
I set up a new Active Directory on my Windows server (Windows Server 2008 R2).

It is working fine on port 389. I need to use the LDAPS protocol to modify passwords from another system.

According to this post https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority, the only thing needed to enable LDAPS is to import a certificate.

But when I imported the SSL certificate and restarted the domain controller, I cannot see port 636 opening.

My SSL certificate is issued by GeoTrust and is used for a website. The website domain is the same as the AD DS FQDN. I'm not sure if that is OK.

How can I check what the problem is?


2 Answers

1 vote
  1. I would start by checking the certificate's enhanced key usage; make sure Server Authentication (1.3.6.1.5.5.7.3.1) is in the enhanced key usage. This can be done by opening the certificate, clicking on the "Details" tab and scrolling to "Enhanced Key Usage".

  2. On the domain controller, open an MMC, add the Certificates snap-in for the local computer and verify that the certificate is in the Personal certificates store. If the certificate is there, double-click it: on the General tab, do you see a line at the bottom stating "You have a private key that corresponds to this certificate."?

When you say "I cannot see port 636 is opening", how are you going about that? Did you run netstat on the domain controller to see if the server is listening? Syntax:

    netstat -an | find "636"

`-a` displays all connections and listening ports, `-n` displays addresses and ports in numeric form, and `find "636"` filters for port 636. Because this is a domain controller you will have a lot of connections.

Also, if you have access to openssl you can try the following:

    openssl s_client -connect domain_controller_ip:636

If the certificate is configured properly and the domain controller is listening on port 636/tcp, you will get the certificate information returned.

0 votes

The problem is that the certificate does not match.

My AD domain is xyz.com, and I thought my certificate's Common Name should be xyz.com; that is wrong.

The right Common Name for the certificate is the full computer name (computer name + domain). My computer name is ad, so the certificate's Common Name needs to be ad.xyz.com.
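The PowerShell script below is an added example, not code from either answer or from the linked Microsoft article. It automates the checks both answers describe: the first answer's points (Server Authentication EKU, a private key in the Local Computer Personal store, whether anything listens on 636/tcp, and what certificate the server actually presents, the PowerShell equivalent of `openssl s_client`) and the second answer's point (the certificate name must cover the DC's FQDN such as ad.xyz.com, not the bare domain xyz.com). It assumes it is run in an elevated PowerShell on the domain controller; `$DcFqdn` defaulting to the local machine's DNS name is an assumption, override it when running from another host. The `DnsNameList` property it prefers for SAN names exists in PowerShell 3.0 and later (WMF 3 or newer on 2008 R2); on older PowerShell it falls back to `GetNameInfo`, which returns only the first DNS name.

```powershell
# Added example (not from the original answers): LDAPS pre-flight checks on a DC.
# Assumption: run elevated on the DC itself; $DcFqdn defaults to this machine's DNS name.
param(
    [string]$DcFqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName,
    [int]$Port = 636
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

# Does one certificate name (CN or SAN dNSName) cover the DC's FQDN?
# "xyz.com" does not cover "ad.xyz.com"; "*.xyz.com" covers exactly one left-most label.
function Test-NameCoversHost {
    param([string]$Name, [string]$HostName)
    if ($Name -eq $HostName) { return $true }            # -eq is case-insensitive in PowerShell
    if ($Name.StartsWith('*.')) {
        $nameLabels = $Name.Split('.'); $hostLabels = $HostName.Split('.')
        if ($nameLabels.Count -ne $hostLabels.Count) { return $false }
        return ((@($nameLabels) | Select-Object -Skip 1) -join '.') -eq ((@($hostLabels) | Select-Object -Skip 1) -join '.')
    }
    return $false
}

# Evaluate every certificate in Cert:\LocalMachine\My against the LDAPS requirements.
function Get-LdapsCandidateReport {
    param([string]$HostName)
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # If the EKU extension is absent the certificate is valid for any purpose;
        # if present it must list Server Authentication.
        $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasServerAuth = (-not $ekuExt) -or (@($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ServerAuthOid)
        # SAN dNSName entries (PowerShell 3.0+), falling back to the first DNS name / CN.
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        if ($names.Count -eq 0) { $names = @($cert.GetNameInfo('DnsName', $false)) }
        $nameMatch = @($names | Where-Object { Test-NameCoversHost -Name $_ -HostName $HostName }).Count -gt 0
        $chainOk = $cert.Verify()                        # issuing chain present and trusted on this machine
        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            Subject        = $cert.Subject
            Names          = ($names -join ', ')
            HasPrivateKey  = $cert.HasPrivateKey
            ServerAuthEku  = $hasServerAuth
            NameMatchesDc  = $nameMatch
            ChainTrusted   = $chainOk
            NotExpired     = ($cert.NotAfter -gt (Get-Date))
            UsableForLdaps = ($cert.HasPrivateKey -and $hasServerAuth -and $nameMatch -and $chainOk)
        }
    }
}

# Connect to port 636 and complete a TLS handshake to see what the server presents.
# Validation is deliberately disabled here so a mismatched certificate is still reported.
function Test-LdapsHandshake {
    param([string]$HostName, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($HostName, $Port) }
    catch { return [pscustomobject]@{ Listening = $false; Certificate = $null; Error = $_.Exception.Message } }
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Listening = $true; Certificate = $presented; Error = $null }
    }
    catch { [pscustomobject]@{ Listening = $true; Certificate = $null; Error = $_.Exception.Message } }
    finally { $client.Close() }
}

Write-Host "Checking LDAPS prerequisites for $DcFqdn"
$report = Get-LdapsCandidateReport -HostName $DcFqdn
$report | Format-Table Thumbprint, Names, HasPrivateKey, ServerAuthEku, NameMatchesDc, ChainTrusted, NotExpired, UsableForLdaps -AutoSize
if (@($report | Where-Object { $_.UsableForLdaps }).Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\My satisfies all LDAPS requirements (private key, Server Authentication EKU, name covering $DcFqdn, trusted chain)."
}

$hs = Test-LdapsHandshake -HostName $DcFqdn -Port $Port
if (-not $hs.Listening) {
    Write-Warning "Nothing accepted a connection on ${DcFqdn}:$Port ($($hs.Error))."
} elseif ($hs.Certificate) {
    Write-Host "Server presented: $($hs.Certificate.Subject) (thumbprint $($hs.Certificate.Thumbprint))"
} else {
    Write-Warning "Port $Port is open but the TLS handshake failed: $($hs.Error)"
}
```

With the certificate from the question (CN xyz.com, no SAN for ad.xyz.com), the report shows `NameMatchesDc` false and `UsableForLdaps` false even though `HasPrivateKey` and `ServerAuthEku` are true, which is the mismatch the second answer describes; once a certificate for ad.xyz.com is in place, the handshake section shows the subject the DC actually serves on 636.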