During a migration from Windows Server 2003 to Windows Server 2008 R2 I got LDAP warnings in the event log of Active Directory. Event ID 2886 appeared about every 24 hours and we didn’t know where it came from. In your event log you will see a warning like the one below.
Log Name: Directory Service
Date: 1-6-2010 9:33:00
Event ID: 2886
Task Category: LDAP Interface
User: ANONYMOUS LOGON
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.
For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the “LDAP Interface Events” event logging category to level 2 or higher.
How to solve this? You have to open the Group Policy Management Editor.
Run gpme.msc. Go to Domain Controllers Policy – Computer Configuration – Windows Settings – Security Settings – Local Policies – Security Options – LDAP server signing requirements.
Change the setting Domain controller: LDAP server signing requirements to Require signing.
Do the same for the client side: set Network security: LDAP client signing requirements to Negotiate signing.
Your Default Domain Controllers Policy should then look like this. By default, Domain controller: LDAP server signing requirements is set to None, as is Network security: LDAP client signing requirements.
After this change you will see that the warning no longer appears.
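Before flipping the policy to Require signing it pays to know which clients are still binding without signing, because the warning text above says those clients will stop working. The PowerShell below is an added example, not code from the original post: it raises the LDAP Interface Events logging level the event mentions, tallies the per-client Event 2889 entries that then appear, and reads the registry value behind the Require signing setting. It assumes an elevated session on the domain controller, that the diagnostics value "16 LDAP Interface Events" is that logging category, that Event 2889 carries client address, identity and bind type as its first three data fields, and that LDAPServerIntegrity = 2 is what Require signing sets.

```powershell
# Added example, not from the original post. Assumptions: elevated PowerShell on
# the domain controller; "16 LDAP Interface Events" is the diagnostics value for
# the "LDAP Interface Events" category named in Event 2886; Event 2889 carries
# client address, identity and bind type as its first three data fields;
# LDAPServerIntegrity = 2 is the value the "Require signing" policy sets.

$diagKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# Step 1: log every unsigned SASL bind and cleartext simple bind as Event 2889
# (level 2 or higher, as the 2886 warning text suggests).
Set-ItemProperty -Path $diagKey -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# Step 2: tally the 2889 events collected so far by client, identity and bind type.
$binds = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } `
            -ErrorAction SilentlyContinue | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Client   = $data[0] -replace ':\d+$', ''   # drop the client's source port
        Identity = $data[1]
        BindType = if ($data[2] -eq '0') { 'unsigned SASL' } else { 'simple bind without TLS' }
    }
})

$binds | Group-Object Client, Identity, BindType | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Client, Identity, BindType'; e = { $_.Name } } |
    Format-Table -AutoSize

# Step 3: report whether this DC already requires signing and whether it looks
# safe to switch the Domain Controllers policy to "Require signing".
$integrity = (Get-ItemProperty -Path $paramKey -Name LDAPServerIntegrity `
                -ErrorAction SilentlyContinue).LDAPServerIntegrity
if ($integrity -eq 2) {
    'LDAP server signing is already required on this DC.'
} elseif ($binds.Count -eq 0) {
    'No insecure binds logged yet; leave level 2 logging on for a while before requiring signing.'
} else {
    "$($binds.Count) insecure bind(s) logged: fix these clients before requiring signing."
}
```

Leave the logging at level 2 across at least one 24-hour summary cycle and re-run the tally until it is empty; only then is requiring signing unlikely to break a client.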