All,

The guidance for this says that if you set one option you should set the other option to ensure nothing breaks. This sounds like a chicken-and-egg scenario and I'm wondering if anyone has experienced it.

Based on what I've read on MSDN, Technet, and the IETF RFCs, if the server says "Strong Auth required" (which MSDN says AD says if require signing is configured), the client may either close the connection or send a STARTTLS option. So I find it hard to believe that, under typical operation, setting it server-side first should break the clients (as they ought to just say "oh, let me send STARTTLS").

Does anyone have experience with this behavior? What are your experiences?

All of our TLS is configured properly, we've got the right templates enrolled, and LDAPS functions 100% fine on the environment as-is. In this case, we're looking to enforce it.
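The way a practitioner would settle the "does enforcing server-side first break anything" question is to audit before flipping the switch and then exercise the bind types the post talks about. The script below is an added example written for this page; it is not from the original post or from any reply. It assumes it runs on a domain controller (for the registry and Directory Service log reads), that `$Dc` is replaced with a real DC name, and that the credential you supply is allowed to bind. The registry value names, event IDs and .NET `System.DirectoryServices.Protocols` calls are the documented ones; the expected outcomes in the comments describe a DC where "LDAP server signing requirements" has been set to Require signing.

```powershell
# Added example (not from the original post): audit the two LDAP signing
# policies on a DC and exercise the bind behaviour the post describes.
# Assumptions: run on a DC as a domain user; $Dc is a placeholder.
$Dc   = 'dc01.corp.example'                 # assumption: replace with your DC
$Cred = Get-Credential -Message 'Account for the test binds'

# 1. Current state of both policies, read from the registry values the two
#    Group Policy settings map to.
$srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -Name LDAPServerIntegrity -ErrorAction SilentlyContinue
$cli = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP' `
        -Name LDAPClientIntegrity -ErrorAction SilentlyContinue
'Server signing  (1=None, 2=Require):            {0}' -f $srv.LDAPServerIntegrity
'Client signing  (0=None, 1=Negotiate, 2=Require): {0}' -f $cli.LDAPClientIntegrity

# 2. Who is still binding unsigned or simple-over-cleartext? Event 2887 is the
#    24-hour summary count; event 2889 names each client IP and account, but
#    only once the '16 LDAP Interface Events' diagnostic level is raised to 2.
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
    -Name '16 LDAP Interface Events' -Value 2
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887, 2889 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } }

# 3. Exercise the DC with the three bind shapes that matter for this policy.
Add-Type -AssemblyName System.DirectoryServices.Protocols
function Test-LdapBind {
    param(
        [string]$Server,
        [System.DirectoryServices.Protocols.AuthType]$AuthType,
        [System.Management.Automation.PSCredential]$Credential,
        [switch]$StartTls
    )
    $label = '{0} auth={1} starttls={2}' -f $Server, $AuthType, $StartTls.IsPresent
    $c = New-Object System.DirectoryServices.Protocols.LdapConnection $Server
    $c.SessionOptions.ProtocolVersion = 3
    $c.AuthType = $AuthType
    if ($Credential) { $c.Credential = $Credential.GetNetworkCredential() }
    try {
        # STARTTLS is the LDAPv3 extended operation the post refers to: the
        # same TCP connection is upgraded to TLS before the bind is sent.
        if ($StartTls) { $c.SessionOptions.StartTransportLayerSecurity($null) }
        $c.Bind()
        return "$label : OK"
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # Result code 8 is strongerAuthRequired; the DC's comment explains
        # that integrity checking or TLS is required on this connection.
        return '{0} : result {1} - {2}' -f $label, $_.Exception.ErrorCode, $_.Exception.ServerErrorMessage
    } finally { $c.Dispose() }
}

# Simple (cleartext) bind on 389: rejected with result 8 once signing is required.
Test-LdapBind -Server $Dc -AuthType Basic     -Credential $Cred
# Simple bind after STARTTLS: accepted, because TLS already protects the session.
Test-LdapBind -Server $Dc -AuthType Basic     -Credential $Cred -StartTls
# Negotiate (Kerberos/NTLM) bind that negotiates signing: accepted.
Test-LdapBind -Server $Dc -AuthType Negotiate -Credential $Cred
```

Run step 2 for a while before enforcing and the 2889 events tell you which clients would actually be affected, which is a more reliable answer than reasoning from the RFC alone. The Negotiate bind passes with the default client policy because "Negotiate signing" makes the Windows LDAP client add the signing option to any bind that is not already under TLS, which is why enforcing the server side first does not normally break Windows clients; the clients that do break are third-party or scripted ones doing simple binds over plain 389 without STARTTLS, and those show up in the log first.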