
Thursday, April 9, 2015

Windows -- How to enable LDAP over SSL on Windows 2012 or later

By default, Windows domain controllers provide the LDAP service without SSL encryption. If you need to enable SSL on the LDAP service (LDAPS), there are two options for deploying it.

Option 1:

You can install an Enterprise root CA on the domain controllers, which makes all DCs accept LDAPS requests immediately. (But installing a CA on a DC is not recommended by MS.)

Option 2:

In most cases, an Enterprise Root CA is already installed on a member server, and you can follow the instructions linked below to set it up.
LDAP over SSL (LDAPS) Certificate
Windows Server 2012 - Enable LDAPS

In my case, I am using a Standalone CA, which has no "Certificate Templates" since those only appear in an Enterprise CA, so I can't issue a new template for the DC to enroll a certificate directly.

Here are my steps to submit a request to the Standalone CA, get the certificate, and import it into the DC for LDAPS.
  1. Open IE and connect to the Standalone CA at https://standalone.ca/certsrv.
  2. Click Request a Certificate.
  3. Click Advanced certificate request.
  4. Click Create and submit a request to this CA.
  5. Provide identifying information as required.
  6. In the Name box, type the fully qualified domain name of the domain controller.
  7. In the Type of Certificate Needed Server list, click Server Authentication Certificate.
  8. Under Key Options, set the following options:
    • Create a new key set
    • CSP: Microsoft RSA SChannel Cryptographic Provider
    • Key Usage: Exchange
    • Key Size: 1024 - 16384
    • Automatic key container name
    • Mark keys as exportable
  9. Under Advanced Options, set the request format as CMC.
  10. In the Attributes box, type the desired SAN attributes. SAN attributes take the following form:
    san:dns=dns.name[&dns=dns.name]
    Multiple DNS names are separated by an ampersand (&). For example, if the name of the domain controller is corpdc1.fabrikam.com and the alias is ldap.fabrikam.com, both names must be included in the SAN attributes. The resulting attribute string is displayed as follows:
    san:dns=corpdc1.fabrikam.com&dns=ldap.fabrikam.com
  11. Click Submit.
  12. If the CA is not configured to issue certificates automatically, a Certificate Pending webpage is displayed and requests that you wait for an administrator to issue the certificate that was requested.

    To retrieve a certificate that an administrator has issued, connect to http://standalone.ca/certsrv, and then click Check on a Pending Certificate. Click the requested certificate, and then click Next.

    If the certificate was issued, the Certificate Issued webpage is displayed. Click Install this Certificate to install the certificate.
  13. Open an MMC console, add the Certificates snap-in for "My user account", and click OK.
  14. Under Personal -> Certificates, double-click the certificate installed in step 12.
  15. On the Details tab, click "Copy to File..." to open the Certificate Export Wizard.
  16. Select "Yes, export the private key" and click Next.
  17. Type in the password and click Next.
  18. Give a file name for the exported key and select a location to store the file.
  19. Open MMC and add the Certificates snap-in for "Service account", select "Local computer", select "Active Directory Domain Services" and click OK.
  20. Right-click NTDS\Personal, then "All Tasks", "Import".
  21. Browse to the file you stored in step 18 and type in the password you set in the same step.
  22. After the certificate is imported, you can start using LDAPS as you wish.
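As an added check that is not part of the original post (my own script, not the author's), once the certificate is imported you can confirm from any host that reaches TCP/636 that the DC presents a certificate chaining to the Standalone CA root and carrying every DNS name from the step 10 SAN attribute. The hostnames and the `standalone-ca-root.pem` path are assumed placeholders.

```python
"""Verify a domain controller's LDAPS listener: chain trusted by the
Standalone CA root, every required DNS name present in the SAN, and the
certificate not about to expire. Hostnames and the CA file path used in
__main__ are placeholders (assumptions), not values from the post."""
import socket
import ssl
from datetime import datetime, timezone

def parse_san_attribute(attr):
    """Turn the web-enrollment attribute string 'san:dns=a&dns=b'
    into the list of DNS names it requests, e.g. ['a', 'b']."""
    if not attr.lower().startswith("san:"):
        raise ValueError("attribute must start with 'san:'")
    names = []
    for part in attr[4:].split("&"):
        key, _, value = part.strip().partition("=")
        if key.lower() != "dns" or not value:
            raise ValueError(f"unsupported SAN component: {part!r}")
        names.append(value.lower())
    return names

def missing_san_names(cert, required):
    """Return the required names absent from the certificate's SAN.
    `cert` is the dict returned by ssl.SSLSocket.getpeercert()."""
    present = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    return [n for n in required if n.lower() not in present]

def days_until_expiry(cert, now=None):
    """Whole days remaining before the certificate's notAfter date."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (not_after - now).days

def fetch_ldaps_cert(host, ca_file, port=636):
    """Open a TLS session to the DC's LDAPS port, validating the chain
    against the Standalone CA root in ca_file, and return the peer cert.
    A chain or hostname mismatch raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    # Assumed values: the DC, its LDAP alias, and the Standalone CA root
    # certificate exported in PEM form.
    required = parse_san_attribute("san:dns=corpdc1.fabrikam.com&dns=ldap.fabrikam.com")
    cert = fetch_ldaps_cert("corpdc1.fabrikam.com", "standalone-ca-root.pem")
    print("missing SAN names:", missing_san_names(cert, required))
    print("days until expiry:", days_until_expiry(cert))
```

If the alias name is missing from the SAN output, clients connecting as ldap.fabrikam.com will fail hostname validation even though the DC is answering on 636.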
Reference: