In Aria Operations, under Administrator -> Control Panel -> Auth Sources, Edit Source for the Active Directory user and group import source, when the 'Auto' option is selected with SSL enabled, host selection may pick a Domain Controller (DC) that is online, or one that is offline or under maintenance. When an unusable DC is picked, Aria Operations fails to authenticate against it and users cannot log in.
In Aria Operations, under Administrator -> Control Panel -> Auth Sources, Edit Source for the Active Directory user and group import source, when the "Auto" option is selected the endpoint is effectively chosen at random. When communication with the auto-selected Domain Controller (DC) fails, Aria Operations attempts to select a new one (up to 3 retries). If it still finds no responsive host, it repeats the selection on the next connection attempt.
Aria Operations takes the first DC in the SRV query result, but the order of SRV results can vary from one query to the next. Once a host is picked, Aria Operations sticks with it until a failure occurs, at which point it fails over to another host.
Aria Operations 8.18.x
If your DNS SRV records advertise the secure ports (636 or 3269), Aria Operations connects with LDAPS on those. Otherwise it connects to the plaintext port and upgrades the connection with STARTTLS: the client opens an unencrypted LDAP connection, sends the STARTTLS extended request, and only then performs the TLS handshake. No secrets cross the wire before TLS is up; the only plaintext traffic is that one extended request, and the bind (which carries the credentials) is sent after the upgrade. So even when port 3268 is used, the session is still protected by TLS, as long as the "Use SSL/TLS" checkbox is selected. If that checkbox is not selected, the bind on 389/3268 goes out in cleartext.
If a DC under maintenance still accepts LDAP connections but returns empty responses to Aria Operations queries, Aria Operations cannot distinguish it from a healthy DC that simply has no matching users.
Aria Operations detects a failed DC and initiates failover only when it encounters a connection error. Empty responses do not trigger a failover, so a DC in that state keeps being used.
To see which DC Aria Operations will pick, run the following commands on the Aria Operations primary node. Aria Operations takes the first host in the returned list; because the order can change between queries, run the commands more than once to see the candidates.
nslookup -type=SRV _ldap._tcp.gc._msdcs.example.com
nslookup -type=SRV _ldap._tcp.dc._msdcs.example.com
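The following is an added example, not Aria Operations code, written to illustrate three points above: it parses the SRV answers printed by nslookup on the primary node in the order the resolver returned them, replays the "first host, fail over only on a connection error, up to 3 retries" rule against constructed probe results so the maintenance-DC trap (a DC that answers but returns nothing) is visible, and shows what actually crosses the wire in clear during a STARTTLS upgrade on 389/3268. The sample nslookup output, the host names dc01-dc03.example.com and the probe outcomes are constructed; the live `starttls_probe` function is the only part that touches the network.

```python
# Added example (not Aria Operations code). Hostnames, sample DNS output and
# probe outcomes are constructed for the demo.
import re
import socket
import ssl

LDAPS_PORTS = {636, 3269}      # TLS from the first byte
STARTTLS_PORTS = {389, 3268}   # plaintext LDAP, upgraded with the STARTTLS extended op

# Linux nslookup prints SRV answers as: <name> service = <prio> <weight> <port> <target>.
SRV_LINE = re.compile(r"service\s*=\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")


def parse_nslookup_srv(output):
    """SRV records in the order the resolver returned them; per the article that
    order (not priority/weight) decides which DC is tried first."""
    records = []
    for line in output.splitlines():
        m = SRV_LINE.search(line.rstrip())
        if m:
            prio, weight, port, target = m.groups()
            records.append({"priority": int(prio), "weight": int(weight),
                            "port": int(port), "target": target})
    return records


def transport(port):
    """Connection mode implied by the port when 'Use SSL/TLS' is checked."""
    return "ldaps" if port in LDAPS_PORTS else "starttls" if port in STARTTLS_PORTS else "unknown"


def select_dc(records, probe, max_retries=3):
    """Replay the selection rule: start at the top, move on only after a
    connection error, at most max_retries times. probe(target, port) returns
    None on a connection error, otherwise the entries a test query returned.
    An empty list counts as healthy: that is the maintenance-DC trap.
    Returns (chosen_record_or_None, warnings)."""
    warnings = []
    for rec in records[: max_retries + 1]:
        where = f"{rec['target']}:{rec['port']}"
        entries = probe(rec["target"], rec["port"])
        if entries is None:
            warnings.append(f"{where}: connection error, failing over")
            continue
        if not entries:
            warnings.append(f"{where}: answered with no entries; Aria Operations would keep it (no failover)")
        return rec, warnings
    warnings.append("no responsive DC within retry budget; selection repeats on next attempt")
    return None, warnings


# STARTTLS: the only plaintext traffic is this request. BER for LDAPMessage
# SEQUENCE { messageID INTEGER 1, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
STARTTLS_REQUEST = b"\x30\x1d\x02\x01\x01\x77\x18\x80\x16" + STARTTLS_OID


def _tlv(buf, pos):
    """Read one BER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def starttls_accepted(resp):
    """True if resp is an ExtendedResponse [APPLICATION 24] with resultCode success (0)."""
    try:
        tag, p, _ = _tlv(resp, 0)                  # LDAPMessage SEQUENCE
        if tag != 0x30:
            return False
        tag, p, end = _tlv(resp, p)                # messageID INTEGER
        if tag != 0x02:
            return False
        tag, p, _ = _tlv(resp, end)                # ExtendedResponse
        if tag != 0x78:
            return False
        tag, p, end = _tlv(resp, p)                # resultCode ENUMERATED
        return tag == 0x0A and resp[p:end] == b"\x00"
    except IndexError:
        return False


def starttls_probe(host, port, timeout=5):
    """Live check (needs network): connect in plaintext, send only the STARTTLS
    request, then run the TLS handshake. No bind happens, so no credentials are
    sent before TLS is up. Raises OSError/ssl.SSLError on connection/TLS failure."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(STARTTLS_REQUEST)
    if not starttls_accepted(sock.recv(1024)):
        sock.close()
        return False
    ssl.create_default_context().wrap_socket(sock, server_hostname=host).close()
    return True


# Constructed nslookup output and probe table: dc02 is down, dc01 is up but in
# maintenance (answers, returns nothing), dc03 is healthy.
SAMPLE_NSLOOKUP = """Server:\t\t10.0.0.53
Address:\t10.0.0.53#53

Non-authoritative answer:
_ldap._tcp.gc._msdcs.example.com\tservice = 0 100 3268 dc02.example.com.
_ldap._tcp.gc._msdcs.example.com\tservice = 0 100 3269 dc01.example.com.
_ldap._tcp.gc._msdcs.example.com\tservice = 0 100 3268 dc03.example.com.
"""
FAKE_PROBE = {"dc02.example.com": None, "dc01.example.com": [],
              "dc03.example.com": ["CN=alice,OU=Users,DC=example,DC=com"]}


def demo():
    records = parse_nslookup_srv(SAMPLE_NSLOOKUP)
    chosen, warnings = select_dc(records, lambda host, port: FAKE_PROBE[host])
    return records, chosen, warnings


if __name__ == "__main__":
    recs, chosen, warns = demo()
    print([f"{r['target']}:{r['port']} ({transport(r['port'])})" for r in recs])
    print("chosen:", chosen and chosen["target"], "|", "; ".join(warns))
```

In the demo the first host (dc02) fails with a connection error and is skipped, the second (dc01) answers but returns no entries, and the selection stops there: Aria Operations would stick with dc01 even though a healthy dc03 is next in the list. Replacing the fake probe with a real LDAP search (for example an ldapsearch against the base DN with the same bind account) turns `select_dc` into a pre-check you can run on the primary node before trusting the "Auto" option.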