Applies to: All versions of Centrify DirectControl
How to troubleshoot DNS issues?
Here is a summary of the most common DNS issue: a UNIX box pointing at a DNS server that knows nothing about the Windows domain.
This is by far the most common issue. When entering "adjoin foo.com", the UNIX system must be able to see foo.com via DNS: adjoin locates domain controllers through the SRV records that Active Directory publishes in DNS, so a DNS server that does not know the domain cannot answer.
If foo.com is a test domain (for example a lab domain whose DNS zone lives only on its own domain controller), it is almost certain that the UNIX box will NOT be able to see the domain.
How to tell if this is the case:
Running "ping foo.com" will show whether the domain name resolves at all (the sample below uses centrify.com, where the domain name resolves to the domain controller):
[pmoore@caterpillar pmoore]$ ping centrify.com
PING centrify.com (172.27.20.10) 56(84) bytes of data.
64 bytes from centrify-dc.centrify.com (172.27.20.10): icmp_seq=1 ttl=128 time=0.142 ms
64 bytes from centrify-dc.centrify.com (172.27.20.10): icmp_seq=2 ttl=128 time=0.228 ms
64 bytes from centrify-dc.centrify.com (172.27.20.10): icmp_seq=3 ttl=128 time=0.233 ms
The only time it is acceptable for this to fail is when the domain controller is not being used as the DNS server (i.e. a UNIX DNS server is in use); on AD-integrated DNS the domain name itself resolves because each domain controller registers its own address under the domain name.
If that is the case, try "ping dc1.foo.com" instead. Note that if a non-AD DNS server is being used, there is a lot of work to do on that DNS server, since the SRV records Active Directory normally publishes must be present there (please see the Admin Guide).
How can this be fixed?:
A) Set /etc/resolv.conf to point to the domain controller, as the first nameserver entry. Note that if the UNIX box gets its IP address via DHCP, it is almost certain that /etc/resolv.conf is written by the DHCP client to point at whatever DNS servers the DHCP server hands out, and the DHCP client will keep changing it back to those values even after manual edits. Either have the DHCP server hand out the domain controller as the DNS server, or configure the DHCP client to override that option (ISC dhclient, for example, has a "supersede domain-name-servers" setting in dhclient.conf).
Note that adding the domain controller as a second nameserver entry in /etc/resolv.conf does not help. The entries are not tried in sequence for each lookup: the resolver only moves on to the second server if the first one fails to answer at all (a timeout), not when the first answers that the name does not exist; the assumption is that all listed DNS servers hold the same data. The domain controller therefore has to be the first entry.
B) Add an entry on the DNS server that the UNIX box already points to. This entry should delegate the foo.com zone to the foo.com domain controller; however, this is not considered best practice in deployed organizations, and it requires changes on a DNS server the UNIX administrator often does not control.
C) Put the domain controller in /etc/hosts and add it to the DirectControl (CDC) configuration file, /etc/centrifydc/centrifydc.conf, so that DirectControl contacts that domain controller directly instead of locating one through DNS. The fixdns utility shipped with DirectControl will also do this.
In Case A) or B), "ping foo.com" should now work.
Now run "adinfo --diag foo.com" and look for lines like the following (again shown for centrify.com):
Locating global catalogs for centrify.com from DNS
Found SRV records:
Locating domain controllers for centrify.com from DNS
Found SRV records:
These lines show that the DNS server was contacted and returned the SRV records DirectControl needs to find global catalogs and domain controllers.
For Case C, DNS is bypassed, so there are no more tests to perform except trying to join the domain.
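The checks above, as an added example that is not part of the original article and not a DirectControl tool: a shell script that queries each nameserver listed in /etc/resolv.conf separately for the SRV records adjoin depends on, so the ordering caveat from Case A (only the first server is consulted unless it times out) shows up directly, and then lists every required record as seen through the system resolver. It assumes dig from the BIND tools is installed; the script name, function names and the sample resolv.conf contents are this example's own.

```shell
#!/bin/sh
# addns-check.sh (hypothetical name): pre-adjoin DNS check for a DirectControl
# client. Added example; not part of Centrify DirectControl.
# Usage: sh addns-check.sh foo.com

# Assumed: dig (BIND dnsutils) is installed. Short timeouts so that a server
# that knows nothing about the domain fails fast instead of hanging.
DIG_OPTS="+short +time=2 +tries=1"

# The SRV records adjoin/adinfo look up. Active Directory publishes the
# domain controller and global catalog locators under these names.
srv_names() {
  d=$1
  printf '%s\n' \
    "_ldap._tcp.dc._msdcs.$d" \
    "_kerberos._tcp.dc._msdcs.$d" \
    "_gc._tcp.$d"
}

# Print the nameserver addresses from a resolv.conf file, in order, ignoring
# comments. Order matters: the resolver only moves to the second server when
# the first does not answer at all, never on a "no such name" answer.
nameservers_from() {
  sed -n 's/^[[:space:]]*nameserver[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$1"
}

# Read "prio weight port target" lines (dig +short SRV output) on stdin and
# print the targets, lowest priority first, trailing dot removed. Lines that
# do not start with a number (dig's ";; connection timed out" diagnostics)
# are skipped.
srv_targets() {
  sort -k1,1n -k2,2nr | awk '$1 ~ /^[0-9]+$/ { sub(/\.$/, "", $4); print $4 }'
}

# Query every configured nameserver individually for the DC locator record.
# A domain controller that only the second or third server knows about does
# not help, because the resolver never falls through to it on NXDOMAIN.
check_each_nameserver() {
  d=$1; conf=${2:-/etc/resolv.conf}
  n=0
  for ns in $(nameservers_from "$conf"); do
    n=$((n + 1))
    ans=$(dig @"$ns" $DIG_OPTS SRV "_ldap._tcp.dc._msdcs.$d" 2>/dev/null | srv_targets)
    if [ -n "$ans" ]; then
      printf 'nameserver %d (%s): knows %s, DCs: %s\n' "$n" "$ns" "$d" \
        "$(printf '%s' "$ans" | tr '\n' ' ')"
      [ "$n" -eq 1 ] || \
        printf '  WARNING: not first in %s; the resolver will not reach it\n' "$conf"
    else
      printf 'nameserver %d (%s): no DC SRV records for %s\n' "$n" "$ns" "$d"
    fi
  done
}

# Full report: per-server view, then every required record via the normal
# resolver path (what adjoin itself will see).
main() {
  d=$1
  printf 'Checking DNS for %s\n' "$d"
  check_each_nameserver "$d"
  printf '\nSRV records adjoin needs, via the system resolver:\n'
  for name in $(srv_names "$d"); do
    targets=$(dig $DIG_OPTS SRV "$name" 2>/dev/null | srv_targets | tr '\n' ' ')
    printf '  %-40s %s\n' "$name" "${targets:-MISSING}"
  done
}

# Only run the network checks when a domain is given on the command line.
if [ $# -gt 0 ]; then main "$1"; fi
```

A result of "no DC SRV records" from every server is Case A or B from the list above (the DNS server does not know the domain); a record that is found only on a server other than the first one is the resolv.conf ordering problem from Case A, and moving that server to the top, or fixing the DHCP-supplied list, is the cure. If the records are MISSING through the system resolver even though a DNS server answers them directly, the resolver is simply not asking that server.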