Hello community,
We have a problem that we are noticing now for the first time. We are currently using ONTAP 9.8P11 on a FAS2750.
Our network administrators would like to use port 636 for communication with the DNS.
A newly created CIFS SVM - so far without productive use - connects to the DNS via port 636 (-use-ldaps-for-ad-ldap is set to true / the root CA was created beforehand) when it is accessed for the first time.
All further accesses - although we don't even know why they are happening (there are no accesses from CIFS clients yet!) - again take place via port 389. Why?
The parameters for the SVM are set as follows:
FAS27DX1::> vserver cifs security show -vserver SVM_xxxxx
Vserver: SVM_xxxxx
Kerberos Clock Skew: 5 minutes
Kerberos Ticket Age: 10 hours
Kerberos Renewal Age: 7 days
Kerberos KDC Timeout: 3 seconds
Is Signing Required: true
Is Password Complexity Required: true
Use start_tls for AD LDAP connection: false
Is AES Encryption Enabled: false
LM Compatibility Level: lm-ntlm-ntlmv2-krb
Is SMB Encryption Required: false
Client Session Security: none
SMB1 Enabled for DC Connections: false
SMB2 Enabled for DC Connections: system-default
LDAP Referral Enabled For AD LDAP connections: false
Use LDAPS for AD LDAP connection: true
Encryption is required for DC Connections: false
FASxxxxx::>
Can anyone explain this behavior?
Why is only the first access via port 636 and the others via 389?
What is to be done so that only port 636 is used?
Why is there access to the DNS at all if the SVM is not yet productive? (Our network administrators have determined that this behavior probably occurs every 4 hours - see also the graphic "ADROOT-LOG.jpg".)
I am grateful for any help.
Best regards
Michael
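As an added example, not part of Michael's post and not NetApp code, the following Python script shows one way to confirm from the firewall's own connection log which LDAP-family ports the SVM's LIF is actually using, how many sessions go to TCP/389 (which is only protected if StartTLS is negotiated in-band, and the post shows "Use start_tls for AD LDAP connection: false"), and whether the 389 sessions recur on a fixed interval such as the 4 hours the network team observed. The log line format, the addresses and the SVM LIF address are assumptions; the sample log is constructed to reproduce the pattern described in the post (one 636 session, then 389 every 4 hours).

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample firewall/connection log (not from the original post).
# Line format is an assumption: "<ISO8601> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
SAMPLE_LOG = """\
2024-05-01T00:02:11Z src=192.0.2.50 dst=192.0.2.10 dport=636 proto=tcp
2024-05-01T00:02:12Z src=192.0.2.50 dst=192.0.2.10 dport=88 proto=tcp
2024-05-01T04:02:13Z src=192.0.2.50 dst=192.0.2.10 dport=389 proto=tcp
2024-05-01T08:02:10Z src=192.0.2.50 dst=192.0.2.11 dport=389 proto=tcp
2024-05-01T09:15:00Z src=192.0.2.77 dst=192.0.2.10 dport=389 proto=tcp
2024-05-01T12:02:14Z src=192.0.2.50 dst=192.0.2.10 dport=389 proto=tcp
"""

SVM_LIF = "192.0.2.50"  # assumed data LIF of the CIFS SVM; replace with the real one

# LDAP-family destination ports worth separating: only 636/3269 are TLS from the first byte.
LDAP_PORTS = {
    389: "ldap (cleartext unless StartTLS is negotiated)",
    636: "ldaps (TLS from the first byte)",
    3268: "global catalog (cleartext unless StartTLS)",
    3269: "global catalog over TLS",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def parse_log(text):
    """Return a list of (timestamp, src, dst, dport); lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # fromisoformat() before Python 3.11 does not accept a trailing "Z"
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["src"], m["dst"], int(m["dport"])))
    return events


def ldap_port_counts(events, src):
    """Count LDAP-family destination ports used by one source address."""
    counts = Counter(dport for _, s, _, dport in events if s == src and dport in LDAP_PORTS)
    return dict(counts)


def cleartext_ldap_sessions(events, src):
    """Sessions from src to TCP/389; with StartTLS disabled these carry LDAP in the clear."""
    return [(ts, dst) for ts, s, dst, dport in events if s == src and dport == 389]


def spacing(events, src, dport):
    """Gaps between consecutive sessions from src to dport, in time order."""
    times = sorted(ts for ts, s, _, p in events if s == src and p == dport)
    return [later - earlier for earlier, later in zip(times, times[1:])]


def looks_periodic(gaps, period=timedelta(hours=4), tolerance=timedelta(minutes=5)):
    """True when there is at least one gap and every gap is within tolerance of period."""
    return bool(gaps) and all(abs(g - period) <= tolerance for g in gaps)


def report(text=SAMPLE_LOG, src=SVM_LIF):
    """Summarise LDAP port usage for one source address."""
    events = parse_log(text)
    return {
        "ports": ldap_port_counts(events, src),
        "cleartext_389": len(cleartext_ldap_sessions(events, src)),
        "periodic_389": looks_periodic(spacing(events, src, 389)),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Feed it the real export instead of SAMPLE_LOG (adjusting LINE_RE to the firewall's format) and set SVM_LIF to every LIF of the SVM: if "ports" shows 389 alongside 636 for the same source, the LDAPS setting is not covering all of the SVM's AD LDAP traffic, and the gap analysis tells you whether the 389 sessions are a scheduled task rather than client-driven.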