topic Why doesn't SVM only communicate with DNS via port 636 ? in Network and Storage Protocols

Why doesn't SVM only communicate with DNS via port 636 ?

Michael_K — Wed, 04 Jun 2025 10:00:15 GMT

Hello community,

we have a problem that we are noticing now for the first time. We are currently using ONTAP 9.8P11 on FAS2750.

Our network administrators would like to use port 636 for communication with the DNS.

A newly created CIFS-SVM - so far without productive use - connects to DNS via port 636 (-use-ldaps-for-ad-ldap is set o true / Root CA was createtd before) when it is accessed for the first time.

All further access - although we don't even know why this is happening (there are no accesses from CIFS clients yet!) - are again taking place via port 389? Why?

The parameters for the SVM are set as follows:

FAS27DX1::> vserver cifs security show -vserver SVM_xxxxx

Vserver: SVM_xxxxx

Kerberos Clock Skew: 5 minutes

Kerberos Ticket Age: 10 hours

Kerberos Renewal Age: 7 days

Kerberos KDC Timeout: 3 seconds

Is Signing Required: true

Is Password Complexity Required: true

Use start_tls for AD LDAP connection: false

Is AES Encryption Enabled: false

LM Compatibility Level: lm-ntlm-ntlmv2-krb

Is SMB Encryption Required: false

Client Session Security: none

SMB1 Enabled for DC Connections: false

SMB2 Enabled for DC Connections: system-default

LDAP Referral Enabled For AD LDAP connections: false

Use LDAPS for AD LDAP connection: true

Encryption is required for DC Connections: false

FASxxxxx::>

Can anyone explain this behavior?

Why is only the first access via port 636 and the others via 389?

What is to be done so that only port 636 is used?

Why is there access to the DNS at all if the SVM is not yet productive? (our networkers have determined that this behavior probably occurs every 4 hours - See also graphic "ADROOT-LOG.jpg".).

I am grateful for any help.

Best regards

Michael

Re: Why doesn't SVM only communicate with DNS via port 636 ?

Vijay_ramamurthy — Mon, 30 May 2022 13:06:09 GMT

Hi Michael,

Also 636 is only for ONTAP to AD-LDAP connections and for DNS it will always connect to port 53( UDP and if needed TCP).

When CIFS server is created on the SVM . Domain Controller Discovery (DC Discovery) is an automatic procedure triggered by ONTAP every 4 hours.
It is explained in the KB below and is the reason why you see connections happening between ONTAP SVM and DNS every 4 hour interval.
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/What_is_Domain_Controller_Discovery

With "Use LDAPS for AD LDAP connection" set to TRUE , ONTAP will only use port 636 for AD-LDAP connections.

https://docs.netapp.com/us-en/ontap/nfs-admin/ldaps-concept.html#terminology

Could you please check if the 389 LDAP connections are happening via the same SVM LIF of the SVM which has LDAPS for AD LDAP connection set to TRUE or the connections are initiated using a different different SVM LIF?

Re: Why doesn't SVM only communicate with DNS via port 636 ?

Michael_K — Tue, 31 May 2022 06:49:37 GMT

Hello Vijay,

thank you very much for your answer.

I have now understood the periodic access every 4 hours.

What irritates me is your question with which LIF the connection is established ("the same SVM LIF of the SVM which has LDAPS for AD LDAP connection set to TRUE or the connections are initiated using a different different SVM LIF").

I did set up LDAPS for the CIFS-SVM (cifs security modify -vserver SVM_xxxxx -use-ldaps-for-ad-ldap true) - so for all LIFs of the SVM - didn't I? - Or is it possible to define individual LIFs accordingly?

Best regards

Michael

Re: Why doesn't SVM only communicate with DNS via port 636 ?

Vijay_ramamurthy — Tue, 31 May 2022 07:35:52 GMT

Hi Michael,

Sorry for making the query complex.

Let me reframe the question

Since you have enabled "use-ldaps-for-ad-ldap" it is expected that for this SVM the AD-LDAP connection would happen via port 636.

And since you are seeing connections on port 389 as per the snippet shared , i just wanted to validate if the source IP address of this AD-LDAP(389 and 636 both) connection belongs to a LIF on this same SVM which has "use-ldaps-for-ad-ldap" set to true.

Also to answer your other question .

When you enable "use-ldaps-for-ad-ldap" , It is applicable for all the LIF's that belong to this SVM and we cannot define individual LIF's.