Watch out: ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing

At this moment, Microsoft plans to publish, in the March 2020 rollup, an update that changes the default behavior of LDAP and will require LDAP signing unless you have applied a registry modification.
In the March 2020 rollup Microsoft is looking to enable LDAP signing by default, so if you haven't forced the parameter by GPO or another method, your LDAP clients that don't use LDAP signing will have trouble. No news from Microsoft on the new date.

You should take a look at
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023

Event ID 2887 in the Directory Service log tells you every 24 hours whether unsigned LDAP bind attempts were made, so it's a good indicator. If you want to identify where they come from, I suggest you run

Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2 /f

and then look for Event ID 2889; no reboot or service restart is needed to activate this logging.
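As an added example (not part of the original post or of Microsoft's guidance), the following PowerShell run on a domain controller checks that the diagnostic level has been raised and then summarises the last 24 hours of Event ID 2889 by client address, identity and bind type, so you can see which clients still bind without signing. It assumes the event's replacement strings are, in order, the client IP:port, the identity the client bound as, and the binding type (0 for a SASL bind without signing, 1 for a simple bind without TLS).

```powershell
# Added example: summarise unsigned LDAP binds (Event ID 2889) logged on this DC.
# Requires "16 LDAP Interface Events" = 2 under NTDS\Diagnostics (see Reg Add above).

$diagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$valueName = '16 LDAP Interface Events'
$level = (Get-ItemProperty -Path $diagKey -Name $valueName).$valueName
if ($level -lt 2) {
    Write-Warning "$valueName is $level; Event ID 2889 is only written at level 2 or higher."
}

# Pull the last 24 hours of 2889 events from the Directory Service log.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $p = $_.Properties   # assumption: [0] client IP:port, [1] identity, [2] binding type
    [pscustomobject]@{
        ClientIP    = $p[0].Value -replace ':\d+$', ''   # drop the source port (IPv4 or IPv6)
        Identity    = $p[1].Value
        BindingType = if ("$($p[2].Value)" -eq '0') { 'SASL bind without signing' }
                      else                          { 'Simple bind without TLS' }
    }
} |
    Group-Object ClientIP, Identity, BindingType |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'ClientIP';    e = { $_.Group[0].ClientIP } },
        @{ n = 'Identity';    e = { $_.Group[0].Identity } },
        @{ n = 'BindingType'; e = { $_.Group[0].BindingType } } |
    Format-Table -AutoSize
```

Run it on each domain controller (or wrap the Get-WinEvent call with -ComputerName), since each DC logs only the binds it received itself.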

That change also applies to the LDAP service of AD LDS, and I guess it would be the same for Azure AD DS.