funkylicious
SuperUser
September 30, 2025
Question

ZTNA - Active Directory services

  • September 30, 2025
  • 4 replies
  • 1795 views

Hi,

Has someone been able to configure and use ZTNA for the AD services ?


The scenario I'm trying to make use of is a remote user who needs to join his computer, which for whatever reason got removed/deleted from the domain.

I've created 2 ZTNA servers, 1 for TCP traffic and 1 for UDP traffic (as per below); the domain name is resolvable locally to the internal 10.235.0.X IP, and in the logs I can see the enable_udp:1 flag for the UDP services and also all the ZTNA destinations in FortiClient.

The proxy-policy uses the security tag all_registered_clients, which is assigned to the computer in question, has destination all, and uses the ZTNA servers below.

Relevant FGT config:

config firewall vip
    edit "LAB-AD_UDP"
        set type access-proxy
        set server-type https
        set extip PUB-IP
        set h3-support enable
        set extintf "wan1"
        set extport 11101
        set ssl-certificate "wild-demo.lab"
    next
    edit "LAB-AD_TCP"
        set type access-proxy
        set server-type https
        set extip PUB-IP
        set extintf "wan1"
        set extport 11102
        set ssl-certificate "wild-demo.lab"
    next
end

config firewall access-proxy
    edit "LAB-AD_UDP"
        set vip "LAB-AD_UDP"
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "demo.lab"
                        set mappedport 53 88 123 137 138 389 636
                    next
                end
            next
        end
    next
    edit "LAB-AD_TCP"
        set vip "LAB-AD_TCP"
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "demo.lab"
                        set mappedport 53 88 135 389 445 636 3268 3269 1024-65535
                    next
                end
            next
        end
    next
end

Relevant FCT logs for part of the UDP services:

[2025-09-30 12:17:48.1501869] [fortitcs] ***************************************
[2025-09-30 12:17:48.1501915] [fortitcs] name: demo.lab:53,88,123,137,138,389,636
[2025-09-30 12:17:48.1501961] [fortitcs] type: tcp-fwd
[2025-09-30 12:17:48.1502001] [fortitcs] mode: transparent
[2025-09-30 12:17:48.1502047] [fortitcs] destination: demo.lab:53,88,123,137,138,389,636
[2025-09-30 12:17:48.1502087] [fortitcs] gateway: PUB-IP:11101
[2025-09-30 12:17:48.1502133] [fortitcs] enable_udp: 1
[2025-09-30 12:17:48.1502173] [fortitcs] latencies: 8760h0m0s
[2025-09-30 12:17:48.1502209] [fortitcs] encryption: 0
[2025-09-30 12:17:48.1502249] [fortitcs] enble_udp: 1
[2025-09-30 12:17:48.1502288] [fortitcs] FQDN: demo.lab
[2025-09-30 12:17:48.1502321] [fortitcs] FQDN_flag: 0
[2025-09-30 12:17:48.1502358] [fortitcs] IPStart: 10.235.0.1
[2025-09-30 12:17:48.1502394] [fortitcs] IPEnd: 10.235.0.1
[2025-09-30 12:17:48.1502433] [fortitcs] SubnetMask: 255.255.255.255
[2025-09-30 12:17:48.1502476] [fortitcs] PortStart: 53
[2025-09-30 12:17:48.1502509] [fortitcs] PortEnd: 53

When I try to AD join the computer:

Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "demo.lab":

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.demo.lab

Common causes of this error include the following:

- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

8.8.8.8

C:\Users\Administrator>ping demo.lab

Pinging demo.lab [10.235.0.1] with 32 bytes of data:
Reply from PUB-IP: Destination net unreachable.

4 replies

Markus_M
Staff & Editor
September 30, 2025

That could be tricky. This part here is the problem and you could trace it with a packet capture (DNS, showing an SRV record query).


The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "demo.lab": The error was: "DNS name does not exist." (error code 0x0000232B RCODE_NAME_ERROR) The query was for the SRV record for _ldap._tcp.dc._msdcs.demo.lab


If I understand correctly, you will already have done so and maybe have seen that this may not go through; the DNS server in question must be one that can answer that query, which is typically only on-prem. With ZTNA, is the user on-prem? What DNS server is the user using?
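The check Markus_M describes can be scripted rather than read out of a packet capture. The Python below is an added example (not code from the thread or from Fortinet): it builds the exact SRV query the domain join issues for _ldap._tcp.dc._msdcs.demo.lab, sends it to one resolver of your choice (8.8.8.8, 10.235.0.1 or 192.168.200.201 from this thread) and decodes the RCODE and any DC targets, so you can see which resolver answers NXDOMAIN, the 0x232B error quoted above, and which one returns a domain controller. The constructed_reply helper and the dc1.demo.lab target are constructed sample data for offline checking, not captured traffic.

```python
import socket, struct

SRV_NAME = "_ldap._tcp.dc._msdcs.demo.lab"   # DC-locator record the domain join looks up
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN (RCODE_NAME_ERROR, 0x232B on Windows)", 5: "REFUSED"}

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
def build_srv_query(name=SRV_NAME, txid=0x1234):
    # header: id, flags (RD set), QDCOUNT=1; question: QNAME, QTYPE=SRV(33), QCLASS=IN(1)
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 33, 1)
def read_name(msg, off):
    # decode a possibly compressed name; return (name, offset just past it in msg)
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name in the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [read_name(msg, ptr)[0]]), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode())
        off += ln
def parse_srv_response(msg):
    # return the reply's RCODE and any (target, port) pairs carried in SRV answers
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, targets = 12, []
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4  # skip QNAME, then QTYPE and QCLASS
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        if rtype == 33:  # SRV rdata: priority, weight, port, target name
            targets.append((read_name(msg, off + 6)[0], struct.unpack("!HHH", msg[off:off + 6])[2]))
        off += rdlen
    rcode = flags & 0xF
    return {"rcode": rcode, "status": RCODES.get(rcode, str(rcode)), "targets": targets}
def probe(server, name=SRV_NAME, timeout=2.0):
    # send the SRV query to one resolver over UDP/53 and decode its answer
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(name), (server, 53))
        return parse_srv_response(s.recv(4096))
def constructed_reply(rcode, target=None, port=389):
    # constructed sample reply (not captured traffic): echoes the question plus optional SRV answer
    answer = b""
    if target:  # answer name is a pointer (0xC00C) to the question name at offset 12
        rdata = struct.pack("!HHH", 0, 100, port) + encode_name(target)
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 33, 1, 600, len(rdata)) + rdata
    return struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, int(bool(target)), 0, 0) + build_srv_query()[12:] + answer
```

Run probe("8.8.8.8") and probe("10.235.0.1") from the remote client: a public resolver has no _msdcs zone and answers NXDOMAIN, while a resolver that returns a target is the one the domain join needs to be pointed at.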

funkylicious
SuperUser
September 30, 2025

In a remote scenario, the user would use a public DNS server like 8.8.8.8 or whatever the DHCP server provides.

I have tried using 10.235.0.1, which from my understanding would be the FortiGate; on it I have created the DNS zone for demo.lab as primary/shadow, where I have entries for other hosts, and the rest of the queries are forwarded to the real DNS/AD server which can resolve them, 192.168.200.201 in my case (demo.lab - IP address).

Whenever I try to do an nslookup with any combination of DNS servers:

[2025-09-30 13:09:15.3691079] [fortitcs] FindFQDNFromDoh: IP=10.235.0.1 Port=53 FQDN=demo.lab
[2025-09-30 13:09:15.3691343] [fortitcs] UpdateDnsRedirectEntry: Ip=183173121 Port=53 RealIp=0 Fqdn=demo.lab Flag=0
[2025-09-30 13:09:15.3691522] [fortitcs] UpdateFQDNIpAndPort: get real_ip: 10.235.0.1fqdn: demo.lab
[2025-09-30 13:09:15.3692212] [fortitcs] enable_udp == 0
[2025-09-30 13:09:18.8966914] [fortitcs] Found virtual IP for demo.lab.

C:\Users\Administrator>nslookup demo.lab 8.8.8.8
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    demo.lab
Address:  10.235.0.1

C:\Users\Administrator>nslookup demo.lab 10.235.0.1
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  10.235.0.1

Non-authoritative answer:
Name:    demo.lab
Address:  10.235.0.1

C:\Users\Administrator>nslookup demo.lab 192.168.200.201
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.200.201

Non-authoritative answer:
Name:    demo.lab
Address:  10.235.0.1

C:\Users\Administrator>nslookup google.com 192.168.200.201
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.200.201

C:\Users\Administrator>nslookup google.com 10.235.0.1
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  10.235.0.1

C:\Users\Administrator>nslookup google.com 8.8.8.8
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    google.com

I've also tried creating a ZTNA server to proxy all DNS traffic to the private DNS server, which should solve them all, but it doesn't seem to really work:

config firewall vip
    edit "LAB-AD_DNS"
        set type access-proxy
        set server-type https
        set extip PUB-IP
        set h3-support enable
        set extintf "wan1"
        set extport 11104
        set ssl-certificate "wild-demo.lab"
    next
end

config firewall access-proxy
    edit "LAB-AD_DNS"
        set vip "LAB-AD_DNS"
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "host_192.168.200.201"
                        set mappedport 53
                    next
                end
            next
        end
    next
end

"jack of all trades, master of none"
barisben
New Member
December 4, 2025

Is there any solution for this issue?

funkylicious
SuperUser
December 4, 2025

Haven't found a solution to this scenario, and I have stopped testing stuff.

"jack of all trades, master of none"
AEK
SuperUser
December 4, 2025

As ZTNA doesn't inject a DNS server like SSL/IPsec VPN does, I think one possible workaround is to set the primary DNS server (AD) manually on the client.

AEK
funkylicious
SuperUser
December 5, 2025

I did try this; it doesn't seem to work, or I did something wrong on the ZTNA server from the first post.

"jack of all trades, master of none"
JeanNeptune
New Member
February 5, 2026

Hi,

Was anyone able to resolve FQDNs to IPs using the internal Active Directory DNS while connected to FortiClient ZTNA?

Thanks