Hi everyone,
I'm currently trying to deploy a fully functional openziti network to demonstrate the benefits of going with a ZTNA approach, instead of the more traditional VPN.
As such, I am now trying to achieve something like this:
Right now, I have been able to deploy all ziti components, and I am able to connect to the webapp and to the sftp, both from my "headquarters" (using the openziti edge router as a LAN gateway) and from a windows vm running on a different network (connecting directly to the public router, in azure, and using the ziti client).
However, I am having a lot of constraints when trying to configure the AD connection. I have followed a couple of guides I found here, such as Connecting Remote Endpoints with a On-Prem AD, and both my computers are able to resolve my domain name. However, when I try to join the workstation to the domain, I get the following error message:
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "oz-implementation.local":
The query was for the SRV record for _ldap._tcp.dc._msdcs.oz-implementation.local
The following domain controllers were identified by the query:
dc.oz-implementation.local
However no domain controllers could be contacted.
Common causes of this error include:
- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.
I tried all I could think of, with no success.
Has anyone seen this issue before?
Thanks!
Hi @B3Rhodes, welcome to the community and to OpenZiti!
Sounds like you've made excellent progress so far. I don't personally have an environment to actually test this sort of scenario and I am not well versed with the Windows domain joining protocol.
You have that domain/host mapped?
So, as we do nowadays, I asked GPT to describe it:
[Client] ---(UDP 67/68)---> [DHCP Server] # Request IP config
[Client] <---(UDP 67/68)--- [DHCP Server]
[Client] ---(UDP 53)------> [DNS Server] # Resolve domain controller (e.g., _ldap._tcp.dc._msdcs.domain.com)
[Client] <---(UDP 53)------ [DNS Server]
[Client] ---(TCP 88)------> [Domain Controller] # Kerberos AS-REQ/AS-REP (Authentication Service)
[Client] ---(TCP 389)-----> [Domain Controller] # LDAP bind to query domain info
[Client] ---(TCP 445)-----> [Domain Controller] # SMB for Group Policy & netlogon
[Client] ---(TCP 135/139)---> [Domain Controller] # RPC endpoint mapper (optional depending on GPOs)
[Client] ---(TCP 464)-----> [Domain Controller] # Kerberos password change (if applicable)
[Client] ---(UDP 123)-----> [NTP Server/DC] # Time sync (required for Kerberos)
Do you have intercepts for each of these ports? Are you able to capture the traffic on the interface to see if anything shows up?
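The port list above, turned into the OpenZiti service configs it implies, as an added example that is not part of this thread or of the OpenZiti project: an `intercept.v1` config (what the client-side tunneler captures) and a matching `host.v1` config (what the hosting router is allowed to forward), plus a small check that reports which of the domain-join flows a given intercept leaves uncovered. The DC hostname comes from the first post; everything else (the flow list, the function names) is constructed for the example.

```python
"""Build OpenZiti intercept.v1 / host.v1 configs for the domain-join port list
and report which flows a given intercept config does not capture.

Added example, not code from the thread or from the OpenZiti project.
"""
import json
from typing import Dict, List, Tuple

Flow = Tuple[str, int]  # (protocol, port)

# Constructed from the client -> DC flows listed in the reply above.
DOMAIN_JOIN_FLOWS: List[Flow] = [
    ("udp", 67), ("udp", 68),    # DHCP
    ("udp", 53),                 # DNS: SRV/A lookups for _ldap._tcp.dc._msdcs...
    ("tcp", 88),                 # Kerberos AS-REQ/AS-REP
    ("tcp", 389),                # LDAP bind
    ("tcp", 445),                # SMB: Group Policy and netlogon
    ("tcp", 135), ("tcp", 139),  # RPC endpoint mapper / NetBIOS session
    ("tcp", 464),                # Kerberos password change
    ("udp", 123),                # NTP, needed for Kerberos clock skew
]


def merge_port_ranges(ports: List[int]) -> List[Dict[str, int]]:
    """Collapse a port list into the {"low","high"} ranges that OpenZiti
    configs use, merging consecutive ports (67, 68 -> one range)."""
    ranges: List[Dict[str, int]] = []
    for port in sorted(set(ports)):
        if ranges and ranges[-1]["high"] == port - 1:
            ranges[-1]["high"] = port
        else:
            ranges.append({"low": port, "high": port})
    return ranges


def build_intercept_config(addresses: List[str], flows: List[Flow]) -> dict:
    """intercept.v1: protocols, addresses and port ranges the tunneler captures."""
    return {
        "protocols": sorted({proto for proto, _ in flows}),
        "addresses": addresses,
        "portRanges": merge_port_ranges([port for _, port in flows]),
    }


def build_host_config(allowed_addresses: List[str], flows: List[Flow]) -> dict:
    """host.v1: forward the intercepted protocol/address/port unchanged,
    restricted to the same protocols, addresses and port ranges."""
    return {
        "forwardProtocol": True,
        "allowedProtocols": sorted({proto for proto, _ in flows}),
        "forwardAddress": True,
        "allowedAddresses": allowed_addresses,
        "forwardPort": True,
        "allowedPortRanges": merge_port_ranges([port for _, port in flows]),
    }


def uncovered_flows(intercept: dict, flows: List[Flow]) -> List[Flow]:
    """Flows the intercept.v1 config would not capture (protocol missing or
    port outside every range). Empty list means the join traffic is covered."""
    protocols = set(intercept.get("protocols", []))
    ranges = intercept.get("portRanges", [])
    missing: List[Flow] = []
    for proto, port in flows:
        in_range = any(r["low"] <= port <= r["high"] for r in ranges)
        if proto not in protocols or not in_range:
            missing.append((proto, port))
    return missing


if __name__ == "__main__":
    dc_names = ["dc.oz-implementation.local"]  # hostname from the first post
    intercept = build_intercept_config(dc_names, DOMAIN_JOIN_FLOWS)
    host = build_host_config(dc_names, DOMAIN_JOIN_FLOWS)
    print(json.dumps(intercept, indent=2))
    print(json.dumps(host, indent=2))
    # Reproduce the gap described later in the thread: an intercept without DHCP.
    no_dhcp = build_intercept_config(
        dc_names, [f for f in DOMAIN_JOIN_FLOWS if f[1] not in (67, 68)])
    print("uncovered:", uncovered_flows(no_dhcp, DOMAIN_JOIN_FLOWS))
```

The two JSON documents are what you would pass to `ziti edge create config <name> intercept.v1 '<json>'` and `ziti edge create config <name> host.v1 '<json>'` before attaching both to a service; `uncovered_flows` is the quick check to run against an existing intercept config when a join fails with "no domain controllers could be contacted" even though DNS resolves.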
Hi @TheLumberjack,
Thank you!
It seems like I didn't have the ports 67/68 configured on the controller.
I don't know if it was that, or if it was my Windows VM that had its own mind, because as soon as I deployed a new one and added those ports, everything started working as it should!
Now, it's time to start looking into HA 
Thank you once more for your help!
Oh? Well that's GREAT!!
Particularly since I didn't expect that I'd be much help but I'm pleased to hear that it fixed it. Of course I'd recommend you do it one more time and make sure... If you ever blog about the setup, we always love to read about how people used/tried OpenZiti!
Cheers