KB-0171: Troubleshooting DNS issues

Centrify DirectAudit, Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April,16 at 11:11 AM

Applies to: All versions of Centrify DirectControl
 
Question:
 
How to troubleshoot DNS issues? 
 

Answer:
 
This article summarises the most common DNS issue: the UNIX box points to a DNS server that knows nothing about the Windows domain.
This is by far the most common cause of join failures. When you run "adjoin foo.com", the UNIX system must be able to resolve foo.com via DNS.
If foo.com is a test domain, it is almost certain that the UNIX box will NOT be able to resolve it.
 

How to tell if this is the case:
 
Running "ping foo.com" shows whether the domain name resolves at all (the sample below uses centrify.com):
 
[pmoore@caterpillar pmoore]$ ping centrify.com 
PING centrify.com (172.27.20.10) 56(84) bytes of data. 
64 bytes from centrify-dc.centrify.com (172.27.20.10): icmp_seq=1 ttl=128 time=0.142 ms 
64 bytes from centrify-dc.centrify.com (172.27.20.10): icmp_seq=2 ttl=128 time=0.228 ms 
64 bytes from centrify-dc.centrify.com (172.27.20.10): icmp_seq=3 ttl=128 time=0.233 ms 
 
The only case in which it is acceptable for this to fail is when the domain controller is not being used as the DNS server (for example, a UNIX DNS server is in use).
If that is the case, try "ping dc1.foo.com" instead. Note that if a non-AD DNS server is being used, there is a lot of work to do on that DNS server (please see the Admin Guide).
 
How can this be fixed?
 
 
Case A) 
 
Set /etc/resolv.conf to point to the domain controller. Note that if the UNIX box gets its IP address via DHCP, the /etc/resolv.conf file is almost certainly written by the DHCP client to point to whatever DNS server the DHCP server advertises, and DHCP will keep changing it back to those values even after you edit it manually.
 
Note that simply adding the domain controller as a second nameserver entry in /etc/resolv.conf does not work. The entries are not tried in sequence: the resolver only tries the second entry if the first DNS server fails to answer at all, on the assumption that all listed DNS servers hold the same data.
 
Case B) 
 
Add an entry to the DNS server that the UNIX box already points to, delegating foo.com to the foo.com domain controller. However, this is not best practice in deployed organizations.
 
 
Case C) 
 
Put the domain controller in /etc/hosts and add it to the CDC configuration file; fixdns will also do this for you.
 
 
In Case A) or B), "ping foo.com" should now work.
 
Now run "adinfo --diag foo.com" and look for output like the following (again shown for centrify.com):
 
Locating global catalogs for centrify.com from DNS 
Found SRV records: 
olympia.centrify.com:3268 
backup-dc.centrify.com:3268 
centrify-dc.centrify.com:3268 
Locating domain controllers for centrify.com from DNS 
Found SRV records: 
backup-dc.centrify.com:389 
olympia.centrify.com:389 
centrify-dc.centrify.com:389 
 
This shows that the DNS server was contacted and found the data needed. 
 
For Case C, there are no more tests to perform except trying to join the domain.
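The checks described above (the nameserver ordering in Case A, the /etc/hosts entry in Case C, and the SRV records that adinfo --diag should report) collected into one added shell script. This is example code written for this article, not Centrify's own tooling: it runs against a resolv.conf-style file, a hosts-style file and captured adinfo --diag output (constructed here from the sample output above), so it can be run offline. The file names, the function names and the --demo switch are assumptions; live_srv_check assumes dig is installed and is the only function that touches the network.

```shell
#!/bin/sh
# Added example, not Centrify's tooling: pre-join DNS checks run against files
# instead of the live system. The domain, DC name and 172.27.20.10 come from
# the article; file paths are whatever the caller passes in.

# List the nameserver addresses in a resolv.conf-style file, in order.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Succeed only if the FIRST nameserver is the expected domain controller.
# Only the first entry matters: the resolver consults later entries only when
# the first one does not answer at all, not when it answers "no such name".
first_nameserver_is() {
    [ "$(resolv_nameservers "$1" | head -n 1)" = "$2" ]
}

# Case C: succeed if the hosts-style file maps the DC's FQDN to an address.
hosts_has_dc() {
    awk -v fqdn="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
                      END { exit found ? 0 : 1 }' "$1"
}

# Count SRV records in captured "adinfo --diag" output that end in the given
# port: 3268 = global catalog, 389 = domain controller LDAP. Prints 0 if none.
srv_count() {
    grep -c ":$2"'[[:space:]]*$' "$1" || true
}

# Live equivalent of the adinfo SRV lookup (not used by the offline checks):
# ask one specific DNS server for the domain's DC SRV records.
live_srv_check() {
    dig +short SRV "_ldap._tcp.dc._msdcs.$1" "@$2"
}

# Constructed sample files modelled on the article's output (not real captures).
write_samples() {
    cat > "$1/resolv.conf" <<'EOF'
search centrify.com
nameserver 172.27.20.10
nameserver 10.0.0.53
EOF
    cat > "$1/hosts" <<'EOF'
127.0.0.1    localhost
172.27.20.10 centrify-dc.centrify.com centrify-dc
EOF
    cat > "$1/adinfo-diag.txt" <<'EOF'
Locating global catalogs for centrify.com from DNS
Found SRV records:
olympia.centrify.com:3268
backup-dc.centrify.com:3268
centrify-dc.centrify.com:3268
Locating domain controllers for centrify.com from DNS
Found SRV records:
backup-dc.centrify.com:389
olympia.centrify.com:389
centrify-dc.centrify.com:389
EOF
}

# Run every check against the files in $1 and print a verdict line for each;
# returns 0 only when the box is ready to join.
precheck() {
    dir=$1; dc_ip=$2; dc_fqdn=$3; status=0
    if first_nameserver_is "$dir/resolv.conf" "$dc_ip"; then
        echo "OK   first nameserver is the DC ($dc_ip); Case A satisfied"
    elif hosts_has_dc "$dir/hosts" "$dc_fqdn"; then
        echo "WARN DC reachable only via /etc/hosts (Case C); adinfo --diag will not list SRV records"
    else
        echo "FAIL first nameserver is not $dc_ip and /etc/hosts has no entry for $dc_fqdn"
        status=1
    fi
    gc=$(srv_count "$dir/adinfo-diag.txt" 3268)
    ldap=$(srv_count "$dir/adinfo-diag.txt" 389)
    if [ "$gc" -gt 0 ] && [ "$ldap" -gt 0 ]; then
        echo "OK   adinfo --diag found $gc global catalog and $ldap domain controller SRV records"
    else
        echo "FAIL adinfo --diag found no SRV records; the DNS server does not know the domain"
        status=1
    fi
    return $status
}

# Demo entry point: build the sample files in a temp dir and run the checks.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_samples "$d"
    precheck "$d" 172.27.20.10 centrify-dc.centrify.com
fi
```

Run it with `sh precheck.sh --demo` to see the verdict on the constructed samples; for a real box, point precheck at copies of the live /etc/resolv.conf and /etc/hosts and at the saved output of adinfo --diag. The first_nameserver_is check deliberately ignores every nameserver after the first, which is exactly the resolv.conf behaviour Case A warns about.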
