Issue
Active Directory Users and Computers (ADUC) may experience latency or slowness while connected to the Cato SDP Client.
Environment
- Cato SDP Client v4.2 and above
Troubleshooting
While it is running, ADUC makes DNS queries for non-standard SRV records that do not exist in a default Active Directory DNS zone. These queries are not needed for name resolution to succeed, and Microsoft has not documented why ADUC makes them. For more information, see DNS client resolver behavior
The Cato SDP Client blocks DNS requests on every network interface except the Cato VPN interface, so that all DNS traffic is sent through the VPN tunnel. This works well for almost every application; ADUC is the exception, because of the SRV queries described above.
When ADUC receives a negative response ("No such name") for these queries from the DNS servers configured on the Cato VPN adapter, it retries them against the DNS servers configured on the physical (WiFi, Ethernet) adapter. Those queries are dropped by the Cato SDP Client, so ADUC never receives a response. Although Microsoft has not acknowledged or confirmed this, we believe that ADUC waits for the queries on the physical adapters to time out before proceeding, which explains the slow load times. As far as we know, ADUC is the only application exhibiting this behavior, and it may well be a Microsoft bug.
To confirm that this is the issue, take a packet capture (PCAP) on the tunnel while the user opens ADUC and filter for DNS (port 53). The following Wireshark display filter shows only SRV queries and their responses:
dns.qry.type == 33
ADUC makes queries for non-existent SRV records in two distinct formats:
- _ldap._tcp.DCName.Domain.com
- _ldap._tcp.SiteName._sites.DCName.Domain.com
Where DCName is the short hostname (NetBIOS name) of a Domain Controller (DC), SiteName is the name of the Active Directory site in which that DC resides, and Domain.com is the DNS name of the domain. Note that these differ from the standard records under _msdcs.Domain.com that a DC registers by itself.
ADUC may query these records for every DC in the domain. The problem described in this article is present if you see any of these SRV queries answered with "No such name" (NXDOMAIN, DNS response code 3) in the PCAP.
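As a check that does not need a packet capture, the following PowerShell script is an added example (it is not from the original article and not part of Cato's tooling). It issues the same two SRV name shapes for every DC against each DNS server configured on the client's adapters and reports, per server, whether the query was answered, returned "No such name" (NXDOMAIN), or timed out, together with how long it took. It assumes the SDP Client's adapter is named "Cato Networks" (change -CatoAdapter if yours differs), takes the AD site name as a parameter because the site is not discoverable from DNS alone, enumerates DCs from the standard _ldap._tcp.dc._msdcs.<domain> record so that RSAT is not required on the client, and uses the built-in DnsClient cmdlets (Resolve-DnsName, Get-DnsClientServerAddress) present on Windows 8 / Server 2012 and later. The same script serves as the check after the SRV records have been created: the Cato adapter's servers should then answer instead of returning NXDOMAIN.

```powershell
<#
  Added example (not from the original article or Cato's tooling).
  Queries the non-standard SRV names ADUC asks for against every DNS server
  configured on this client, per adapter, and times each query.
  Assumptions: adapter alias "Cato Networks" (override with -CatoAdapter),
  site name supplied by the caller (-SiteName), DnsClient module present.
#>
param(
    [string]$Domain      = $env:USERDNSDOMAIN,
    [string]$SiteName    = 'Default-First-Site-Name',  # assumption: replace with your AD site
    [string]$CatoAdapter = 'Cato Networks'             # assumption: alias of the SDP Client adapter
)

function Get-DcShortNames {
    param([string]$Domain, [string]$Server)
    # The standard SRV record lists every DC in the domain; NameTarget is the DC FQDN.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Server -DnsOnly -ErrorAction Stop |
        Where-Object { $_.QueryType -eq 'SRV' } |
        ForEach-Object { ($_.NameTarget -split '\.')[0] } |
        Sort-Object -Unique
}

function Get-AducSrvNames {
    param([string]$Domain, [string]$Site, [string[]]$DcNames)
    # The two non-standard name shapes described in the article, for every DC.
    foreach ($dc in $DcNames) {
        "_ldap._tcp.$dc.$Domain"
        "_ldap._tcp.$Site._sites.$dc.$Domain"
    }
}

function Test-SrvQuery {
    param([string]$Name, [string]$Server)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $target = $null
    try {
        $answer = Resolve-DnsName -Name $Name -Type SRV -Server $Server -DnsOnly -ErrorAction Stop
        $result = 'ANSWERED'
        $target = ($answer | Where-Object { $_.QueryType -eq 'SRV' } | Select-Object -First 1).NameTarget
    } catch {
        # Classify the failure: NXDOMAIN is "No such name" in Wireshark,
        # TIMEOUT is what a query on a blocked (non-Cato) adapter looks like.
        $result = switch -Regex ($_.Exception.Message) {
            'does not exist'    { 'NXDOMAIN' }
            'timeout|timed out' { 'TIMEOUT' }
            default             { 'ERROR' }
        }
    }
    $sw.Stop()
    [pscustomobject]@{ Server = $Server; Name = $Name; Result = $result; Target = $target; Ms = $sw.ElapsedMilliseconds }
}

# Map every adapter to its IPv4 DNS servers so the tunnel can be compared with WiFi/Ethernet.
$dnsByAdapter = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object InterfaceAlias, ServerAddresses

$cato = $dnsByAdapter | Where-Object { $_.InterfaceAlias -eq $CatoAdapter }
if (-not $cato) { throw "Adapter '$CatoAdapter' not found or has no DNS servers; adjust -CatoAdapter." }

# Enumerate DCs through the tunnel's DNS server, then build the names ADUC would query.
$dcNames  = Get-DcShortNames -Domain $Domain -Server $cato.ServerAddresses[0]
$srvNames = Get-AducSrvNames -Domain $Domain -Site $SiteName -DcNames $dcNames

$report = foreach ($adapter in $dnsByAdapter) {
    foreach ($server in $adapter.ServerAddresses) {
        foreach ($name in $srvNames) {
            Test-SrvQuery -Name $name -Server $server |
                Add-Member -NotePropertyName Adapter -NotePropertyValue $adapter.InterfaceAlias -PassThru
        }
    }
}
$report | Format-Table Adapter, Server, Result, Ms, Name -AutoSize

# Interpretation: NXDOMAIN from the Cato adapter's servers plus multi-second TIMEOUTs from the
# physical adapter's servers is the pattern this article describes. After the SRV records are
# created, the Cato side should report ANSWERED with the DC FQDN as Target.
```

Run it from a regular PowerShell session on the affected client while connected to the SDP Client; no administrator rights are needed because it only reads resolver configuration and sends queries. Querying the physical adapter's servers is deliberate: the time those rows take to fail is the delay the user sees in ADUC.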
Solutions
- Use Remote Desktop or another remote access tool to log into the DC and manage Active Directory from there, so that no DNS queries leave the client's VPN adapter.
- Use Active Directory Administrative Center (ADAC) to manage Active Directory remotely. ADAC is a newer and more capable tool than ADUC for AD management, but there is a learning curve. For more information about ADAC, visit Active Directory Administrative Center
- Create the SRV records that ADUC queries in Windows DNS, so the queries are answered through the Cato VPN adapter and ADUC never falls back to the physical adapter. See the instructions below.
- Contact Cato Support for additional troubleshooting and backend alternative solutions.
Manually Create SRV Records
1. Open DNS Manager on the DNS server.
2. Expand Forward Lookup Zones.
3. Right-click your domain and click “New Domain…”.
4. Enter the short hostname (NetBIOS name) of the DC as the domain name. This creates the DCName.Domain.com subdomain that the SRV records hang under.
5. Right-click the subdomain created in the previous step and select “Other New Records…”.
6. Select Service Location (SRV) and click “Create Record…”.
7. Enter the following parameters in the pop-up window (Priority and Weight can stay at 0):
- Service: _ldap
- Protocol: _tcp
- Port number: 389 (LDAP; the same value the script below uses)
- Host offering this service: the FQDN of the DC with a period at the end.
8. Click "OK". The SRV record _ldap._tcp.DCName.Domain.com is created.
9. Right-click the subdomain named after the DC you created in step 4 and select “New Domain…”
10. Name the domain “_sites” and click "OK".
11. Right-click the _sites domain and select “New Domain...”.
12. Name the subdomain created in the previous step after the site that the DC resides in and click "OK".
13. Right-click the subdomain created in the previous step and select "Other New Records...".
14. Select Service Location (SRV) and click "Create Record...".
15. Enter the following parameters in the pop-up window (Priority and Weight can stay at 0):
- Service: _ldap
- Protocol: _tcp
- Port number: 389 (LDAP; the same value the script below uses)
- Host offering this service: the FQDN of the DC with a period at the end.
16. Click "OK". The SRV record _ldap._tcp.SiteName._sites.DCName.Domain.com is created.
17. Repeat steps 3-16 for each DC in your domain. The records replicate to the other DNS servers with the zone, so they only need to be created once.
Automatically Create SRV Records Using PowerShell
The PowerShell script below can be run on a DC to create all the necessary SRV records for every domain in the forest, as long as the DNS servers are also Domain Controllers (the script picks the first authoritative name server of the forest root domain and creates the records there, so that server must host the zones and be manageable with the DnsServer module). Please note that this script may have to be modified to work in the customer's environment and Cato Support is not responsible for making any modifications to this script. Customers should use this script at their own risk.
Recommended Usage:
1. Save the script in a file with extension .ps1 and copy it to a DC.
2. On the DC, open PowerShell with administrator privileges and run the script by its path (the execution policy must allow running local scripts):
.\path_to_script.ps1
3. Observe that the correct domain and a DNS server were detected by the script and that the list of all DCs in the domain is correct.
4. By default, the script prompts before creating SRV records for each DC. We recommend using this mode at least for the first DC, then verifying in DNS Manager that both SRV records were created under that DC's subdomain before continuing.
5. If the SRV records for the first DC were created successfully, you can execute the script again and choose the "Bulk create" option [B] to create all SRV records at once without prompts. Records that already exist are reported as warnings and skipped.
Sample Output: (screenshot of the script's console output not reproduced here)
Script:
#Requires -Modules ActiveDirectory, DnsServer
# Enumerate every DC in the forest. Name is the short hostname used in the SRV label,
# Domain is the DNS zone the record belongs in, Site is the AD site of the DC.
$allDCs = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    Select-Object -Property Name, HostName, Domain, Site
$Domain = (Get-ADForest).Name
Write-Host ""
Write-Host "Forest root domain:"
Write-Host " $Domain"
# Use the first authoritative name server for the forest root zone as the DNS server
# to create the records on (assumed to be a DC running the DNS Server role).
$DNSserver = (Resolve-DnsName -Name $Domain -Type NS -ErrorAction Stop |
    Where-Object { $_.QueryType -eq 'NS' } |
    Select-Object -First 1).NameHost
if (-not $DNSserver) { throw "No NS record found for $Domain" }
Write-Host ""
Write-Host "Found DNS server:"
Write-Host " $DNSserver"
Write-Host ""
Write-Host "Found Domain Controllers:"
Foreach ($DC in $allDCs) {
    Write-Host " $($DC.HostName)"
}

function Add-AducSrvRecords {
    param($DC, [string]$DnsServer)
    # Both non-standard names ADUC queries, as SRV records pointing at the DC's LDAP port.
    $names = @(
        "_ldap._tcp.$($DC.Name)",
        "_ldap._tcp.$($DC.Site)._sites.$($DC.Name)"
    )
    foreach ($name in $names) {
        try {
            Add-DnsServerResourceRecord -Srv -Name $name -ZoneName $DC.Domain -DomainName "$($DC.HostName)" `
                -Weight 0 -Priority 0 -Port 389 -ComputerName $DnsServer -ErrorAction Stop
            Write-Host "  Created $name.$($DC.Domain) -> $($DC.HostName)"
        } catch {
            # Typically "already exists" on a re-run; report it and continue with the next record.
            Write-Warning "  $name.$($DC.Domain): $($_.Exception.Message)"
        }
    }
}

$title = 'Create SRV Records'
$question = 'How do you want to create SRV records?'
$bulk = New-Object System.Management.Automation.Host.ChoiceDescription "&Bulk create", "Creates all SRV records at once."
$prompt = New-Object System.Management.Automation.Host.ChoiceDescription "&Prompt for each", "Prompts before creating each SRV record."
$choices = [System.Management.Automation.Host.ChoiceDescription[]]($bulk, $prompt)
$decision = $Host.UI.PromptForChoice($title, $question, $choices, 1)
if ($decision -eq 0) {
    Foreach ($DC in $allDCs) {
        Add-AducSrvRecords -DC $DC -DnsServer $DNSserver
    }
    Write-Host ""
    Write-Host "Created SRV records for all DCs."
} elseif ($decision -eq 1) {
    Foreach ($DC in $allDCs) {
        Write-Host ""
        Write-Host "Create SRV records for $($DC.HostName)?" -ForegroundColor Yellow
        $Readhost = Read-Host " ( y / n ) "
        if ($Readhost -eq 'y') {
            Add-AducSrvRecords -DC $DC -DnsServer $DNSserver
        }
    }
    Write-Host ""
    Write-Host "Done creating SRV records."
} else {
    Write-Host 'Cancelled'
}
Comments
2 comments
Nice article, good job
I think this behavior is normal and expected. ADUC has been around for... 23 years now? Would be weird for this fundamental lookup to be buggy for so long...
Before going through the hassle of manually adding SRV records yourself:
I'd recommend adding the addresses assigned on the Cato Network adapter to Active Directory Sites & Services. Sites & Services tells the domain controller where the closest services are for things like Global Catalog lookups. If you have a larger network, maybe it makes sense to have address pools for regions and map those to specific domain controllers.
Then the SRV records should no longer be missing, ADUC loads quickly, and your administrators will stop complaining.