Hi engineers.

I need help with the Mikrotik hotspot and on-prem Windows AD. In this topology, we have two routers one Cisco and one Mikrotik CCR router. The AD server takes it's IP address and its connected to the Cisco router and the wireless clients takes it's IP's and are connected to the Mikrotik CCR router with hotspot enabled. End to end connectivity is established. WiFi Clients can ping AD and AD can ping WiFi clients also but when I try to join WiFi clients to the domain it fails. Windows firewall has been disabled but it still fails. But when I disable the hotspot server on the Mikrotik CCR I am able to join the WiFi clients to the domain. Also, I tried adding the AD's IP to the walled garden and walled garden IP list but still, I still cannot add the clients to the domain. But they work perfectly well when I disable the hotspot service on the Mikrotik router.

NB: Also we can't disable the hotspot service for good as we authenticate all wireless users who use the internet.

I would appreciate any support or help. Thanks in advance.

I hear Active Directory. First bet is DNS.

I suspect the hotspot clients are using Mikrotik DNS, which isn't going to the know the SRV/etc records needed for AD LDAP. You could confirm by setting a hotspot client's DNS to explicitly use Microsoft AD DNS servers. If that works, it's for sure DNS. Even if not, the firewall rules for hotspot redirect it to Mikrotik if I recall correctly... .

I'd eliminate DNS as a cause since you're saying ping & no-hotspot works. You can look at firewall rules to see if any do stuff with port 53. Assuming it's DNS, one workaround be to add static DNS entries on Mikrotik /ip/dns/static for the various "_ldap._tcp.dc._msdcs.example.com" (etc. etc.) SRV required for AD (or use the "FWD" static DNS to redirect *._msdcs.example.com to Microsoft DNS)

Hi Amm0.
Thanks for your help.

Wireless clients DNS settings is pointing to the two AD's., but still cannot join to domain. I created a FW rule to allow traffic to the AD-DNS and placed at the beginning of the FW rules but but still cannot connect. And hotspot dynamic rules are not doing anything with port 53. I have basically tried everything possible but still can't seem to get stuff working.

I think the issues are coming from these three filter and NAT rules.

Yeah realized after that DNS was already likely MS AD DNS.

I suppose another way to skin that are is set the Mikrotik DNS to your AD's DNS? Since I do think hotspot is sending all DNS to Mikrotik regardless of what DNS IP is used.

While you can have a firewall rule before that has a hotspot chain runs (or perhaps the the hotspot= fw filter matchers to do it), unwinding the dynamic hotspot FW rules take some tracing.

Kinda why I think just having Mikrotik use MS AD DNS upstream be one approach, or adding the AD SRV records to the Mikrotik DNS be another.

Hello Amm0,

It's working after setting the Mikrotik's DNS "IP > DNS > address" to the AD's DNS and i am getting the authentication dialogue box for the AD credentials.

First bet is DNS.

Good to hear.
It really is always DNS.