Applies to: All versions of Centrify DirectControl 4.4.x and above on all supported platforms
Question:
Is it possible to prevent Centrify agent (adclient) from connecting to unreachable Domain Controllers (DCs) and GCs (Global Catalog) in AD. Essentially 'blacklist' them?
Answer:
Yes, please use the dns.block parameter in /etc/centrifydc/centrifydc.conf to block unwanted/unreachable DCs and GCs in AD environment. Run the command adreload for changes to go into effect. For more details, please see page 96 of the below URL for more info or the extract
dns.block
This configuration parameter specifies the list of domain controllers that should be filtered out when resolving the domain controller to contact through DNS. This configuration parameter enables you to prevent the Centrify DirectControl Agent (adclient) from attempting to contact domain controllers that are known to be inaccessible, for example, because they reside behind a firewall, or domain controllers that shouldn’t be contacted, for example, because of their physical location or because they are no longer valid domain controllers for the site.
The parameter value can be one or more fully-qualified domain controller server names. If you are specifying more than one domain controller name, the names can be separated by commas or spaces.
For example:
dns.block: ginger.ajax.org,salt.ajax.org,nc1.sea.ajax.org
OR thru GP
"Computer Configuration" -> Centrify Settings -> DirectControl Settings -> Network and Cache Settings -> Blacklist DNS DC hostnames
NOTE:
If you don’t specify a value for this parameter, access is not blocked for any domain controllers or global catalog controllers.