Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-1683: How does Centrify work with Microsoft RODC (Read only Domain Controller)

Authentication Service ,  

12 April,16 at 11:12 AM

Applies to: All versions of Centrify DirectControl on Microsoft RODC (Read Only Domain Controller).
 
Question:
Does Centrify product work with Microsoft's Read Only Domain Controller (RODC) located in the DMZ?
 
Answer:
The short answer is not "out of the box". In the current release of Centrify which is 5.0 at the time of writing this KB, Centrify (adclient) requires RWDC (ReadWrite Domain Controller) to do adjoin/adleave and also do the machine password change (this defaults to 28 days). So, customer needs to open the relevant ports to RWDC (Read/Write DC) for the Unix servers (Please follow KB-0029: Firewall port settings for Centrify Direct Control).

The alternative is to do an adjoin with RWDC, then move the machine into DMZ, and then disable machine password change (In /etc/centrifydc/centrifydc.conf, the following parameter adclient.krb5.password.change.interval can be made 0; the default is 28 days; centrify must be started or adreload must be run). 

There are other things that will not work like updating machine profile (like OS level) in CDC console, but these are NOT really critical for the product to work. 

Centrify realizes that this is a critical problem, and we addressed this issue in the 4.4.4 release but for customers who have moved to 5.0.2 release, can upgrade to 5.1 release and follow these steps.

The fix is that adclient will execute all the necessary changes/updates of AD through RODC to RWDC. 
 
For 2012 (4.4.4)
For more explanation on what RODC means, please check the below links.
 
​Centrify does not take any responsibility for the content and availability of these links and they were provided as a courtesy only.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-7505: Unable to join zone against a Read-Only Domain Controller that exists in AWS articleKB-6041: How to show current license type in use by adclient articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6028: Getting Started with Office 365 and the Centrify Identity Service - Configuration Overview articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-3444: Authentication fails when kvno values go out of sync in RODC environments