Applies to: all versions of Centrify DirectControl.
On a couple of Centrify servers behind a firewall, the Centrify adclient "disconnects" several times per day. Is there a reason for this?
Local host name: server2
Joined to domain: xyz.com
Joined as: server2.xyz.com
Pre-win2K name: server2
Current DC: dc.xyz.com
Preferred site: Charlotte
CentrifyDC mode: connected
These servers are behind a firewall that only allows connectivity to four domain controllers, all in the same site.
The following lines were added to the /etc/centrifydc/centrifydc.conf file to stop adclient from attempting to use other domain controllers:
dns.dc.xyz.com: dc1.xyz.com dc2.xyz.com dc3.xyz.com dc4.xyz.com
dns.gc.xyz.com: dc1.xyz.com dc2.xyz.com dc3.xyz.com dc4.xyz.com
The firewall team determined that no DNS queries were being dropped at the firewall. They noted, however, that they are seeing attempts to connect to domain controllers other than the four specified. Why?
The reason Centrify disconnects, or creates those unwanted connections to other DCs, is the parameter adclient.ldap.trust.enabled in the /etc/centrifydc/centrifydc.conf file. This configuration parameter specifies whether Centrify DirectControl is allowed to query trusted domains and forests for transitive trust information. The parameter's value can be true or false. If you set it to true, Centrify DirectControl generates a krb5.conf that includes information from all trusted forests, which can be used to authenticate cross-forest users to Kerberos applications. If you set it to false, Centrify DirectControl does not query external trusted domains or forests for information. In the scenario above, Centrify tried to reach DCs in trusted domains; since those DCs were not among the hard-coded ones permitted through the firewall, adclient was momentarily disconnected.
By default, adclient.ldap.trust.enabled is set to true in /etc/centrifydc/centrifydc.conf. Edit the centrifydc.conf file (Group Policy can also be used), uncomment the parameter and set it to false.
Additionally, you can block the unwanted domains reported in the debug logs using the parameters below in the /etc/centrifydc/centrifydc.conf file.
Other parameters, such as adclient.dns.response.maxtime and adclient.ldap.timeout, can also be raised to higher values across slow networks.
Changes to /etc/centrifydc/centrifydc.conf require running adreload (to re-read the parameters) and adflush (to clear the cache).
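As an added example (not Centrify's own tooling), the following POSIX shell helper makes the edit idempotently: it replaces a commented-out or existing "key: value" line in place rather than appending duplicates, and applies the settings from this article to a constructed sample of centrifydc.conf. The function names are my own; the parameter names, values and the adreload/adflush step are the ones given above.

```shell
#!/bin/sh
# Added helper (not part of Centrify): idempotently set "key: value" lines in a
# centrifydc.conf-style file, then apply the settings from this article.

# Escape the dots in a parameter name so it can be used inside a regex.
_re_key() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Print the active (uncommented) value of a key; prints nothing if it is unset.
get_cdc_param() {
    f="$1"; k=$(_re_key "$2")
    sed -nE "s|^[[:space:]]*${k}[[:space:]]*:[[:space:]]*(.*)$|\1|p" "$f" | tail -n 1
}

# Set a key: replace an existing or commented-out ("# key: ...") line in place,
# otherwise append it. Values must not contain '|' or '&' (sed replacement syntax).
set_cdc_param() {
    f="$1"; key="$2"; value="$3"; k=$(_re_key "$key"); tmp="${f}.tmp.$$"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${k}[[:space:]]*:" "$f"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*${k}[[:space:]]*:.*$|${key}: ${value}|" "$f" > "$tmp"
    else
        cp "$f" "$tmp" && printf '%s: %s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$f"
}

# The settings this article recommends, applied to the given conf file.
apply_article_settings() {
    set_cdc_param "$1" adclient.ldap.trust.enabled false
    set_cdc_param "$1" dns.dc.xyz.com "dc1.xyz.com dc2.xyz.com dc3.xyz.com dc4.xyz.com"
    set_cdc_param "$1" dns.gc.xyz.com "dc1.xyz.com dc2.xyz.com dc3.xyz.com dc4.xyz.com"
}

# Constructed sample conf: the shipped default leaves the trust parameter commented out.
conf=$(mktemp)
cat > "$conf" <<'EOF'
# adclient.ldap.trust.enabled: true
dns.dc.xyz.com: dc1.xyz.com dc2.xyz.com dc3.xyz.com dc4.xyz.com
EOF
apply_article_settings "$conf"
apply_article_settings "$conf"   # running twice still leaves exactly one line per key
echo "trust enabled: $(get_cdc_param "$conf" adclient.ldap.trust.enabled)"   # false

# On a real host, apply to the live file and then make adclient pick it up:
#   apply_article_settings /etc/centrifydc/centrifydc.conf && adreload && adflush
```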
For more details on the above parameters, refer to the Centrify DirectControl Configuration Reference Guide.