simple bind request that requests authentication as an AD LDS security principal (section 5.1.1.5) if that request is not performed on an SSL/TLS-encrypted or SASL-protected connection with a cipher strength of at least 128 bits. If RequireSecureSimpleBind is set to 0, no such restriction is imposed. If RequireSecureSimpleBind is not explicitly specified, it defaults to 0.

If SelfReferralsOnly is set to 1, then the DC will only return referrals and continuation references that refer to itself. It will not return referrals and continuation references to NCs of which it does not have an NC replica. Referrals and continuation references to NCs of which it does have an NC replica will name itself as the referred-to server.

When DenyUnauthenticatedBind is set to 1, AD LDS will reject (with the error unwillingToPerform / <unrestricted>) an LDAP simple bind request that specifies a zero-length password. If DenyUnauthenticatedBind is set to 0, no such restriction is imposed. If DenyUnauthenticatedBind is not explicitly specified, it defaults to 0.
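The following Python is an added example, not part of this specification or of any Microsoft implementation. It parses the "Name=Value" strings of msDS-Other-Settings over the defaults given above, flags the bind-related settings a reviewer would check (RequireSecureSimpleBind, RequireSecureProxyBind, DenyUnauthenticatedBind, ADAMDisablePasswordPolicies), validates an entryTTL against DynamicObjectMinTTL, and applies the ADAMLastLogonTimestampWindow rule. The sample settings list is constructed; treating an absent lastLogonTimestamp as older than the window is an assumption of the example.

```python
from datetime import datetime, timedelta

# Defaults stated in this section, applied when a name is absent from msDS-Other-Settings.
DEFAULTS = {
    "DynamicObjectDefaultTTL": 86400, "DynamicObjectMinTTL": 900,
    "DisableVLVSupport": 0, "ADAMAllowADAMSecurityPrincipalsInConfigPartition": 0,
    "ADAMDisableLogonAuditing": 0, "ADAMDisablePasswordPolicies": 0,
    "ADAMDisableSPNRegistration": 0, "ADAMDisableSSI": 0,
    "ADAMLastLogonTimestampWindow": 7, "MaxReferrals": 3, "ReferralRefreshInterval": 5,
    "RequireSecureProxyBind": 1, "RequireSecureSimpleBind": 0, "DenyUnauthenticatedBind": 0,
}

def parse_other_settings(values):
    """Merge the multi-valued 'Name=Value' strings of msDS-Other-Settings over DEFAULTS."""
    settings = dict(DEFAULTS)
    for item in values:
        name, _, value = item.partition("=")
        settings[name.strip()] = int(value)
    return settings

def audit_bind_hardening(settings):
    """Return the settings whose current value weakens LDAP bind handling on AD LDS."""
    findings = []
    if settings["RequireSecureSimpleBind"] != 1:
        findings.append("RequireSecureSimpleBind")   # simple binds accepted off TLS/SASL
    if settings["RequireSecureProxyBind"] != 1:
        findings.append("RequireSecureProxyBind")    # bind-proxy binds accepted off TLS/SASL
    if settings["DenyUnauthenticatedBind"] != 1:
        findings.append("DenyUnauthenticatedBind")   # zero-length-password binds accepted
    if settings["ADAMDisablePasswordPolicies"] == 1:
        findings.append("ADAMDisablePasswordPolicies")  # password policy not enforced
    return findings

def effective_entry_ttl(settings, requested=None):
    """Apply DynamicObjectDefaultTTL when no entryTTL is given; reject one below the minimum."""
    if requested is None:
        return settings["DynamicObjectDefaultTTL"]
    if requested < settings["DynamicObjectMinTTL"]:
        raise ValueError("entryTTL below DynamicObjectMinTTL")
    return requested

def should_update_last_logon(settings, last_logon, bind_time):
    """True when (T - O!lastLogonTimestamp) exceeds ADAMLastLogonTimestampWindow days."""
    if last_logon is None:                           # assumption: no stamp counts as stale
        return True
    window = timedelta(days=settings["ADAMLastLogonTimestampWindow"])
    return (bind_time - last_logon) > window

# Constructed sample of msDS-Other-Settings values, not taken from any real directory.
SAMPLE = ["RequireSecureSimpleBind=1", "DenyUnauthenticatedBind=0", "DynamicObjectMinTTL=1800"]
```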