Microsoft announced in August 2019 that they will enforce the use of Secure LDAP binds from the March 2020 update.
This means that applications that use “classic” LDAP over 389 will fail after applying updates in the March 2020 cycle.
Take Action: Microsoft Security Advisory ADV190023 published to introduce LDAP channel binding and LDAP signing support. Administrators will need to test these settings in their environment after manually adjusting them on their servers.
The first call to action was August 2019, so if you missed this (like me), this is very late to get started on preventing possible outages pending the March update cycle.
Required: Security Update available on Windows Update for all supported Windows platforms that will enable LDAP channel binding and LDAP signing on Active Directory servers by default.
The second call to action is now: get searching in the logs.
Events 2886, 2889, 2887 and 1220 from Directory Services are the ones to ensure are logged and searchable.
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate.
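
One way to turn the 2889 events into a list of clients that still need fixing, as an added example that is not part of the original post. The function name, the sample events and the assumed event data layout (client `IP:port`, identity, bind type with 1 meaning a simple bind) are assumptions of this example.

```powershell
# Added example (not from the original post): summarise event 2889 by client.
# 2889 is only written once LDAP interface diagnostic logging is raised on the DC.
function Get-InsecureLdapBindSummary {
    param([Parameter(Mandatory)][object[]]$Events)

    $Events | Where-Object Id -eq 2889 | ForEach-Object {
        # Assumed event data layout: [0] client "IP:port", [1] identity, [2] bind type
        $client = [string]$_.Properties[0].Value
        $colon  = $client.LastIndexOf(':')
        $ip     = if ($colon -gt 0) { $client.Substring(0, $colon) } else { $client }
        $type   = if ([int]$_.Properties[2].Value -eq 1) { 'Simple bind, clear text' }
                  else { 'SASL bind, unsigned' }
        [pscustomobject]@{
            ClientIP = $ip
            Identity = [string]$_.Properties[1].Value
            BindType = $type
        }
    } | Group-Object ClientIP, Identity, BindType |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Binds    = $_.Count
                ClientIP = $_.Group[0].ClientIP
                Identity = $_.Group[0].Identity
                BindType = $_.Group[0].BindType
            }
        }
}

# Constructed sample events so the function can be tried off a domain controller.
function New-SampleEvent($Id, $Values) {
    [pscustomobject]@{
        Id         = $Id
        Properties = @($Values | ForEach-Object { [pscustomobject]@{ Value = $_ } })
    }
}
$sample = @(
    New-SampleEvent 2889 @('10.0.0.15:49152', 'CONTOSO\svc-app', 1)
    New-SampleEvent 2889 @('10.0.0.15:49160', 'CONTOSO\svc-app', 1)
    New-SampleEvent 2889 @('10.0.0.22:50211', 'CONTOSO\printer01$', 0)
    New-SampleEvent 2887 @(3, 12)   # summary event, ignored by the function
)
Get-InsecureLdapBindSummary -Events $sample | Format-Table -AutoSize

# On a domain controller, feed it the live log instead of the sample:
# Get-InsecureLdapBindSummary -Events (Get-WinEvent -FilterHashtable @{
#     LogName = 'Directory Service'; Id = 2886, 2887, 2889, 1220 })
```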