Active Directory Domain Services Support with ZTNA Connector
Learn how Prisma Access ZTNA Connector provides support for Microsoft Active
Directory Domain Services using DNS SRV resolution and data center IP addresses.
Where Can I Use This?
  Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  Prisma Access version 6.0
  Prisma Access licenses include 10 connectors, 10,000 FQDNs, and 1024 IP subnets
  (Prisma Access 5.2 or later is required for the 10,000-FQDN limit). This
  allotment is provided so that you can try out ZTNA Connectors in your
  environment.
  The Private App add-on license includes 200 ZTNA Connectors, 10,000 FQDNs, and
  1024 IP subnets.
  To enable this functionality, contact your Palo Alto Networks account
  representative or partner, who will submit a request to the Site Reliability
  Engineering (SRE) team.
Microsoft Active Directory Domain Services (AD DS) relies on a two-phase domain
controller discovery process that requires special handling in Prisma Access ZTNA
deployments. When a Windows client joins a domain (and whenever it locates a domain
controller afterwards), it first issues a DNS SRV query to find the domain controllers
that offer a given service, and then sends CLDAP (LDAP over UDP) queries to those
candidates to select the optimal domain controller for its AD site.
Prisma Access ZTNA Connector supports AD DS environments through two key
capabilities. First, it supports end-to-end DNS SRV resolution, so that clients can
discover domain controllers and the services they offer. Second, it provides a Use
Data Center IP feature for application targets (the Keep Data Center IP Address
option) that preserves the direct routing to domain controllers that Microsoft's AD
architecture requires.
In a traditional ZTNA deployment, each application target is assigned a Prisma
Access anycast IP address, and traffic undergoes destination network address
translation (DNAT) on its way to the application. AD services might not function
correctly over NAT, because the address a client learns for a domain controller is
no longer the address it actually connects to. The Use Data Center IP feature
addresses this by using the domain controller's real data center IP address as the
fabric IP address, so that no DNAT is applied in the connection path.
To implement ZTNA Connector for AD environments, you need to understand your AD
network design (hierarchical or flat), map ZTNA Connector groups to AD sites, and
configure the appropriate wildcard and FQDN application targets. Give each ZTNA
Connector's data center interface an IP address within one of the AD site's subnets,
so that the domain controllers associate the connector's traffic with that site.
For System Center Configuration Manager (SCCM) deployments with ZTNA Connector, use
AD site mode rather than IP boundary mode. This ensures that the client communicates
with the most efficient distribution point within its AD site, optimizing software
distribution and updates.
ZTNA Connector also includes preconfigured port settings for Microsoft AD services
(Microsoft AD Firewall Ports) that enable the protocols and ports commonly used by
AD services, such as DNS, Kerberos, LDAP, and SMB. This saves you configuration time
while still allowing customization as needed.
The ZTNA Connector forwards the SRV query to the domain controllers, which are
configured as the DNS servers for the Connector. The domain controllers' response to
the DNS SRV query is forwarded to the ZTTs and on to the mobile user, whose Windows
client uses the answer to locate a domain controller and join the Active Directory
domain.
Clients must use the domain controller's real IP address when communicating with the
domain controllers; the Keep Data Center IP Address option on the target ensures
that the address the client resolves is the one it connects to.
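The following PowerShell script is an added validation example, not Palo Alto Networks' own tooling. Run on a Windows endpoint connected through Prisma Access, it exercises both phases of the domain controller discovery described above: it issues the generic and the site-specific SRV queries, resolves each returned domain controller to an address and checks that the address lies inside the expected data center subnets rather than coming from the application pool (the effect of Keep Data Center IP Address), probes the Kerberos, LDAP and SMB ports that Microsoft AD Firewall Ports opens, and finally runs nltest so that the CLDAP phase reports which domain controller and site it selected. The domain name, site name and subnets are placeholders for this example.

```powershell
# Added example for validating AD DS discovery through a ZTNA Connector.
# Not part of the Prisma Access product. Run as a script on a Windows client.
# Assumed values: replace the domain, AD site and data center subnets below.
param(
    [string]   $Domain    = 'corp.example.com',                  # assumed domain
    [string]   $Site      = 'DC1',                               # assumed AD site name
    [string[]] $DcSubnets = @('10.10.0.0/16', '10.20.0.0/16')    # assumed DC subnets
)

# Returns $true when an IPv4 address falls inside a CIDR block.
function Test-IPInSubnet {
    param([string]$IPAddress, [string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    $toInt = {
        param($ip)
        $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
    }
    $mask = ([long]0xFFFFFFFF -shl (32 - [int]$prefix)) -band 0xFFFFFFFF
    return ((& $toInt $IPAddress) -band $mask) -eq ((& $toInt $network) -band $mask)
}

# Phase 1: the SRV queries a Windows client makes. The generic name lists every
# DC; the _sites form lets the client prefer a DC in its own AD site (the site
# that the connector's data center interface address maps to).
function Get-DcSrvRecords {
    param([string]$Domain, [string]$Site)
    $names = @("_ldap._tcp.dc._msdcs.$Domain")
    if ($Site) { $names += "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" }
    foreach ($n in $names) {
        $records = Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'SRV' }
        foreach ($r in ($records | Sort-Object -Property Priority, @{Expression = 'Weight'; Descending = $true})) {
            [pscustomobject]@{ Query = $n; Target = $r.NameTarget; Port = $r.Port
                               Priority = $r.Priority; Weight = $r.Weight }
        }
    }
}

# Resolves each DC name and checks that the answer is a real data center address
# (Keep Data Center IP Address) and that the core AD ports are reachable.
function Test-DcReachability {
    param($Srv, [string[]]$DcSubnets)
    foreach ($s in $Srv) {
        $ips = (Resolve-DnsName -Name $s.Target -Type A -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' }).IPAddress
        foreach ($ip in $ips) {
            $inDc = @($DcSubnets | Where-Object { Test-IPInSubnet -IPAddress $ip -Cidr $_ }).Count -gt 0
            $ports = foreach ($p in 88, 389, 445) {   # Kerberos, LDAP, SMB
                $ok = Test-NetConnection -ComputerName $ip -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue
                "$p=$ok"
            }
            # DataCenterIP=False means the client received a pool address, i.e. DNAT
            # is still in the path and Keep Data Center IP Address is not in effect.
            [pscustomobject]@{ DC = $s.Target; IP = $ip; DataCenterIP = $inDc; Ports = ($ports -join ' ') }
        }
    }
}

$srv = Get-DcSrvRecords -Domain $Domain -Site $Site
$srv | Format-Table -AutoSize
Test-DcReachability -Srv $srv -DcSubnets $DcSubnets | Format-Table -AutoSize

# Phase 2: force the DC locator's CLDAP ping and show the DC and site it picked.
nltest "/dsgetdc:$Domain" /force
nltest /dsgetsite
```

If the site-specific query returns nothing while the generic one succeeds, the connector's data center interface address is probably not inside a subnet that is mapped to that AD site; if DataCenterIP is False for every DC, the target was created without Keep Data Center IP Address.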
Prerequisites
ZTNA Connector does not allow server-initiated traffic, so SCCM client push
installation (which the site server initiates) does not work through the
connector. Use an alternative, client-initiated method to install the SCCM client
software.
A ZTNA Connector that communicates with the domain controller must be a two-arm
connector, so that its LAN (data center) interface can use the domain controller
as its DNS server.
Go to Configuration > Wildcard Targets and Create Wildcard Target.
Add a unique Name, assign a Connector Group, and add a domain in Wildcard.
(Optional) If you're adding a wildcard target or an FQDN target to access a
Microsoft AD data center, enable Microsoft AD Firewall Ports to prepopulate the TCP
and UDP ports required for AD, and then Confirm.
(Optional) If you're adding a wildcard target or an FQDN target to access a
Microsoft AD data center, enable Keep Data Center IP Address, and then Confirm.
For Microsoft AD networks, this option is essential. Windows clients must
communicate with the domain controllers using the domain controller's native data
center IP address, without DNAT translation of that address. If an application is
compatible with DNS proxy and DNAT translation, this option isn't necessary for it.
When you enable Keep Data Center IP Address, the application does not get an IP
address from the application pool. Instead, the original IP address that the ZTNA
Connector resolves for the application is advertised in the Prisma Access
infrastructure.
For FQDN applications learned from Keep Data Center IP Address wildcards, or
manually added FQDNs set as Keep Data Center IP Address targets, the IP address
displayed in the application table is the application's data center IP address.