Event ID 1220

LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate.

Resolution from Microsoft:

Configure LDAP over SSL

Event ID 1220 is logged on a domain controller when client computers attempt LDAP-over-SSL (LDAPS) connections to the directory while SSL is not enabled on it, that is, while the directory service has no certificate it can use for server authentication. If you want to configure a domain controller or an AD LDS server to support SSL connections, you must provide a certificate for the AD DS or AD LDS directory to use. If you do not want to support LDAP over SSL connections on the directory, identify the client computers that are attempting to make such connections (port 636, or 3269 for the global catalog) and reconfigure them, so that the event stops recurring.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Perform the following procedure on a domain controller or a computer that has RSAT installed. See Installing Remote Server Administration Tools for AD DS (http://go.microsoft.com/fwlink/?LinkId=144909).

If you want to configure your domain controllers to support SSL connections, you can install and configure the Active Directory Certificate Services (AD CS) role on a domain controller or you can import a certificate from a trusted certification authority (CA).

If you install the AD CS role and specify the Setup Type as Enterprise on a domain controller, all domain controllers in the forest will be configured automatically to accept LDAP over SSL. This happens through certificate autoenrollment against the Domain Controller certificate template, so each domain controller is enabled only once its next autoenrollment pass has run (you can trigger it immediately with certutil -pulse). For instructions about installing and configuring a local certificate server using a Windows Server 2008 computer, see the Active Directory Certificate Services Step-by-Step Guide (http://go.microsoft.com/?linkid=9645085).

If you prefer to use a certificate from a CA that is not installed on a domain controller, you must import a certificate with an intended purpose of server authentication from a trusted CA into the AD DS personal store. For the domain controller to use it, the certificate must carry the Server Authentication enhanced key usage (OID 1.3.6.1.5.5.7.3.1), must name the domain controller's fully qualified DNS name in its Subject or Subject Alternative Name, must be imported together with its private key (for example from a PFX file), and must chain to a root that the connecting clients trust.

To import a certificate into the AD DS personal store:

  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. To open Microsoft Management Console (MMC), type mmc, and then press ENTER.
  3. Click File, click Add/Remove Snap-in, select Certificates from the available snap-ins, and then click Add.
  4. In Add or Remove Snap-ins, click Service account to view the certificates that are stored in the service’s personal store, and then click Next.
  5. In Add or Remove Snap-ins, click Local computer, and then click Next.
  6. In Add or Remove Snap-ins, click Active Directory Domain Services, click Finish, and then click OK.
  7. In the console tree, expand Certificates – Service (Active Directory Domain Services), expand Personal, and then expand Certificates.
  8. To import a certificate, right-click the Certificates folder under NTDS\Personal, click All Tasks, click Import, and complete the Certificate Import Wizard. When the certificate is imported, client computers should be able to make SSL connections to that domain controller; because every domain controller presents its own certificate, repeat the import on each domain controller that must accept LDAP over SSL. A Windows Server 2008 or later domain controller picks up the new certificate without a restart; if it does not, write the renewServerCertificate attribute on rootDSE (for example with ldifde) to make it reload its certificate.
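The following PowerShell script is an added example, not part of the Microsoft article, for checking the three things the procedure above depends on: whether the domain controller has recently logged Event ID 1220, whether a certificate that meets the LDAPS requirements (Server Authentication EKU, private key, matching DNS name, not expired) is present in the computer's Personal store, and whether a TLS handshake to port 636 actually succeeds and which certificate the domain controller presents. It assumes it is run on the domain controller itself in an elevated PowerShell session; the $DcFqdn value is a placeholder derived from the local host name, and the NTDS service store is listed separately with certutil because the Cert: drive does not expose service stores.

```powershell
# Added example: verify LDAPS readiness on a domain controller.
# Assumed environment: run on the DC, elevated, PowerShell 5.1 or later.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

# 1. Recent Event ID 1220 entries from the Directory Service log.
function Get-Ldaps1220Events {
    param([int]$Max = 5)
    # Get-WinEvent throws when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1220 } `
        -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# 2. Certificates in the computer's Personal store that AD DS could use.
#    AD DS prefers the NTDS\Personal store if it holds a certificate; inspect
#    that one with:  certutil -service -store NTDS\My
function Get-LdapsCandidateCertificates {
    param([string]$Fqdn)
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        $sanText = if ($san) { $san.Format($false) } else { '' }                  # "DNS Name=dc1.corp.example.com, ..."
        $nameMatches = ($cert.Subject -match [regex]::Escape("CN=$Fqdn")) -or
                       ($sanText -match [regex]::Escape("DNS Name=$Fqdn"))
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuthEku = $hasServerAuth
            NameMatches   = $nameMatches
            Usable        = $cert.HasPrivateKey -and $hasServerAuth -and $nameMatches -and
                            ($cert.NotAfter -gt (Get-Date))
        }
    }
}

# 3. Open a TLS session to the LDAPS port and report what the DC presents.
#    A DC with no usable certificate drops the connection during the handshake.
function Test-LdapsEndpoint {
    param([string]$Fqdn, [int]$Port = 636)
    $script:chainErrors = $null
    $client = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    try {
        # The callback records chain errors instead of failing, so that an
        # untrusted issuer is reported rather than hidden behind an exception.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
            { param($sender, $cert, $chain, $errors) $script:chainErrors = $errors; $true })
        $ssl.AuthenticateAsClient($Fqdn)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server      = "${Fqdn}:${Port}"
            Protocol    = $ssl.SslProtocol
            Subject     = $remote.Subject
            Issuer      = $remote.Issuer
            NotAfter    = $remote.NotAfter
            ChainErrors = $script:chainErrors   # 'None' means this client trusts the issuer
        }
    } catch {
        [pscustomobject]@{ Server = "${Fqdn}:${Port}"; Error = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

# Placeholder: the DC's own FQDN, assumed here to be the host the script runs on.
$DcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

Get-Ldaps1220Events                      | Format-List
Get-LdapsCandidateCertificates $DcFqdn   | Format-Table -AutoSize
Test-LdapsEndpoint $DcFqdn               | Format-List
```

If the handshake fails with a connection reset while a Usable certificate is listed, run certutil -service -store NTDS\My to check whether a stale or mismatched certificate in the NTDS store is taking precedence over the machine store. Run the endpoint test from a client as well: a ChainErrors value other than None there means the issuer is not in that client's trusted roots, which produces client-side LDAPS failures even though the domain controller itself no longer logs Event ID 1220.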

If you need to configure AD LDS to support LDAP over SSL connections, follow the instructions in Appendix A: Configuring LDAP over SSL Requirements for AD LDS (http://go.microsoft.com/?linkid=9645086).