As a lot of us know, there are some serious DoS (denial of service) issues with AD. AD just isn't fully LDAP compatible; that's the bottom line in my book. If I have to interface AD to multiple sources outside Microsoft's designed use (inside the NOS), I recommend using a virtual directory to protect AD. LDAP packets such as the ones described below, and other causes of DoS, can be dealt with that way.
Quoted from http://bardissi.wordpress.com/2008/02/12/webdav-vulnerability-worst-of-four-windows-flaws/:
12 February, 2008
MS08-003: Active Directory Denial of Service Vulnerability
Active Directory is the Windows component that provides central authentication and authorization services for Windows computers. Active Directory runs on Windows servers, but also on Windows clients as the Active Directory Application Mode (ADAM) service. Microsoft’s security bulletin warns of an unspecified Denial of Service (DoS) vulnerability involving the way Active Directory handles specially crafted LDAP packets. By sending a malicious LDAP request, a remote attacker could exploit this vulnerability to cause your Windows computer to lock up or to reboot. The attacker could repeatedly exploit this vulnerability to keep your Windows machines offline for as long as he could sustain this attack. However, most administrators don’t allow LDAP traffic (TCP ports 389 and 3268) through their perimeter firewall. Therefore, this vulnerability primarily poses an internal threat.
Microsoft rating: Important.
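The quoted bulletin notes that the exposure is mostly internal because perimeter firewalls normally block TCP 389 and 3268. The check a practitioner would want is to confirm that from the firewall's own logs. The script below is an added example, not code from the original post or from the quoted blog: it parses constructed key=value firewall log lines (not captured traffic), treats the RFC 1918 ranges as "internal" (an assumption), and flags allowed TCP flows from any other source to the LDAP and Global Catalog ports. Ports 636 and 3269 are included as the TLS-wrapped equivalents, which is my addition rather than something the bulletin text lists.

```python
"""Flag perimeter-firewall log entries that let external hosts reach AD's LDAP ports.

Added example, not from the original post. Assumes a simple key=value log
format and RFC 1918 ranges as "internal"; adjust both for a real deployment.
"""
import ipaddress

# TCP ports named in the quoted bulletin text (389, 3268) plus their TLS
# equivalents (636, 3269), which are an added assumption here.
LDAP_PORTS = {389: "LDAP", 636: "LDAPS", 3268: "Global Catalog", 3269: "GC/TLS"}

# Assumed internal address space: RFC 1918 only.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines (not captured traffic) in a key=value firewall style.
SAMPLE_LOG = """\
ts=2008-02-13T09:12:01Z action=allow proto=tcp src=203.0.113.7 spt=51234 dst=10.1.1.5 dpt=389
ts=2008-02-13T09:12:05Z action=allow proto=tcp src=10.2.3.4 spt=50211 dst=10.1.1.5 dpt=389
ts=2008-02-13T09:13:40Z action=deny proto=tcp src=198.51.100.9 spt=40001 dst=10.1.1.5 dpt=3268
ts=2008-02-13T09:13:41Z action=allow proto=tcp src=198.51.100.9 spt=40002 dst=10.1.1.6 dpt=3268
ts=2008-02-13T09:14:02Z action=allow proto=tcp src=203.0.113.7 spt=51300 dst=10.1.1.5 dpt=443
this line is not parseable and must be skipped
"""


def parse_line(line):
    """Split a key=value line into a dict; return None if required fields are missing or malformed."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    needed = ("action", "proto", "src", "dst", "dpt")
    if not all(k in fields for k in needed):
        return None
    try:
        fields["dpt"] = int(fields["dpt"])
        ipaddress.ip_address(fields["src"])  # validates the source address
    except ValueError:
        return None
    return fields


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_ldap(log_text):
    """Return allowed TCP flows from non-internal sources to an LDAP/GC port."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] != "allow" or rec["proto"] != "tcp":
            continue
        if rec["dpt"] not in LDAP_PORTS or is_internal(rec["src"]):
            continue
        hits.append({"src": rec["src"], "dst": rec["dst"],
                     "port": rec["dpt"], "service": LDAP_PORTS[rec["dpt"]]})
    return hits


if __name__ == "__main__":
    for h in find_external_ldap(SAMPLE_LOG):
        print(f"EXPOSED: {h['src']} -> {h['dst']}:{h['port']} ({h['service']})")
```

On the constructed sample, the two allowed flows from 203.0.113.7 to port 389 and from 198.51.100.9 to port 3268 are reported; the denied attempt, the internal client, and the HTTPS flow are not. Any hit is a perimeter rule to revisit before the internal-only assumption in the bulletin can be relied on.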