Here is an article 897721

"You may not be able to connect to a domain controller by using LDAP over an SSL connection when the domain controller  is running Windows 2000 Server with SP4"

In this code change we introduced a mechanism to to re-enumerate the cert stores and choose a valid Server Auth certificate via a new operational attribute "renewServerCertificate".

 

Prior to this change, if you had to renew the cert due to it expiring , you had to reboot the DC as well. Not so nifty if you run 40 or so DC's with LDAPS enabled and all the certs were issued on the same day.

The things that's missing, is that this is also fixed in Windows Server 2003 , but via a different unpublished article - 917268.

MS needs to do a better job of making sure these articles get published so folks can find them.... that's whats broken here. No point in making bug fixes if it's only is for one customer and no one else can query the KB and find the same fix for when they hit the same bug. We just need to do better in this area. Period.

my .02

spat

UPDATE sept 5 2006 - a public article has been posted on this.

 

keyword:  ldap ssl ldaps