
KB-0390: What is adclient.cache.expires and adclient.cache.object.lifetime

Authentication Service

12 April,16 at 11:45 AM


The centrifydc.conf file contains these two parameters:

adclient.cache.expires: 1800
adclient.cache.object.lifetime: 0

How do they relate?



The adclient.cache.object.lifetime parameter specifies how long, in hours, an Active Directory object should remain in the domain controller cache. Setting the value to 0 keeps objects in the cache indefinitely: they remain there until they are deleted from Active Directory or the cache is manually flushed with the adflush command. If you don’t want objects to remain in the cache indefinitely, you can use this parameter to set the maximum amount of time an object should be available in the cache.

For example, if you want to set the maximum time for an object to be held in the cache to 12 hours, you can set this configuration parameter as follows:

adclient.cache.object.lifetime: 12

With this setting, object values can be retrieved from the local domain controller cache for 12 hours. At the end of the 12-hour period, however, the object is removed from the local cache and must be retrieved from Active Directory if it is needed again. If this parameter is not defined in the configuration file, its default value is 0.


The adclient.cache.expires parameter specifies the number of seconds before an object in the domain controller cache expires. This parameter controls how frequently the agent checks Active Directory to see if an object in the cache has been updated.

Every object retrieved from Active Directory is stamped with the system time when it enters the domain controller cache. Once an object expires, if it is needed again, the agent contacts Active Directory to determine whether to retrieve an updated object (because the object has changed) or renew the expired object (because no changes have been made). To make this determination, the agent checks the highestUSN for the expired object. If the value has changed, the agent retrieves the updated object. If the highestUSN has not changed, the agent resets the object’s timestamp to the new system time and retrieves the object from the cache.

If the agent is unable to contact Active Directory to check for updates to an expired object—for example because the computer is disconnected from the network—the agent returns the currently cached object until it can successfully contact Active Directory.

In most cases, you set this configuration parameter using the Computer Configuration > Policies > Centrify Settings > DirectControl Settings > Network and Cache Settings > Set object expiration group policy by selecting Enabled and specifying the maximum number of seconds for an object to be kept in the local cache. You can, however, set it manually in the configuration file if you aren’t using group policy or want to temporarily override group policy.

If you are manually setting this parameter, the parameter value must be a positive integer.

The following example sets the cache expiration time to 600 seconds (10 minutes):

adclient.cache.expires: 600

If this parameter is not defined in the configuration file, its default value is 3600 seconds (1 hour).

The adclient.cache.expires parameter defines the default cache expiration time for all object types. You can override this default value for specific object types by appending the object type to the parameter name. For example, if you want to explicitly override the default expiration time for computer objects, you can define a different value for the parameter. The valid object types you can append to the parameter name to override the default value are: computer, extension, gc, group, search, user, user.membership and zone. Note that adclient.cache.expires.gc, if not set, does not default to the value of adclient.cache.expires, but has its own default value.
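
The following added example (not Centrify code, and not part of the original article) models how the two parameters combine on a lookup, which helps when estimating how long a host can keep serving an object after it changes in Active Directory. The function names, the sample values and the USN arguments are hypothetical; it assumes the lifetime is counted from when the object first entered the cache and that `#` starts a comment line.

```python
DEFAULT_EXPIRES_S = 3600  # article: default when adclient.cache.expires is unset
DEFAULT_LIFETIME_H = 0    # article: 0 keeps objects until AD deletion or adflush

# Constructed sample; only the parameter names and "name: value" form are from the article.
SAMPLE_CONF = """\
adclient.cache.expires: 1800
adclient.cache.expires.user: 600
adclient.cache.object.lifetime: 12
"""

def parse_conf(text):
    """Collect 'name: value' pairs, skipping blank and '#' lines (assumed comment style)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            name, value = line.split(":", 1)
            conf[name.strip()] = value.strip()
    return conf

def effective_expires(conf, obj_type):
    """A per-type override wins; other types fall back to adclient.cache.expires."""
    override = conf.get(f"adclient.cache.expires.{obj_type}")
    if override is not None:
        return int(override)
    if obj_type == "gc":
        return None  # gc has its own default, which the article does not state
    return int(conf.get("adclient.cache.expires", DEFAULT_EXPIRES_S))

def lookup_action(conf, obj_type, since_stamp_s, since_entry_s, cached_usn, ad_usn):
    """Decide what a lookup does; ad_usn is None when AD cannot be reached."""
    lifetime_h = int(conf.get("adclient.cache.object.lifetime", DEFAULT_LIFETIME_H))
    # Assumption: the lifetime is counted from when the object first entered the cache.
    if lifetime_h > 0 and since_entry_s >= lifetime_h * 3600:
        return "removed from cache, must be retrieved from AD"
    expires_s = effective_expires(conf, obj_type)
    if expires_s is None:
        raise ValueError("no expiry known for gc; set adclient.cache.expires.gc")
    if since_stamp_s < expires_s:
        return "served from cache"
    if ad_usn is None:
        return "served from cache (expired, AD unreachable)"
    if ad_usn != cached_usn:
        return "updated object retrieved from AD"
    return "timestamp reset, served from cache"
```

With the sample configuration, a user object stamped 900 seconds ago is already expired (600-second override), while a group object of the same age is still served without contacting Active Directory.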
